Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2024 15:10
Static task: static1
Behavioral task: behavioral1
Sample: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
Resource: win7-20240705-en
General
Target: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
Size: 1.8MB
MD5: 4c4b3ab5a3585886c61f2196330be874
SHA1: 31f66e71ac832fff02394525ff6828438a98b902
SHA256: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395
SHA512: 7bf3406cacf76ff374e5eba9125e2d278178fe3867f53dd5ad46c23b4f12b29a631dd0870183e5cad4945270eca090e9b2cb0380d1a8d652a7c46a522bd2423d
SSDEEP: 49152:M4lyrNmjQfikqd3J32GGiKLq/JhBMgRnAmC0+2AN:M4QeTJGGGiKLqvBmDf
Malware Config

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php

Extracted
Family: stealc
Botnet: default
C2: http://85.28.47.31
url_path: /5499d72b3a3e55be.php
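The two extracted configurations are the most reusable part of this report. The script below is an added example (not code from the report, from Amadey or from Stealc) that turns them into concrete host and network indicators and checks them against telemetry. The config values are copied from the report; everything else is an assumption constructed for illustration: the install-path layout `%TEMP%\<install_dir>\<install_file>` (which matches the process tree further down), the Run-value heuristic derived from the two values in the "Adds Run key" signature, and the proxy log lines.

```python
"""Derive host and network IoCs from the extracted Amadey/Stealc configs
and match them against telemetry.

Added example; not code from the sandbox report or either malware family.
Config values are copied from the report. The install-path layout, the
Run-value heuristic and PROXY_LOG are constructed assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AmadeyConfig:
    version: str
    botnet: str
    c2: str
    install_dir: str
    install_file: str
    url_paths: tuple


@dataclass(frozen=True)
class StealcConfig:
    botnet: str
    c2: str
    url_path: str


# Values as extracted by the sandbox (see "Malware Config" above).
AMADEY = AmadeyConfig("4.30", "4dd39d", "http://77.91.77.82",
                      "ad40971b6b", "explorti.exe", ("/Hun4Ko/index.php",))
STEALC = StealcConfig("default", "http://85.28.47.31", "/5499d72b3a3e55be.php")


def c2_urls():
    """Full C2 URLs: each C2 base joined with its configured path(s)."""
    urls = [AMADEY.c2.rstrip("/") + p for p in AMADEY.url_paths]
    urls.append(STEALC.c2.rstrip("/") + STEALC.url_path)
    return urls


def host_iocs(temp_dir=r"C:\Users\Admin\AppData\Local\Temp"):
    """File-system indicators implied by the config and the process tree.

    Assumption: Amadey installs to <Temp>\\<install_dir>\\<install_file>, and
    the .job file the report shows in C:\\Windows\\Tasks is named after the
    install file (explorti.job).
    """
    install_path = "\\".join([temp_dir, AMADEY.install_dir, AMADEY.install_file])
    stem = AMADEY.install_file.rsplit(".", 1)[0]
    task_job = "\\".join([r"C:\Windows\Tasks", stem + ".job"])
    return {"install_path": install_path, "task_job": task_job}


# Heuristic (assumption) from the two Run values in this report: data points
# at Temp\<10-digit id>\<10 hex chars>.exe and the value name is that file name.
_RUN_PAYLOAD = re.compile(r"\\Temp\\\d{10}\\([0-9a-f]{10}\.exe)$", re.I)


def is_amadey_run_value(name, data):
    """True when a Run value looks like one of Amadey's dropped payloads."""
    m = _RUN_PAYLOAD.search(data.strip('"'))
    return bool(m) and m.group(1).lower() == name.lower()


# Constructed proxy log: "<ts> <client> <method> <url> <status> <bytes>".
PROXY_LOG = """\
2024-07-20T15:11:02Z 10.0.0.5 POST http://77.91.77.82/Hun4Ko/index.php 200 512
2024-07-20T15:11:05Z 10.0.0.5 GET http://www.youtube.com/account 200 9812
2024-07-20T15:11:09Z 10.0.0.7 POST http://85.28.47.31/5499d72b3a3e55be.php 200 1024
2024-07-20T15:12:00Z 10.0.0.9 GET http://77.91.77.82/other/path 404 0
"""


def match_proxy_log(log, urls=None):
    """Return (client, url, kind) for requests to a C2 URL or a C2 host.

    A hit on the host alone is reported separately: the C2 IP may serve other
    paths (panel, payload downloads) that the extracted config does not list.
    """
    urls = set(urls if urls is not None else c2_urls())
    hosts = {urlsplit(u).netloc for u in urls}
    hits = []
    for line in log.splitlines():
        _ts, client, _method, url, _status, _size = line.split()
        if url in urls:
            hits.append((client, url, "c2-url"))
        elif urlsplit(url).netloc in hosts:
            hits.append((client, url, "c2-host"))
    return hits


if __name__ == "__main__":
    print(c2_urls())
    print(host_iocs())
    for hit in match_proxy_log(PROXY_LOG):
        print(*hit)
```

The host-side check is deliberately not a hash match: the dropped payload names (743c2d22e2.exe, 2e16582ffa.exe) and the 10-digit Temp directories are per-build, so the structural pattern carries further than the specific hashes listed under Downloads.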
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
VBOX__ is the OEM ID VirtualBox writes into the guest's ACPI DSDT; opening this key is a common VM check.
Processes: explorti.exe, explorti.exe, ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe, explorti.exe
description / ioc / process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe

Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe, explorti.exe, explorti.exe, explorti.exe
description / ioc / process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes: explorti.exe, 2e16582ffa.exe, ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
description / ioc / process
Key value queried  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation  explorti.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation  2e16582ffa.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation  ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
Executes dropped EXE 5 IoCs
Processes: explorti.exe, 743c2d22e2.exe, 2e16582ffa.exe, explorti.exe, explorti.exe
pid / process
4032  explorti.exe
1076  743c2d22e2.exe
2276  2e16582ffa.exe
6076  explorti.exe
4992  explorti.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe, explorti.exe, explorti.exe, explorti.exe
description / ioc / process
Key opened  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine  ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
Key opened  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine  explorti.exe
Key opened  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine  explorti.exe
Key opened  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine  explorti.exe
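Each of the registry-based environment checks above (VirtualBox ACPI ID, BIOS strings, Geo\Nation, Software\Wine) is weak evidence on its own, and the CentralProcessor reads listed further down come from firefox.exe, which reads those values routinely. What makes the sample stand out is several distinct checks from the same process. The following added example (not code from the report) scores registry events per process on that basis. The registry paths are the ones the report lists; the event lines are constructed to mirror the report's entries, including the firefox.exe reads as benign noise.

```python
"""Per-process scoring of anti-VM / anti-sandbox registry reads.

Added example; not code from the sandbox report. Registry paths are those
the report lists; EVENTS is a constructed excerpt in a simple
"<pid>|<image>|<operation>|<registry path>" form.
"""
import re
from collections import defaultdict

# Category -> pattern on the registry path (case-insensitive).
CHECKS = {
    "vbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I),
    "bios":      re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "wine":      re.compile(r"\\Software\\Wine$", re.I),
    "geofence":  re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    "cpu":       re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)", re.I),
}
# CPU reads are routine for browsers and installers: they count only
# alongside a stronger category from the same process.
WEAK = {"cpu"}

# Constructed events mirroring the report's IoC tables.
EVENTS = r"""
740|ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe|KeyOpened|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
740|ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe|KeyValueQueried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
740|ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe|KeyValueQueried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
740|ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe|KeyOpened|\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine
740|ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe|KeyValueQueried|\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation
4032|explorti.exe|KeyOpened|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
4032|explorti.exe|KeyOpened|\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine
2276|2e16582ffa.exe|KeyValueQueried|\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation
2804|firefox.exe|KeyOpened|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
2804|firefox.exe|KeyValueQueried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
2804|firefox.exe|KeyValueQueried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
2804|firefox.exe|KeyCreated|\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings
"""


def parse_events(text):
    """Yield (pid, image, operation, path); blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, op, path = line.split("|", 3)
        yield int(pid), image, op, path


def classify(path):
    """Name of the first matching check category, or None."""
    for name, rx in CHECKS.items():
        if rx.search(path):
            return name
    return None


def score(text):
    """Map pid -> (image, sorted categories hit, verdict).

    Verdict: two or more strong categories from one process is the
    anti-analysis pattern this report shows; one strong category is worth a
    look; weak categories alone are benign.
    """
    cats_by_pid = defaultdict(set)
    image_by_pid = {}
    for pid, image, _op, path in parse_events(text):
        cat = classify(path)
        if cat:
            cats_by_pid[pid].add(cat)
            image_by_pid[pid] = image
    results = {}
    for pid, cats in cats_by_pid.items():
        strong = cats - WEAK
        if len(strong) >= 2:
            verdict = "anti-analysis"
        elif strong:
            verdict = "suspicious"
        else:
            verdict = "benign"
        results[pid] = (image_by_pid[pid], sorted(cats), verdict)
    return results


if __name__ == "__main__":
    for pid, (image, cats, verdict) in score(EVENTS).items():
        print(pid, image, cats, verdict)
```

On the constructed events the sample (PID 740) and the installed copy (PID 4032) come out as anti-analysis, the AutoIt payload 2e16582ffa.exe (PID 2276) as suspicious on the geofence read alone, and firefox.exe as benign, which is the split the report's per-process listings support.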
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorti.exe
description / ioc / process
Set value (str)  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\743c2d22e2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000015001\\743c2d22e2.exe"  explorti.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2e16582ffa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\2e16582ffa.exe"  explorti.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource / yara_rule
C:\Users\Admin\AppData\Local\Temp\1000016001\2e16582ffa.exe  autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Calling NtSetInformationThread with the ThreadHideFromDebugger class stops debug events from the thread reaching an attached debugger; a common anti-debugging technique.
Processes: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe, explorti.exe, 743c2d22e2.exe, explorti.exe, explorti.exe
pid / process
740   ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
4032  explorti.exe
1076  743c2d22e2.exe
6076  explorti.exe
4992  explorti.exe
Drops file in Windows directory 1 IoCs
A .job file under C:\Windows\Tasks is the legacy Task Scheduler task format; together with the "Uses Task Scheduler COM API" signature below this is the scheduled-task persistence for explorti.exe.
Processes: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
description / ioc / process
File created  C:\Windows\Tasks\explorti.job  ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments. Here every read comes from firefox.exe, which the AutoIt payload launched to open https://www.youtube.com/account; treat these as ordinary browser behaviour rather than as sample behaviour.
Processes: firefox.exe, firefox.exe
description / ioc / process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
Modifies registry class 1 IoCs
Processes: firefox.exe
description / ioc / process
Key created  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings  firefox.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe, explorti.exe, explorti.exe, explorti.exe
pid / process (each listed twice)
740   ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
4032  explorti.exe
6076  explorti.exe
4992  explorti.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: firefox.exe
description / pid / process
Token: SeDebugPrivilege  2804  firefox.exe  (5 entries)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe, 2e16582ffa.exe, firefox.exe
pid / process (64 entries shown; repeats collapsed)
740   ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe
2276  2e16582ffa.exe  (repeated)
2804  firefox.exe  (repeated)
Suspicious use of SendNotifyMessage 64 IoCs
Processes: 2e16582ffa.exe, firefox.exe
pid / process (64 entries shown; repeats collapsed)
2276  2e16582ffa.exe  (repeated)
2804  firefox.exe  (repeated)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: 743c2d22e2.exe, firefox.exe
pid / process
1076  743c2d22e2.exe
2804  firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe, explorti.exe, 2e16582ffa.exe, firefox.exe, firefox.exe
description / pid / process / target process (64 entries shown; repeated writes to the same target collapsed)
PID 740 wrote to memory of 4032   ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe -> explorti.exe  (3 entries)
PID 4032 wrote to memory of 1076  explorti.exe -> 743c2d22e2.exe  (3 entries)
PID 4032 wrote to memory of 2276  explorti.exe -> 2e16582ffa.exe  (3 entries)
PID 2276 wrote to memory of 4588  2e16582ffa.exe -> firefox.exe  (2 entries)
PID 4588 wrote to memory of 2804  firefox.exe -> firefox.exe  (repeated)
PID 2804 wrote to memory of 3572  firefox.exe -> firefox.exe  (repeated)
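The WriteProcessMemory records are mostly the parent writing into a child it has just created, which is normal process start-up; their value is that they encode the parent/child relationships from which the process tree below is built. The following added example (not code from the report) parses records in the report's own notation, deduplicates them, and renders the tree. RECORDS is a constructed excerpt, with the repeats the report lists; the parser also works on the run-on single-line form the report uses.

```python
"""Rebuild the process tree from the report's
"PID <src> wrote to memory of <dst> <src> <src image> <dst image>" records.

Added example; not code from the sandbox report. RECORDS is a constructed
excerpt in the report's notation (with repeated entries).
"""
import re
from collections import Counter, defaultdict

RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")

RECORDS = """\
PID 740 wrote to memory of 4032 740 ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe explorti.exe
PID 740 wrote to memory of 4032 740 ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe explorti.exe
PID 740 wrote to memory of 4032 740 ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe explorti.exe
PID 4032 wrote to memory of 1076 4032 explorti.exe 743c2d22e2.exe
PID 4032 wrote to memory of 2276 4032 explorti.exe 2e16582ffa.exe
PID 2276 wrote to memory of 4588 2276 2e16582ffa.exe firefox.exe
PID 4588 wrote to memory of 2804 4588 firefox.exe firefox.exe
PID 2804 wrote to memory of 3572 2804 firefox.exe firefox.exe
"""


def parse_records(text):
    """Yield (src_pid, dst_pid, src_image, dst_image).

    Uses finditer so the records may be newline-separated or run together
    on one line as in the report. A record whose repeated source pid does
    not match is treated as malformed and skipped rather than guessed at.
    """
    for m in RECORD.finditer(text):
        src, dst, src_again, src_image, dst_image = m.groups()
        if src != src_again:
            continue
        yield int(src), int(dst), src_image, dst_image


def build_tree(text):
    """Return (children, images, roots, write_counts).

    children: parent pid -> ordered list of distinct child pids
    images:   pid -> image name
    roots:    parents that never appear as a child
    write_counts: (parent, child) -> number of records
    """
    children = defaultdict(list)
    images = {}
    counts = Counter()
    for src, dst, src_image, dst_image in parse_records(text):
        counts[(src, dst)] += 1
        images.setdefault(src, src_image)
        images.setdefault(dst, dst_image)
        if dst not in children[src]:
            children[src].append(dst)
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in children if p not in all_children]
    return dict(children), images, roots, counts


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process, two spaces per level."""
    lines = ["  " * depth + f"{pid} {images.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    children, images, roots, counts = build_tree(RECORDS)
    for root in roots:
        print("\n".join(render(children, images, root)))
    for (src, dst), n in counts.items():
        print(f"{src} -> {dst}: {n} write(s)")
```

Processes that were not written to by anything in the records, such as the two later explorti.exe instances (PIDs 6076 and 4992), do not appear in this tree; in the report they sit at the top level, which is what a scheduled-task launch looks like.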
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe  (PID 740)
  command line: "C:\Users\Admin\AppData\Local\Temp\ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  (PID 4032)
    command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\1000015001\743c2d22e2.exe  (PID 1076)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000015001\743c2d22e2.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx

    [depth 3] C:\Users\Admin\AppData\Local\Temp\1000016001\2e16582ffa.exe  (PID 2276)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\2e16582ffa.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4588)
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2804)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe, gpu process  (PID 3572)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1964 -prefMapHandle 1956 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99f058bf-942b-43b7-9060-f88d98c7cbcf} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" gpu

          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe, socket process  (PID 2160)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {705df6d0-a0d2-4159-baef-f6e4f00222f2} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" socket

          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe, tab process  (PID 960)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2780 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2808 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cafaa68-7519-4d93-b155-0f1ac39992db} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab

          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe, tab process  (PID 4716)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3632 -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3616 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebb702d5-7694-4d57-aab4-a5af47586cae} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab

          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe, utility process  (PID 5488)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4908 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4900 -prefMapHandle 4896 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf6d56f8-dc0b-45a7-b85a-b96464337fd8} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" utility
            - Checks processor information in registry

          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe, tab process  (PID 60)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 3 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {029a5fb3-79cd-4c11-9d3d-65dbf5a1e093} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab

          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe, tab process  (PID 3276)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ad54606-dae3-48fc-9b83-707f400c2180} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab

          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe, tab process  (PID 1632)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 5 -isForBrowser -prefsHandle 5924 -prefMapHandle 5920 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eadf64b-2ab7-4397-8f2b-3628cba2d77d} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab

[depth 1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  (PID 6076)
  command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Started at the top level rather than as a child of the sample, consistent with the explorti.job task the sample created in C:\Windows\Tasks.
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  (PID 4992)
  command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Started at the top level, as with PID 6076.
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json
Filesize: 21KB
MD5: 0927a7fe406f4f3adaf5255dd440f7f4
SHA1: b233db4d63b2f4faff336c54a73119dee10f8177
SHA256: 2f62d9c9a1585b4e9501f2806d03353c8dcc3db7a5a8c5e92809a9fd50da38f6
SHA512: b3a16c320fb1c2a0170360a2c8f862800c29ed2bc2187caa023f1644858f46747b6f3c78990cb2c323da1d062130862584530442072ef8903e917f0b50399202

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D
Filesize: 13KB
MD5: 5cb73e5ac6d44e994a75ebd9cae2beed
SHA1: 68ce2b9c0a0f1e54301989fdeea2adc5dcbc1374
SHA256: 54a0f45991a87b904f19b0b410d5ab411c1b385036fcb90aaae7e2d343b0c84d
SHA512: daeeaf723a3c6c9f6a61f865155dda887fda255f090b14b5f532a488b6e30c86f26b10db903b6b2ad3cc5da00e97af4b47a9baacb335eaec5b17d1ab3a2cafbf

(path not recorded)
Filesize: 678KB
MD5: f27a4cd423984e67c913698caab27dc3
SHA1: e03b4ecb1e8e2f359ebd1e78ee0cc68cf3075d0f
SHA256: 48f63e29f5a2f7a377600e6070f3b60c36b342cc12ed34230974d39a10522c01
SHA512: b87e868bd74187eda2667522a9b135eba75851783b70033702f1194c34e2a402fbaef6d306e05a4767ffe668605186187ed47e70d2ad6d8c92764d11f8974ae2

(path not recorded)
Filesize: 1.2MB
MD5: 677ed18220be9935e116eb637fc32c7d
SHA1: a50323d59b874425417cb5d6c4e7d55b2c300e0f
SHA256: 2c12ad3be28378a4ca90961b62fb0d2246a92a514777eab39831b26960e9476b
SHA512: 2fd3e745479651fdbfb1f98bd45817ccfe0fba6904a14f9f681e3a7548d3af6b8ad7b0036122af281de794cdccbe526967125b4755b2739de3f3dbd49a2de925

(path not recorded; same hashes as the submitted sample)
Filesize: 1.8MB
MD5: 4c4b3ab5a3585886c61f2196330be874
SHA1: 31f66e71ac832fff02394525ff6828438a98b902
SHA256: ac980b5cf3bf87c2646c29969aaa25ff25e63f58bad66a4db98e81f98a3cb395
SHA512: 7bf3406cacf76ff374e5eba9125e2d278178fe3867f53dd5ad46c23b4f12b29a631dd0870183e5cad4945270eca090e9b2cb0380d1a8d652a7c46a522bd2423d

(path not recorded)
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

(path not recorded)
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 202efa4c6ea9f803da8b47800db81fb6
SHA1: 80a5d4f934d6dee79f4047e448997c2490dbe41a
SHA256: 96bfee38bc39932a454acabaf2a7273f8855830be208b4005ec41ed9eb1b5d17
SHA512: 85601e56808145d1b0ee43782c1a9fe5d3c75014390b6de393dcd8178cdd1127cb8174691ddc570b76dc4f6429bc32322982c90448c03f9a3e6d28f5eacefa20

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 5e17789f1f9101cec3c430a657027a05
SHA1: 2698ec8889ca37c94f8a414b28ee058d87e04576
SHA256: 19d6e282e7aa1d8e1576735739be8770ebdd2eda17028d4c2815002c75a69ac9
SHA512: bf0e87e75878707a8d40bf7fd3231f64de5bc1ff53c56856476a01d2f883b816aa71c5645d53008d0e2a6b335defd377a69ee8d97893d50c576aec51625a94b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: 702cff84df697ccb66a2c2430f2a1049
SHA1: 78e2184e15a8ae63a9908192c6c81d386c249c95
SHA256: e276d23c9c4bf6220cd6a54000c211f68ade4b97b8befd8369922410a1447125
SHA512: 320cf640a0480c3477b7997381910ece55a55d8a0696d5035c9bbe909f1d604c4ec551abe7f13b1aa09d2caeaa64272975b246f743ee0dcce3aed1eb20a6063d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\3cc0459a-af6d-4e6d-bcc6-b69a408ba78d
Filesize: 671B
MD5: 81e826622015e4d55698687c52d193ec
SHA1: 7e244bb93307675fbcdfa5fd8af33a667ce08613
SHA256: e7db9ceb228e15aa6a81b01c7bb2050bf4be0f6e9be279cd4802d193a61cb1f7
SHA512: 9f8298b48bce6d3c181fb53121e581d3d9e03853fc45ed5407209855361d856e5113ec0a306457b4021e90994fdbd60477d832e0d10ebdb33d1c2cc530043bb6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\799ac6c7-3952-4d58-87d6-9dba6f8db1f2
Filesize: 27KB
MD5: 0573542e18beaa75797befef014e272e
SHA1: 3765e243856768191594b413ecf6c56ae5dfe581
SHA256: 5738c689167f84ce37f5f40687aa330f999606e20b88837448a1aa0f1cf9faa7
SHA512: 9e10562ab4a7f405098f641fdf2d0f9b47d06f2a953433cbd782ca243206e1f560fd32cb5229df29f93ccc6a3c43c257672fd050d751fec5c5e62f263004f7d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\fea37e49-8cc4-4e8a-8ebe-dc0742e67188
Filesize: 982B
MD5: 5db43351b9fb922521bdf98eb9283678
SHA1: 40b19068cb7b07b37ece5edde9c4346034e31421
SHA256: d4fde6b68972ce8f00da54a7049ba8a0dd7b10222398b888592b2b9782a9fbb5
SHA512: d63840d6852eea56989b2cb0400093dc2a210b7c0e2e8cef03cb1640c5938ee08b81267c49080fe3264f872ca77c1c696a9911d3ef7cc086fa1ef2f469b7864d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

(path not recorded)
Filesize: 13KB
MD5: 8552e95d632fc4d5978d54a8884193a8
SHA1: 4f75ea59369223d1c883a99fb800bc448214a7eb
SHA256: 01b8de3ec4ba464b44b5d4342e0b0368935590b8ea3a7594ff52728c7bc529f0
SHA512: 2fcde9ad105790df2aeefde8d84173b30a4fafc56dabe2c57de2d532072f0bb7ad67822b2de4d8f538dc2f04aee0d1522efe99316b5d7762405507507ef054e2

(path not recorded)
Filesize: 16KB
MD5: ed021a6650026c9d8c26f6f7a9498599
SHA1: 62e8c7034baa4f6f6b29238e01d9c98f159d9d67
SHA256: 36cdb34e6252c408ed357db53654a60819cbfc2e24d77c97f5e5a863aa83007c
SHA512: 719ad226896b6f2c386d0e1d11fd14218970e4955d1a5a049a790cab1f6437d896050e097acda2cdf6e521e786c63a6e3f6c387fa4f5ac47c7a97a8ca6c26c25

(path not recorded)
Filesize: 8KB
MD5: ea40eca261ec43ce0f399ff8c85fd697
SHA1: 1a166c8aaf8543c7ce9721046947756be5a4d28d
SHA256: aac3c45c3a974fd2aa5545c9e947e3a70d40d0782156d455c7f0caa06a8fd2b1
SHA512: 6fbe21b556f4bc3f9545831ac6b6ed63279cebd5c47850375d3db2003754e02d5367c963dadd5c9138ef6dc2f9e3e8042f652b8690d5fa208e6944586d832878

(path not recorded)
Filesize: 11KB
MD5: 355702a50c4df194959a75b96b8946ad
SHA1: fadcea8b9b79e42e0d711d7057fe1cd459a27689
SHA256: d74986eece449f7197b27e9fc6c5232056351e536135177b7e60954aa773c4f3
SHA512: f4eaf28035c259aa9a81ceec1777a5f1528162d6ec6b8f39b85c397cf6a63903816d1f4f7c79c504810b42519a2faf32095332df713358a332118e5f2ad209f4