Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
13/07/2024, 10:43
Static task
static1
Behavioral task
behavioral1
Sample
33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe
Resource
win10v2004-20240709-en
General
-
Target
33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe
-
Size
1.8MB
-
MD5
45dd9a569cfe0c0629b04c7df06dfcd4
-
SHA1
3376e39a006081cb9fd18bff5110eb12bbfa241a
-
SHA256
33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1
-
SHA512
dd158bb54b46b8c1f61d202af80f610cd7599d41b5c03977d25e2b95215daaf0c163cfe74f32499b1366a1904fecb010db2891be2a8d0ca85c4a176a8cdbc574
-
SSDEEP
49152:nFJWTJAzOJ/Xw+HuLlmOskO1WeMJ2TKqLKo1Xxf:nCTJ3H4lmlkOEDCKo1XJ
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ JDBGDHIIDA.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ CGIDAAAKJJ.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion JDBGDHIIDA.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion CGIDAAAKJJ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion JDBGDHIIDA.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion CGIDAAAKJJ.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation 876d58e143.exe Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation 457f3cf2e8.exe -
Executes dropped EXE 8 IoCs
pid Process 1976 explorti.exe 4408 457f3cf2e8.exe 2616 876d58e143.exe 4584 explorti.exe 324 JDBGDHIIDA.exe 4876 CGIDAAAKJJ.exe 4416 explorti.exe 4584 explorti.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine JDBGDHIIDA.exe Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine CGIDAAAKJJ.exe Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
pid Process 4408 457f3cf2e8.exe 4408 457f3cf2e8.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0007000000023465-42.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 4656 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe 1976 explorti.exe 4408 457f3cf2e8.exe 4584 explorti.exe 4408 457f3cf2e8.exe 324 JDBGDHIIDA.exe 4876 CGIDAAAKJJ.exe 4416 explorti.exe 4584 explorti.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\explorti.job 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 457f3cf2e8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 457f3cf2e8.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 4656 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe 4656 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe 1976 explorti.exe 1976 explorti.exe 4408 457f3cf2e8.exe 4408 457f3cf2e8.exe 4584 explorti.exe 4584 explorti.exe 4408 457f3cf2e8.exe 4408 457f3cf2e8.exe 324 JDBGDHIIDA.exe 324 JDBGDHIIDA.exe 4876 CGIDAAAKJJ.exe 4876 CGIDAAAKJJ.exe 4416 explorti.exe 4416 explorti.exe 4584 explorti.exe 4584 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 4884 firefox.exe Token: SeDebugPrivilege 4884 firefox.exe Token: SeDebugPrivilege 4884 firefox.exe Token: SeDebugPrivilege 4884 firefox.exe Token: SeDebugPrivilege 4884 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4656 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 4884 firefox.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe 2616 876d58e143.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4408 457f3cf2e8.exe 4884 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4656 wrote to memory of 1976 4656 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe 86 PID 4656 wrote to memory of 1976 4656 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe 86 PID 4656 wrote to memory of 1976 4656 33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe 86 PID 1976 wrote to memory of 4408 1976 explorti.exe 87 PID 1976 wrote to memory of 4408 1976 explorti.exe 87 PID 1976 wrote to memory of 4408 1976 explorti.exe 87 PID 1976 wrote to memory of 2616 1976 explorti.exe 88 PID 1976 wrote to memory of 2616 1976 explorti.exe 88 PID 1976 wrote to memory of 2616 1976 explorti.exe 88 PID 2616 wrote to memory of 3208 2616 876d58e143.exe 90 PID 2616 wrote to memory of 3208 2616 876d58e143.exe 90 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 3208 wrote to memory of 4884 3208 firefox.exe 92 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 PID 4884 wrote to memory of 2128 4884 firefox.exe 93 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe"C:\Users\Admin\AppData\Local\Temp\33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\1000006001\457f3cf2e8.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\457f3cf2e8.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4408 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDBGDHIIDA.exe"4⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\JDBGDHIIDA.exe"C:\Users\Admin\AppData\Local\Temp\JDBGDHIIDA.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:324
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIDAAAKJJ.exe"4⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\CGIDAAAKJJ.exe"C:\Users\Admin\AppData\Local\Temp\CGIDAAAKJJ.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4876
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000011001\876d58e143.exe"C:\Users\Admin\AppData\Local\Temp\1000011001\876d58e143.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account4⤵
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c54f09e6-8463-4fca-a322-76d907c670ad} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" gpu6⤵PID:2128
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7adb9255-2646-4ae5-9740-7909f395f58d} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" socket6⤵PID:1980
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 3148 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {938762e6-5777-42b0-bf9a-0d707bc4c72b} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab6⤵PID:4804
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -childID 2 -isForBrowser -prefsHandle 4016 -prefMapHandle 4012 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed6a9fff-6338-4e6e-9a7a-0f1181b800c1} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab6⤵PID:1560
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4580 -prefMapHandle 4596 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80b9ede1-3543-4d99-8b9b-1a6f1e695b85} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" utility6⤵
- Checks processor information in registry
PID:1660
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 27131 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f518e229-7f23-49ef-90e0-687d5303ccc2} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab6⤵PID:1740
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 27131 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05be70b0-344f-4b9a-9603-d74a22ec0c57} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab6⤵PID:952
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5748 -prefsLen 27131 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b9a681b-ee18-442c-9491-d5dec727e108} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab6⤵PID:1500
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4584
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4416
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4584
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp
Filesize21KB
MD5e22962254786008950b0c0223c44a51d
SHA11818220d3f8878b5b119ebf192b0fc59992a839d
SHA256d62e9239e763e0ab5c4d7b1ecc3dd2cf9d6f3bf0e48413624793258d848314da
SHA512249bcb23cefb518871b9b421152429b24e893c0052f8c0c35fff1564c7ec96c0714da3cdf226f1a0f4d84cc23a84a7200254e8396b0a577a8293021567e42900
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD5837746a41312db2c54eede0173b4d513
SHA127ccc7127ce84ce68c3b912c368001559233275d
SHA2564e787fe1d59571d536394c316ffaba614adbcaaa9a524e937717e5c4441a8e6e
SHA512c107cbba4b813d8c8f65e2640e05dbb41fd78a9f68bf223c6a72a66b1a4f63e8930d64482513a4d1c1829ba9f538e72d778ad6f51a59b959f667e21b5be9df45
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D
Filesize13KB
MD5460e7996f86cb06405b6d6e8322ad157
SHA1f4d565721011f9d940c9647d365bfe32ba83dae8
SHA25669b1cce20e418039fbda7c40a29794d5e4f268f8ea18fd6e1881787765e48766
SHA512d0ad9d7e3f6ef432e916ffb8170e0367f2754820d27bebe08e1a8f44bd0b2b925b57d0383eaef758d5ab43733f017ec7d68b8cf8820ebaef6d0ca068457f7574
-
Filesize
2.4MB
MD56df237049e2950a0da53ae449ade3db4
SHA15872182fc56499f265c841a068865245d692e971
SHA256110a3616523579af31689b0adb305d0dde68d103d2d836b1e1649df802dac599
SHA512dac17c622baf098208552e9a8dffb5fcbc5fce6404f7c76c8a555fd3bdd977ae732bd2225b9ac2ec35b694b7fc96750a7363b389f506fd891fa1a4014247e033
-
Filesize
1.2MB
MD55b007186724d7e9e503a07b4d81462d0
SHA1534940537380f689630b4b2c430a49d89bc3ad8a
SHA2561a2b0b66d16f99a5cd0c4e88e0e56e186fdf7d7eae86f9bd776d6f2de9d7e971
SHA512999498a8dec3f541eb59a42485d4bc265e3db41796409dd19a1135d6aa673645e269640b8cb5a4724ae072f1bf6952f856fe850ab08c371e96b2a6fa198bada0
-
Filesize
1.8MB
MD545dd9a569cfe0c0629b04c7df06dfcd4
SHA13376e39a006081cb9fd18bff5110eb12bbfa241a
SHA25633710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1
SHA512dd158bb54b46b8c1f61d202af80f610cd7599d41b5c03977d25e2b95215daaf0c163cfe74f32499b1366a1904fecb010db2891be2a8d0ca85c4a176a8cdbc574
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin
Filesize11KB
MD5a76fb948c329fa556541c050f92fd919
SHA1743cdb783691fe2ff2f0b22485be2cd3251b71ab
SHA256d4020adace8ffe631bbb7c93deb5d3f6a74c0e6122200115e69b3bc5d134b093
SHA51212904107e0631ed8e0f3adeb3578bbd4abb0ce8c6a9b20da82ae1dfb2b1210d3bf78cd285fb6d5104f3aa1c4b8417fcf37a558ded3b6f4c951e13d7755488aef
-
Filesize
256KB
MD56e0b9184fe6c0590d90f978fabffecdd
SHA1064a0569a9b8dbb6242b73278dfb924cb8ed3259
SHA2563ff7e088022a121e17e4284cd45b8ac6c2a7c557bdd1a4bc1e9043fe66363bb3
SHA512f3fa5b5642f11f56b48d51e483f4e468169fed101b928f227b120c6931a9846be42ed0a591ba8b715fb6a2bf576f77ab2d1f6e2f254f70a386dee3df5d9f38dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5de94fec449c3c8923ca76c558e5006af
SHA1e71db046ae0506b36846e9a45ca6c3a64858ee4c
SHA256af0a120762ed20f649c99314485d082ba87b7a9f92619005dcb07683c5fcf723
SHA5124d9042af71a995b049be3a0ca6cf063c295cb986f4ebaaa244f1db14f90cfcdadd44732c1d1efc714d003aa01ad7c3b4d60e6d26f45ded1cec9d77b2ba9f3d09
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5a0a1c31e08d99ce951aba94f0557f68a
SHA15f4a357dd87efffbaa1cfc3195de992a3612eb2e
SHA2562c1d834549f942a4ae812bd88c6c41b6ae523633176c9d924b2592ad5ef0dbab
SHA512e40071b8cdb3b22e68d5de00ea1b942849edfa26b388e9cd7d31f2f8a90ba78218337a8075eba19e38d3c8c3ad867e9afb650d0c7ccbaedef8ed2492e2b3f7d7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD52ad5f92345b1dcb232408b6f54b4a902
SHA180dfe910b3b3eb84f535d880b4e6c5ef287d65f8
SHA256293f9f53e9ef8059b690d2ed101ade71ac562946c16b17f387b3ea61f54d23ff
SHA512b47c859216e568de14c0ec7bc27e0bcaa9a16f0bbe7820fa895ca3067b2ad0d2eb021fcce70b651e150dd4fe590293f737f365138c7b2b6999218da13be7cb8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\814bb6f2-5376-4810-9ee7-38ef743ba2cb
Filesize982B
MD58dffef63bd4896f2a962ab8d6cc25b49
SHA1cc5f71f94845692aa852a2d810a4fa34cdb1325a
SHA256ff541b37c462b1cc0c48b06b9c603d7422d91ed5789a18fd0e745713413b45bb
SHA5121b2243fc90cae9341bc16a8701ca03b81dfafc17c396bee17dcbd5a4f87cfe564aab0c5ffb8b9de8d064f0e328c1fbf21d99501204f8a521d49fa5186c4be253
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\822741cc-1088-4f0c-ae77-d73cf392af1c
Filesize26KB
MD5adde43d81ec625b29ddb317b21705905
SHA198e9a5e049da8b93cd88e1d1ef0c35736e79882e
SHA256f87c8502c05a4c36d8e2c5e91f1b40bb05b53971b191db2e3cbd6794041a6c56
SHA512583c651284b9c5df99b23ff5398eba3c92f76bb124ba968618284d4a9e714b331fb9b9cea28f75c414f9c81c989b3853953e765eac9c7cf30a50dcac4634ef31
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\bbfb5ba3-4dd8-4f38-975c-ebb7cebcfdd8
Filesize671B
MD5e6897badfdf000b28c30489ba9d2ca92
SHA13135940c8842b41c50df5bf555cca1b36ff81514
SHA256488be2c325dde3d8db216a75b65835aed406f9510772af7673ccbb804c733404
SHA512940d430b7153f02f6a1780c6ff5aeb15562a2fb80b81119f5f8146b2df624a81b29ce2dd6d5b1747e2f08827382b6d16357c3f29b49c24e7698f48e1933e65d6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
992KB
MD546a4a4a94595e952284c71f8b79e1ab1
SHA16861abdf18c4a516de336a5ad81e588d1a39c824
SHA256943e13a1d941b2f09048913c9eb4c5c4961b0bda693690151bad20f596955071
SHA51283448bdfd9546df96980a46b7812b9c754affc8e4729adfa1a52fe06d7090c6cba518619738717542059a7e8c3077022b220e68c02a19d77148cebd13213f755
-
Filesize
12KB
MD51e7c13eee4cdd1784d0f9374d65d3352
SHA15f4b670dc861e0eb2aabf01b2df99503ba4be928
SHA25663843a1beac2d66bbcd7ebd1b74807291d519f37dc6d95309ee76cf2e71f092a
SHA5128e351c03f3cef58471f604a7aecb6d1c96f3aa0b0353fcfd35dac992d79b7411893a1ef8e0879ad521ee339f6c3ec88ae9127a6cf84fb4e5eee1486019b653aa
-
Filesize
16KB
MD514b1e9c09dfc53dca83907c8458e3a32
SHA12512d50a15e70284b783903ec1844b9d101d474e
SHA2565aacdaf9807224512b676060dc95282cf1bb94b843ed52e9f0d49126d6849322
SHA512a3c3c46beff83d1affc48a0be9095e97ddfaa70846be795cd0e0b439f69ef1ee1e1b0447c93a957c24b1f1bdaad6625d45a19a97d3796eeb7e9de5cac01ee71b
-
Filesize
11KB
MD5aa482da427a3a25bafe6c021de0c1b95
SHA1a0c3ab522aeec5589c4f98185d8bb075e8e9b6c9
SHA256b75ae672377c76fe2667950000fc92b05f356755152789a3277791cd77f23fd1
SHA512dc7cfc1cf666bf2363462e2d44c030336d0c326361eaf509f9c79c2f7090f48146282258005d5480af28a9bdc5a4afdc0dfc4ac29c63f9e742d1a93d43853440
-
Filesize
8KB
MD55ee7c1f2df0f33935ee51e697d708b11
SHA1aac651a555b58c68f320647bfb72a751128c1a89
SHA25639759b656c16b3c2e16bc1d985d59bace7ab2ebec272f167cb8b710aa4f1a582
SHA5126477be8323de9aa585d996d5ea0298e20991870ddffa9228697e77883f83829105bf1c9293285e16374c45a46716dcab57be5cf2449677548fba404cdcd8bfcb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize9.5MB
MD554485740cfd31e89dee66f3cce49416b
SHA11c824f87ee17349544db60f354a98b389c0322e8
SHA256d71e69290b482273a1977bcdaf0be72d41f5d94c7aa2594ed9787cf2445b80c8
SHA5122d599306f3a128fabdfb3992f7bef7f11e7c19964b2aa57fec6ba81a29bd43ab3ecc2d389742adba1b9cb6f72df7eccbf539d040ec261b4751dad68fe197571a