Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2024, 22:35
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240708-en
General

Target: file.exe
Size: 2.4MB
MD5: fcac53ade6abee5bd5c813c626a7dc2e
SHA1: 49d2890836e8122188c20cfe0d4e412862e58c02
SHA256: 17c2797cb63c1cc15869f36031c9dc2c7f63953ae08ee9f257faa3b7a916629a
SHA512: 03689b9d80408e79a258f234daa782c7721f4c4f69349838e89e7e6056c28a1f492e1fee1f62f5cde23adaaea64086eb4a2684261afa0c57ceb21b3e5855491d
SSDEEP: 49152:la3U2Quvnr17NUfsaGMXyKM7c7QabvKvfeuzfv3mGt2uUaSbK/NxHeFEKc8:gkgsxGjIkaZ4eY2um2eFEKL
Malware Config

Extracted: stealc
botnet: funny
c2: http://85.28.47.30
url_path: /920475a59bac849d.php

Extracted: amadey
version: 4.30
botnet: 4dd39d
c2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
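The two extracted configurations give two network indicator sets, each a C2 host plus a gate path. The Python below is an added example written for this page, not tria.ge or malware code: it indexes those values and grades proxy log lines against them, separating an exact hit on a configured gate from any other contact with a C2 host (which would still be worth a look, for instance a payload fetch from the same server). The log lines, the "/other" path and the grade names are constructed for the example.

```python
"""Match proxy telemetry against the C2 endpoints from the extracted configs.

Added example, not tria.ge code. CONFIGS holds the values the report
extracted; LOG is a constructed proxy log used so the script runs offline.
"""
from urllib.parse import urlsplit

# Extracted configurations as reported (family, botnet id, C2 host, gate paths)
CONFIGS = [
    {"family": "stealc", "botnet": "funny", "version": None,
     "c2": ["http://85.28.47.30"], "url_paths": ["/920475a59bac849d.php"]},
    {"family": "amadey", "botnet": "4dd39d", "version": "4.30",
     "c2": ["http://77.91.77.82"], "url_paths": ["/Hun4Ko/index.php"]},
]


def build_index(configs):
    """Return (exact, hosts): (host, path) -> family and host -> family."""
    exact, hosts = {}, {}
    for cfg in configs:
        for c2 in cfg["c2"]:
            host = urlsplit(c2).hostname
            hosts[host] = cfg["family"]
            for path in cfg["url_paths"]:
                exact[(host, path)] = cfg["family"]
    return exact, hosts


def blocklist(configs):
    """Full gate URLs, suitable for a proxy or DNS/URL blocklist."""
    return sorted(c2.rstrip("/") + path
                  for cfg in configs for c2 in cfg["c2"] for path in cfg["url_paths"])


def grade(url, exact, hosts):
    """'exact' for host+path equal to a configured gate, 'host' for any other
    request to a C2 host, (None, None) when the URL is unrelated."""
    parts = urlsplit(url)
    key = (parts.hostname, parts.path)
    if key in exact:
        return "exact", exact[key]
    if parts.hostname in hosts:
        return "host", hosts[parts.hostname]
    return None, None


# Constructed proxy log: timestamp, client, method, URL, status.
# The "/other" request is invented to exercise the host-only match.
LOG = """\
2024-07-14T22:36:01Z 10.0.0.5 POST http://77.91.77.82/Hun4Ko/index.php 200
2024-07-14T22:36:03Z 10.0.0.5 POST http://85.28.47.30/920475a59bac849d.php 200
2024-07-14T22:36:05Z 10.0.0.5 GET http://77.91.77.82/other 200
2024-07-14T22:36:09Z 10.0.0.5 GET https://www.youtube.com/account 200
"""


def triage(log_text, configs=CONFIGS):
    """Return (timestamp, client, url, level, family) for each matching line."""
    exact, hosts = build_index(configs)
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        level, family = grade(url, exact, hosts)
        if level:
            out.append((ts, client, url, level, family))
    return out


if __name__ == "__main__":
    for hit in triage(LOG):
        print(*hit)
    print("blocklist:", blocklist(CONFIGS))
```

The host-only grade matters because the stealc gate and the amadey gate are both bare IP addresses: a request to either host on any path is unexplained traffic to infrastructure the sample is configured to use, not just a near miss.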
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs, 4 IoCs)
The VBOX__ DSDT entry exists only on VirtualBox guests, so opening it is a direct hypervisor check.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CFHCGHJDBF.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | BGIIDAEBGC.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry  (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CFHCGHJDBF.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CFHCGHJDBF.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | BGIIDAEBGC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | BGIIDAEBGC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe

Checks computer location settings  (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | file.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | BGIIDAEBGC.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | d38314c416.exe

Executes dropped EXE  (6 IoCs)
pid | Process
1428 | BGIIDAEBGC.exe
4472 | explorti.exe
1676 | CFHCGHJDBF.exe
4484 | 7563d0efa9.exe
5084 | d38314c416.exe
1688 | explorti.exe

Identifies Wine through registry keys  (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine | BGIIDAEBGC.exe
Key opened | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine | CFHCGHJDBF.exe
Key opened | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine | explorti.exe

Loads dropped DLL  (2 IoCs)
pid | Process
3568 | file.exe
3568 | file.exe

Reads data files stored by FTP clients  (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers  (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting  (2 TTPs)

Checks installed software on the system  (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable  (1 IoCs)
AutoIT scripts compiled to PE executables. The hit is on a dropped file from the behavioral2 task, not on the submitted sample itself.
resource | yara_rule
behavioral2/files/0x0007000000023465-140.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger  (17 IoCs)
pid | Process
3568 | file.exe (11 entries)
1428 | BGIIDAEBGC.exe
4472 | explorti.exe
1676 | CFHCGHJDBF.exe
4484 | 7563d0efa9.exe (2 entries)
1688 | explorti.exe

Drops file in Windows directory  (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\explorti.job | BGIIDAEBGC.exe
The .job file name matches the Amadey install_file from the extracted config; together with the Task Scheduler COM API use below it is the persistence mechanism for explorti.exe.

Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry  (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments. The firefox.exe rows come from the legitimate browser that d38314c416.exe launched; treat them as noise rather than evasion.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | file.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

Modifies registry class  (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses  (12 IoCs)
pid | Process
3568 | file.exe (4 entries)
1428 | BGIIDAEBGC.exe (2 entries)
4472 | explorti.exe (2 entries)
1676 | CFHCGHJDBF.exe (2 entries)
1688 | explorti.exe (2 entries)

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1476 | firefox.exe
Token: SeDebugPrivilege | 1476 | firefox.exe

Suspicious use of FindShellTrayWindow  (64 IoCs)
pid | Process
5084 | d38314c416.exe
1476 | firefox.exe
(64 entries in total, all for these two processes)

Suspicious use of SendNotifyMessage  (64 IoCs)
pid | Process
5084 | d38314c416.exe
1476 | firefox.exe
(64 entries in total, all for these two processes)

Suspicious use of SetWindowsHookEx  (3 IoCs)
pid | Process
3568 | file.exe
4484 | 7563d0efa9.exe
1476 | firefox.exe

Suspicious use of WriteProcessMemory  (64 IoCs)
Each row is a parent writing into a child it has just created; the distinct pairs below reconstruct the process tree.
description | pid | Process | procid_target
PID 3568 wrote to memory of 940 | 3568 | file.exe | 89 (3 entries)
PID 940 wrote to memory of 1428 | 940 | cmd.exe | 91 (3 entries)
PID 1428 wrote to memory of 4472 | 1428 | BGIIDAEBGC.exe | 92 (3 entries)
PID 3568 wrote to memory of 4944 | 3568 | file.exe | 93 (3 entries)
PID 4944 wrote to memory of 1676 | 4944 | cmd.exe | 95 (3 entries)
PID 4472 wrote to memory of 4484 | 4472 | explorti.exe | 96 (3 entries)
PID 4472 wrote to memory of 5084 | 4472 | explorti.exe | 97 (3 entries)
PID 5084 wrote to memory of 2508 | 5084 | d38314c416.exe | 99 (2 entries)
PID 2508 wrote to memory of 1476 | 2508 | firefox.exe | 101 (11 entries)
PID 1476 wrote to memory of 1564 | 1476 | firefox.exe | 102 (remaining 30 entries)

Uses Task Scheduler COM API  (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
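The registry keys and the file path named in the signatures above translate directly into host-telemetry detection logic. The Python below is an added example written for this page, not tria.ge code: it encodes those keys as rules, scores constructed events that mirror the report's IoC rows, and shows why one weak indicator on its own (firefox.exe reading CentralProcessor values) should not produce a verdict. The rule names, the event schema and the two-rule threshold are assumptions of the example.

```python
"""Score the host-side evasion and persistence behaviour recorded in this report.

Added example, not tria.ge code. The rules encode the registry keys and file
paths the report's signatures list; EVENTS is constructed to mirror the
report's IoC rows so the script runs offline.
"""
import re
from collections import defaultdict

# Registry artefacts the signatures key on. Searched case-insensitively against
# the full key path, so hive prefixes and per-user SIDs do not matter.
REGISTRY_RULES = {
    # ACPI DSDT table name present only under VirtualBox
    "anti_vm_virtualbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I),
    # BIOS version strings commonly carry the hypervisor vendor name
    "anti_sandbox_bios": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    # Wine exposes its own key under HKCU\Software
    "anti_sandbox_wine": re.compile(r"\\Software\\Wine$", re.I),
    # Configured country, used as a geofence
    "geofence_nation": re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    # CPU description; also read by benign software, so weak on its own
    "recon_cpu_info": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)", re.I),
}

FILE_RULES = {
    # Legacy .job file in the Tasks directory: scheduled-task persistence
    "persistence_task_job": re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I),
}

USER = r"\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000"
MACH = r"\REGISTRY\MACHINE\HARDWARE"


def _reg(pid, proc, op, key):
    return {"type": "reg", "pid": pid, "proc": proc, "op": op, "target": key}


def _file(pid, proc, path):
    return {"type": "file", "pid": pid, "proc": proc, "op": "File created", "target": path}


# Constructed events, one per distinct (process, key) pair taken from the report.
EVENTS = [
    _reg(3568, "file.exe", "Key value queried", USER + r"\Control Panel\International\Geo\Nation"),
    _reg(3568, "file.exe", "Key value queried", MACH + r"\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    _reg(1428, "BGIIDAEBGC.exe", "Key opened", MACH + r"\ACPI\DSDT\VBOX__"),
    _reg(1428, "BGIIDAEBGC.exe", "Key value queried", MACH + r"\DESCRIPTION\System\SystemBiosVersion"),
    _reg(1428, "BGIIDAEBGC.exe", "Key value queried", MACH + r"\DESCRIPTION\System\VideoBiosVersion"),
    _reg(1428, "BGIIDAEBGC.exe", "Key value queried", USER + r"\Control Panel\International\Geo\Nation"),
    _reg(1428, "BGIIDAEBGC.exe", "Key opened", USER + r"\Software\Wine"),
    _file(1428, "BGIIDAEBGC.exe", r"C:\Windows\Tasks\explorti.job"),
    _reg(4472, "explorti.exe", "Key opened", MACH + r"\ACPI\DSDT\VBOX__"),
    _reg(4472, "explorti.exe", "Key value queried", MACH + r"\DESCRIPTION\System\SystemBiosVersion"),
    _reg(4472, "explorti.exe", "Key value queried", USER + r"\Control Panel\International\Geo\Nation"),
    _reg(4472, "explorti.exe", "Key opened", USER + r"\Software\Wine"),
    _reg(1676, "CFHCGHJDBF.exe", "Key opened", MACH + r"\ACPI\DSDT\VBOX__"),
    _reg(1676, "CFHCGHJDBF.exe", "Key value queried", MACH + r"\DESCRIPTION\System\VideoBiosVersion"),
    _reg(1676, "CFHCGHJDBF.exe", "Key opened", USER + r"\Software\Wine"),
    _reg(5084, "d38314c416.exe", "Key value queried", USER + r"\Control Panel\International\Geo\Nation"),
    _reg(1476, "firefox.exe", "Key value queried", MACH + r"\DESCRIPTION\System\CentralProcessor\0\~Mhz"),
    _reg(1476, "firefox.exe", "Key opened", MACH + r"\DESCRIPTION\System\CentralProcessor\0"),
]


def classify(event):
    """Names of the rules that fire for one event (empty list if none)."""
    rules = REGISTRY_RULES if event["type"] == "reg" else FILE_RULES
    return [name for name, rx in rules.items() if rx.search(event["target"])]


def score(events):
    """Aggregate the distinct rules each (pid, process) tripped."""
    hits = defaultdict(set)
    for ev in events:
        for name in classify(ev):
            hits[(ev["pid"], ev["proc"])].add(name)
    return dict(hits)


def verdict(hits, min_rules=2):
    """Processes tripping at least `min_rules` distinct rules, strongest first.

    One weak rule is not enough: the report shows firefox.exe reading
    CentralProcessor values as part of normal browser start-up.
    """
    flagged = {k: v for k, v in hits.items() if len(v) >= min_rules}
    return sorted(flagged, key=lambda k: (-len(flagged[k]), k[0]))


if __name__ == "__main__":
    for (pid, proc), rules in sorted(score(EVENTS).items()):
        print(f"{pid:>5} {proc:<16} {', '.join(sorted(rules))}")
    print("flagged:", verdict(score(EVENTS)))
```

With the events above, the three dropped executables that run the VirtualBox, BIOS and Wine checks rank highest, file.exe is flagged on the geofence plus CPU lookup, and firefox.exe drops out at the threshold.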
Processes

Each process is shown as image path, PID and command line, with the signatures it triggered; indentation follows the parent/child depth reported by the sandbox.

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 3568)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (PID 940)
    command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe  (PID 1428)
      command line: "C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  (PID 4472)
        command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\1000006001\7563d0efa9.exe  (PID 4484)
          command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\7563d0efa9.exe"
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\1000011001\d38314c416.exe  (PID 5084)
          command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\d38314c416.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2508)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            - Suspicious use of WriteProcessMemory
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1476)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1564)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {008c1c78-1b9f-4ef4-a86f-41382720d787} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" gpu
              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1692)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7279291e-adcd-4483-9cb8-e8a25a11754a} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" socket
              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3380)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 2788 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b5b6fd2-fc27-4404-bacd-8e0cbf343515} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" tab
              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1288)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4012 -childID 2 -isForBrowser -prefsHandle 4024 -prefMapHandle 4020 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96de096d-1579-40e1-9344-8b036ea810fe} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" tab
              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4476)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4832 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce72ebee-c5b8-4065-8447-677ce2152e21} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" utility
                - Checks processor information in registry
              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3472)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5256 -childID 3 -isForBrowser -prefsHandle 5248 -prefMapHandle 5212 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {069a1402-637b-4d3c-97e6-9db102caf75b} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" tab
              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1804)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 4 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c1ddf2a-cb95-4c1f-a57d-1b830850191f} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" tab
              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2200)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3cb552e-c806-4baa-ba16-feb7f84fd5da} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" tab
  C:\Windows\SysWOW64\cmd.exe  (PID 4944)
    command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe  (PID 1676)
      command line: "C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  (PID 1688)
  command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

Notes on the tree:
- The cmd.exe image path is C:\Windows\SysWOW64\cmd.exe although the command line names system32: file.exe is a 32-bit process, so its launch of cmd.exe went through WOW64 file-system redirection.
- The path ad40971b6b\explorti.exe matches the install_dir and install_file of the extracted Amadey config, and the two payloads under 1000006001\ and 1000011001\ were fetched by that instance (see "Downloads MZ/PE file").
- The second explorti.exe (PID 1688) has no recorded parent in this tree; together with the C:\Windows\Tasks\explorti.job drop and the Task Scheduler COM API use, it is the scheduled-task relaunch rather than a new infection chain.
- The firefox.exe processes are the real browser opened by d38314c416.exe on https://www.youtube.com/account; the SeDebugPrivilege, CentralProcessor and window-hook signatures attributed to them are browser behaviour, not payload code.
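The WriteProcessMemory rows in the Signatures section record one parent-to-child pair per handoff, which is enough to rebuild the lineage of every process in the tree and to notice processes that have no recorded writer. The Python below is an added example written for this page, not tria.ge code: the pid/name table and the edge list are transcribed from this report with the repeated rows collapsed, and explorti.exe PID 1688 is kept in the table without an edge so it surfaces as the second root.

```python
"""Rebuild a process tree from "PID X wrote to memory of Y" telemetry.

Added example, not tria.ge code. PROCESSES and EDGES are transcribed from the
report's WriteProcessMemory table; only the firefox child that appears in that
table (PID 1564) is included.
"""
from collections import defaultdict

PROCESSES = {
    3568: "file.exe", 940: "cmd.exe", 1428: "BGIIDAEBGC.exe", 4472: "explorti.exe",
    4944: "cmd.exe", 1676: "CFHCGHJDBF.exe", 4484: "7563d0efa9.exe",
    5084: "d38314c416.exe", 2508: "firefox.exe", 1476: "firefox.exe",
    1564: "firefox.exe",
    1688: "explorti.exe",   # listed under "Executes dropped EXE", no writer recorded
}

# (writer pid, target pid), one per distinct row in the report
EDGES = [
    (3568, 940), (940, 1428), (1428, 4472), (3568, 4944), (4944, 1676),
    (4472, 4484), (4472, 5084), (5084, 2508), (2508, 1476), (1476, 1564),
]


def build_tree(edges):
    """Return (children, parent) maps built from writer->target edges.

    Raises if a pid has two different writers, which would mean the edge list
    mixes injection into an existing process with process creation.
    """
    children, parent = defaultdict(list), {}
    for writer, target in edges:
        if parent.get(target, writer) != writer:
            raise ValueError(f"pid {target} written by both {parent[target]} and {writer}")
        if target not in parent:
            parent[target] = writer
            children[writer].append(target)
    return children, parent


def roots(processes, parent):
    """Pids with no recorded writer: the submitted sample and anything relaunched out of band."""
    return sorted(pid for pid in processes if pid not in parent)


def lineage(pid, parent, processes):
    """Ancestor chain from the root down to pid as 'name(pid)' strings."""
    chain = []
    while pid is not None:
        chain.append(f"{processes[pid]}({pid})")
        pid = parent.get(pid)
    return chain[::-1]


def render(processes, children, parent):
    """Indented text tree, one root after another."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{processes[pid]} (PID {pid})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots(processes, parent):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    children, parent = build_tree(EDGES)
    print(render(PROCESSES, children, parent))
    print(" -> ".join(lineage(1476, parent, PROCESSES)))
```

The duplicate-writer check is the part worth keeping in a real pipeline: genuine WriteProcessMemory into an already-running process would show up as a second writer for one pid, which this report does not contain.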
Network
MITRE ATT&CK Enterprise v15
Downloads

Entries without a path are files the report lists by hash only. The 2.4MB entry carries the same hashes as the submitted sample.

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 21KB
MD5: 602c127bdfa601d96f54c3d650dad097
SHA1: 3c5dbb138b615b9efb101c517629356a4d0edb5b
SHA256: 46cba93d345bf7fa41477a8e13894445674f2f927435216787746132087cda24
SHA512: 14aeac9142d09654c718ad7a03808edbc61936f3d0f72e52d509934cc6af5e5c29948820ed28e37b877676fcc0570dc24d2ecf847ee849693b335e5161ee540d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D
Filesize: 13KB
MD5: 497b9df5fa87aa1387c4b3d7ef1ca0a0
SHA1: b40ee35a4699a12562cc6b82c04c8a8b5feea1d4
SHA256: 36be0d262f43bb95f3a1e618a44d030ad924b20689d0721f20525b7bb24a0a5f
SHA512: e4e2c91cac8a7925f4085af97e95fcc5a760f8b72fee8d96c13c25edb3f54890e6977f3a3da9b24fcc6ac3e816c8ad34e92947b1d0a15ef4ee120392cb925f80

Filesize: 2.4MB (submitted sample)
MD5: fcac53ade6abee5bd5c813c626a7dc2e
SHA1: 49d2890836e8122188c20cfe0d4e412862e58c02
SHA256: 17c2797cb63c1cc15869f36031c9dc2c7f63953ae08ee9f257faa3b7a916629a
SHA512: 03689b9d80408e79a258f234daa782c7721f4c4f69349838e89e7e6056c28a1f492e1fee1f62f5cde23adaaea64086eb4a2684261afa0c57ceb21b3e5855491d

Filesize: 1.2MB
MD5: 91927606a724c341db688cc798879bfd
SHA1: 0f7110664498b4d037db0bb7bb7c3e41cdc4efa4
SHA256: ca279e3490d392e41efb3ce649f1d187f9ab6cee32a490d608fa24b6a6050234
SHA512: d2c09f9a4bf4a499b7b53436139b142dea0ef6dfde27008a37be52cacef09ab94ce2e35abf21e2cf2fdab586bad5a25953bcba60b7ba1bde65126722c87a508a

Filesize: 1.8MB
MD5: affbfbbc1052df9ad856c0a05306a913
SHA1: b791484e5d918aa7f692f95cf70633c2648e79a3
SHA256: a3026329d0bea6d65853bc011f2f1032da1b92e89c6c0c810734633628496c81
SHA512: 439a8d3163c4030a81d5cd7ccf7afeb0beaaf37ab083c6a9a38a25c125194b021b9efb00bceecdf96bf132f6d76789304865b0aa2a6fcf03d04d5929f7f6d53e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 4c7a5ed86352b4f9893399eeed1ac6a8
SHA1: 16bad1920fae3729f7401d9689231843b9101604
SHA256: dc3aafc843a4a21f0275a33475ea9ee28be05bd87ad9b705bc306e6ce88e124c
SHA512: 5d52d66ca587b0647aa2d42ce7a48bc3f2e447c5e548ab09f48bc5fdd3cb5e336c8b31b3147b726640e145671beabcdced453f6a7bb7001d28a7d8883e8f1219

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: f7185a8ac6d76f8446bc833dc0e78cff
SHA1: 02d5867afd18f4774e09d16aa158b93c9dd12c45
SHA256: 909a2e54fed0a74a5220dc042457bdd2b1bc865c64e7112d076880495ed58390
SHA512: 82ccbe060a56929ccee9d00a1c81d23f2f5a6af2fa9e86f70806bb866dab6e78babf070fc2d241978cf52f0d1c77762c25011240cd4fdfac8a76fcc88b214159

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: dc2b3ec60fcf3c0640210d570b59c967
SHA1: a957980795407f2084c763487681601dec9951f5
SHA256: f76daf1d272f3d8fc164adc89c632148dd9673d63597136e18bd6f1435abd161
SHA512: f103c6bb509e30fb82b765bec5b0967748c10be7c76326e4c8c13ac2cc83ac926b0ea34f8ac3db0393a908f755b348e07abc9165a63f952daa6e72827134ac9a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\3306cc86-12f3-4fc0-998a-bcdb931f5eb2
Filesize: 671B
MD5: d80f9bcd97997b8f081e1a2337e28374
SHA1: 9911f33f25c29aa75062612984145f2f2223ce18
SHA256: 8ec98201ab2b57153a06a5cebffa812c1013c28d5d270bcd151e44e6c027504f
SHA512: 2b1b70bb9abf3533e48079689b93e668f1a39dd783f59279f435ce22e1e77f7559363d327a8285e340ef77c1303ed0517ed9283ad2f9e282cf1b6f5d7695b9f5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\b299237f-83e2-4f24-8201-286d758f8232
Filesize: 982B
MD5: ebe43e90c883b6c74fc61e279c6f9176
SHA1: 933f99fa2aba4ab421598e74df007c5ca5a4b550
SHA256: b5ad88e8d4554a5004147963d0b165f2f79dd7f8013af0c564c9def0e8662b25
SHA512: 476fbef042a3b2d77957af85bd9a2b1c76ff97bdafe58991a3d62c4c4374b7ace84f434d5e2778eaec607150c2f2db324f4e49c7c598f750f06aa627495220cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\e1189cb8-5b12-43a4-8a2a-1cd574c6ef22
Filesize: 26KB
MD5: 0bde7c7d1e7b098eb4b52c29aae835af
SHA1: 5ee98e758f9afcf37fb4d7113436c573f1216047
SHA256: 9a136408e9a5575a5ecb50aea9dc105db46df755f572ae12f12663292e0d8c2f
SHA512: a325ec2152ce9269204d34272f178dcefd9ac5bd132e1980206d6d8063e39d2968a530ed58f604e641cab19c02f6b113f965027131525f807e13f56b7d96b4a4

Filesize: 12KB
MD5: 76f4ab28a4b7caf4d55ff48dcc3f6c19
SHA1: 6e35c7e7c07947521c8afd8ea99f661f416c8ead
SHA256: 0bac2b762f4fefec26c001d5afab086de86c9f480cdd685de969c026d95de11d
SHA512: bda3f5b7976a700913925e25c1db791e745a87a154bd74a49a975f50f0d395a648814fa5b21821c4bcaaca704567e44bb2606bebabf5c0e9202521ecc411a59d

Filesize: 12KB
MD5: b15ecbb60aa8c2daeaf13757f0ed7df0
SHA1: 0bdabe426ecd26892500030db32560926143b24d
SHA256: 8f95a0d9a9b75dca546065e5a6cc5023f196dce074779426e6f87506f8ac6104
SHA512: a7d9a957987617539c3a7dded5821552e08f0ada2052b2b6a28d0812d7d9d919809e39dc4620295fe4213c447b508f2af2e3d6a2b8e608f97052a95f2af0ebcd

Filesize: 11KB
MD5: 1004a5b744cd2b7eaecc994eec2c8d5c
SHA1: 2a92cd4c727aceaf0acb79e22dacf4a204261842
SHA256: b1420143e9dc45af9e992a742166f68de9417f8ef29beda3f237acb7997cdfaf
SHA512: 547fe85e84bed7fbd31344ae50d4c789c57200a74435d682f1f63541d5943975d2e5a18f11d60251c894ed11cea22bc27e569172c60b86a1b72c5e4a2e2e9a96

Filesize: 11KB
MD5: 5f429ca0e62ec7327f6d7a44712ea857
SHA1: c6fcf058bb1ae5a9b6f115879138194ca79cfe67
SHA256: a28c3836ba2cd9c281d42330c1f07288d6ffae3fc78979069898921d35f5f8d7
SHA512: 090822967a8f9d74438e1e2cbf6e27684dee54ca320ae5cf9b7fbf913c21bbfb9f8e4d8679b610426152884de2b5ac500dedbbcbbf5841eff253c36ef972ef63

Filesize: 8KB
MD5: 10702eff3edf06b284c9b98a17da1007
SHA1: adfefa3e4e2ea0d08bc67135b719d12ae661b258
SHA256: 31c1f5dee381fa886b653937c420b149a8e619cfa79c20bcb3b52c850c4bf451
SHA512: 63630f615a0b378263274a704e1b7203d1762a973434dbcc5a5d7d60bb60cedb46257241c814121ab262c5d702e14073a80dff5ceb45eee0d44f9587d9bf4fba

Filesize: 8KB
MD5: 5e1fa910e510622685babcaf1eec39e4
SHA1: a2ef25ff3f871a260b64b5f85afb101c53b4b206
SHA256: d88a2d0a20f605fbc01d2202dd63a9657e2bebb24c8059a983a63a7f5d6105f6
SHA512: 8dbce9777dffa46c4a3fd1994136dfed57c5b77483d8846276e1fff07a6e914c0d42c502730c2a2363376be9b272aca01cfc5ad6765d466b5640943aad2cdeeb