Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
12-08-2024 22:49
Static task
static1
Behavioral task
behavioral1
Sample
74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
Resource
win10v2004-20240802-en
General
-
Target
74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
-
Size
1.8MB
-
MD5
1c001b7c1daa650908f734203a11329f
-
SHA1
d5cbdc631e0fc50f85ade35e12b9fd1d78053205
-
SHA256
74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1
-
SHA512
7f3eebb2d11f77ce9d242fb5610faa43081cb41b17bff3f37416b1b15bf71495f227f228f6b3efa6c5b685c0a1e5f1fdea8145ea6507fe4ac59483cdb0c42fa7
-
SSDEEP
49152:2GVkZJYb8UXrgcujxbbjNz5UT0kxe9QhcmmfVuZD:2GeU7gvjxXpmx/hcDf8p
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
explorti.exeexplorti.exe74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exe74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exe391f140264.exe64ba15d8a0.exe4b740206d4.exeexplorti.exeexplorti.exepid process 104 explorti.exe 2308 391f140264.exe 1464 64ba15d8a0.exe 3764 4b740206d4.exe 5392 explorti.exe 2992 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorti.exeexplorti.exe74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\391f140264.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\391f140264.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/1960-42-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/1960-44-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/1960-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exeexplorti.exeexplorti.exeexplorti.exepid process 3376 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe 104 explorti.exe 5392 explorti.exe 2992 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
391f140264.exe64ba15d8a0.exedescription pid process target process PID 2308 set thread context of 1960 2308 391f140264.exe RegAsm.exe PID 1464 set thread context of 1616 1464 64ba15d8a0.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exedescription ioc process File created C:\Windows\Tasks\explorti.job 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
391f140264.exeRegAsm.exe64ba15d8a0.exeRegAsm.exe4b740206d4.exe74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 391f140264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64ba15d8a0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4b740206d4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exeexplorti.exeexplorti.exeexplorti.exepid process 3376 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe 3376 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe 104 explorti.exe 104 explorti.exe 5392 explorti.exe 5392 explorti.exe 2992 explorti.exe 2992 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2540 firefox.exe Token: SeDebugPrivilege 2540 firefox.exe Token: SeDebugPrivilege 2540 firefox.exe Token: SeDebugPrivilege 2540 firefox.exe Token: SeDebugPrivilege 2540 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exeRegAsm.exefirefox.exepid process 3376 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 1960 RegAsm.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 2540 firefox.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exepid process 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe 1960 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 2540 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exeexplorti.exe391f140264.exe64ba15d8a0.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 3376 wrote to memory of 104 3376 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe explorti.exe PID 3376 wrote to memory of 104 3376 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe explorti.exe PID 3376 wrote to memory of 104 3376 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe explorti.exe PID 104 wrote to memory of 2308 104 explorti.exe 391f140264.exe PID 104 wrote to memory of 2308 104 explorti.exe 391f140264.exe PID 104 wrote to memory of 2308 104 explorti.exe 391f140264.exe PID 2308 wrote to memory of 1884 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1884 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1884 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1960 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1960 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1960 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1960 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1960 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1960 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1960 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1960 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1960 2308 391f140264.exe RegAsm.exe PID 2308 wrote to memory of 1960 2308 391f140264.exe RegAsm.exe PID 104 wrote to memory of 1464 104 explorti.exe 64ba15d8a0.exe PID 104 wrote to memory of 1464 104 explorti.exe 64ba15d8a0.exe PID 104 wrote to memory of 1464 104 explorti.exe 64ba15d8a0.exe PID 1464 wrote to memory of 1616 1464 64ba15d8a0.exe RegAsm.exe PID 1464 wrote to memory of 1616 1464 64ba15d8a0.exe RegAsm.exe PID 1464 wrote to memory of 1616 1464 64ba15d8a0.exe RegAsm.exe PID 1464 wrote to memory of 1616 1464 64ba15d8a0.exe RegAsm.exe PID 1464 wrote to memory of 1616 1464 64ba15d8a0.exe RegAsm.exe PID 1464 wrote to memory of 1616 1464 64ba15d8a0.exe RegAsm.exe PID 1464 wrote to memory of 1616 1464 64ba15d8a0.exe RegAsm.exe PID 1464 wrote to memory of 1616 1464 64ba15d8a0.exe RegAsm.exe PID 1464 wrote to memory of 1616 1464 64ba15d8a0.exe RegAsm.exe PID 104 wrote to memory of 3764 104 explorti.exe 4b740206d4.exe PID 104 wrote to memory of 3764 104 explorti.exe 4b740206d4.exe PID 104 wrote to memory of 3764 104 explorti.exe 4b740206d4.exe PID 1960 wrote to memory of 2352 1960 RegAsm.exe firefox.exe PID 1960 wrote to memory of 2352 1960 RegAsm.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2352 wrote to memory of 2540 2352 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe PID 2540 wrote to memory of 1052 2540 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe"C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:104 -
C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\391f140264.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:1884
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e51505-3a37-43ec-9128-81205587b0b3} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" gpu7⤵PID:1052
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86faec77-f1ae-4247-a41c-f95f52f830a5} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" socket7⤵PID:776
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3276 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbf44c23-a016-4089-ad78-8e050897ca08} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab7⤵PID:3408
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 2740 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b057f770-9a20-4e80-b00d-82b9b9fd0208} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab7⤵PID:4104
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3600 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4800 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b05f709-3249-4fc2-84c4-86de0c895a60} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" utility7⤵
- Checks processor information in registry
PID:4432 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 3 -isForBrowser -prefsHandle 5608 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45bb357e-1abc-4b66-9e77-e4fffb387dd0} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab7⤵PID:5788
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 4 -isForBrowser -prefsHandle 5736 -prefMapHandle 5732 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {374cd8a3-7484-4db3-abcb-bf1c26b5f16e} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab7⤵PID:5800
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5868 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5824 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b20f8f98-fde1-4f20-b395-359521d6c265} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab7⤵PID:5816
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6248 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ff89a4e-34c0-4808-b223-fac72d728823} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab7⤵PID:728
-
C:\Users\Admin\1000037002\64ba15d8a0.exe"C:\Users\Admin\1000037002\64ba15d8a0.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\1000038001\4b740206d4.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\4b740206d4.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3764
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5392
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2992
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5184ac865439679ad7884b845084b1aad
SHA1cdf22ebfa466e18e2e7e2d7bfa419e04d0bca2dc
SHA256a5105e830cde1a2cd8b5464114e3684b7c71b4680122918e6e213d86cb62b59f
SHA512cbe62b31319dbc5775cc67855be5413f0c13e050629cf12a4dde478080e22f0210078ec7b0c718346ead1cb5cec7959f907d4167d003877cf10d0e14f539c10b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json
Filesize35KB
MD5c32776bdb05e39c8e665b533224a2ecc
SHA14a3c5fe359d8c07402c94552684486c4b56faedf
SHA256d492e27cd990df3e04a80ef29d08ad4d169f9e7f09cfd7454b5aa3720adb0e7a
SHA51296219e6819a8b2e9d691e98e6b36de1fd9285d3308b151ce691f1badbb64b4b62bcac61124a57a1cbd0ed5782d03504069efe7fbbd3b4e245a94e63894e93643
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD5f2b437506e34253a3a4eed33b30b03e1
SHA18dfa0218ef254f716ccfe668d2473a11e7c9c66c
SHA256196e40ffe018663d6c837312a0fc9a50f19a65a2cbcaca5fd70b064525a03a3e
SHA512f6b8f577b98e95ecc26f5d53049c97b1e612e9c7ad739b6b87dde6e4b0df0971f7dcdc78262d5cd102a2597e675be058c0dc91acb0f3bbd1a0c76a167c0320ca
-
Filesize
1.8MB
MD51c001b7c1daa650908f734203a11329f
SHA1d5cbdc631e0fc50f85ade35e12b9fd1d78053205
SHA25674526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1
SHA5127f3eebb2d11f77ce9d242fb5610faa43081cb41b17bff3f37416b1b15bf71495f227f228f6b3efa6c5b685c0a1e5f1fdea8145ea6507fe4ac59483cdb0c42fa7
-
Filesize
1.2MB
MD50034ee4a88a9fc8d25c363524fa9fa0f
SHA1c1f17b6ccea75290c2c9c8d7f42856428e7fad29
SHA25645b08cdfdae665ef8140d7a099c7031c7ee582ba7a30dc9a484ac03775ec29a2
SHA512624e7aa712e79fae69a4e1e301f01710f584f0a85768aeab7a18739b26c9e1c146d007795b776c8e23721f42dec98d6a7edd04cc168e1995345a58ace71fa85a
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
Filesize10KB
MD5b93db465924a7a8eb6c7139c721bf906
SHA19216917b61431e445f0f1bb626668d00e9bba72c
SHA256d57730ce8095a3c040d92885f5b839c2eb1d02fe6117337372ae0cc4ae6f1efb
SHA512e7e1f258157bac863f458cb6907b702d6ce407ec478c57a93b57a263a4d0d43c247605610723ae8e68f94bcb0d092c6536bcd726f96af538cc46dda3576e2899
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD50b3776be0bd43b75e6994a805ac3802b
SHA1a13865245f99afb712354ff06bf5a0aac876bd6c
SHA2569c18b40ad0bc2fe82a650e4a033bf41bfa8bae8d94929b5bcab168eef053d0bc
SHA512549b621ed1ff6c987f23bbca0305653cef0e3e271a00864dff9a5ecb2307ff85905f7d9f0808cb004b8234bbe5915a28a0863fda7303b99b9fcf218259c1773e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD52edc23252831cc67f560a735f7c902aa
SHA1647ed7798462748464128ba77e13cc8cf859a7a5
SHA2566872a485eefc6cff4b7918a5221aaeaf7f80e51fd45488558eacdd90d0cc5342
SHA51267b1ee5f4757a3c193afd3bc4715f78785cd422d94b04aa2ecb21383b08650288af7e763760c1110fcec1589208ee75a1eabf4c7f59262b98d84cc2d73412557
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\807b5fa9-1cee-43b9-ae1c-d3e1f04941c2
Filesize26KB
MD5b00f3674f34fca19a854bfabf4274ab9
SHA13a48c4843de75896145c207d991a4a5a3b8817f8
SHA256bb470b20f0035c6668c62ec5007de4e71053ea0a4c3e99b5f021f5b08e5edd41
SHA51291f93f1aa9ffc1aab04a3fe2627ee1f3d5234711c01f4160cbf2d00c9f4fcbafc4667c7587e172f2a56f5b714ec4771419f8de8829d4babe8fa456135dfb2147
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\b8d3d12a-764c-4823-bc49-29629d20b568
Filesize982B
MD52e86c1b97913b97fd6f626b0e76a779e
SHA1ca50901eac05260b8dada3e44167e08ed1a202c4
SHA256c114fdae7d9556e7f453dc454499229e4f5531c7f33c281f11ea445d3b109b64
SHA5121fc6b8ecaf9c8149017211c59df39e88156cd2426d9757b06937e477d43bf59e427e2984fcde13160e373d53293943ff4ffccb708a0e5fcca9103a4813187b0f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\b9e9dc1c-d27f-47c3-b69a-5f24769ae6ea
Filesize671B
MD5f2cf24feab6eaeaa347b7f5fc8018ca8
SHA16d4d0998fb1fa203987d058cd6c1d22baf24f360
SHA256a638b51cf6b7cf4e9b3182d4e76f7439d174035602eda5872862675514979b36
SHA5120c98591a34b98209bc6d88c853dca769691083e35e265ff032eb9775f62dea65b54dd07f05824ba5e9ea9f34a9d0931a0cad6e0046aa461b6f31642f1dfd3f11
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
16KB
MD58f7e95a564b93350376c28983638f79a
SHA1c689692a30367dbd3387d44b3289f97b2e18760b
SHA256b2cde5eee56fdf11f1a6f26a022ed1239f8026639d91dc271a6d7be0867b46bb
SHA512b4b57cef5aaa8ed79571407e9c85d70f9de97f9df57da4b5803794e243e1b31d460cfdabce4ea573b8d0ccc12b1fe2c5dff267db96474ae3a994f6bde4a7fde7
-
Filesize
15KB
MD586e958a8dd8475b9d9a464baf546fe31
SHA1a6b110fa8cddd12716f042b4c9e5131e3a4ac04c
SHA25641a5153950b0d08d1b0225652a6a184d670b17c9d89509f6af33387145dbe1d3
SHA51255eff5be4fd5716d750e4d3af5f9e3d33f568398d0bb0277069eb60c93a3c53e9e9fcbd3417a8e481b43b1edf4d7feaa0abfdfd2dbc99de5700f4be4616caa4c
-
Filesize
11KB
MD5154aa79aea9762037a8f46a95bc9a0c0
SHA1a63f5e9f0a223310a7838c2ab94526d72d92356c
SHA256f4fd328065979bbe30a5aff8d82c973d6c04c5c18d9c5bb14a55addaaa41f223
SHA512c0f94e3b636828f3383104c961579275f7f78fc4ea512474db2236ab46e9d927f0b020923f855781db70bfa5495d6c3b8052faa92d36ad013cfe81fe8539cc0a
-
Filesize
12KB
MD5d8a8fd3f3d87fc43a5c80e7563d4dc39
SHA132588e27ca33fa49f1c5245a1b76e65a6abe6110
SHA256f9dc541436d764354c6c55636f35c847f0eb1dbbae5a13c88af9c56367acffea
SHA51209bfa7fc8aec42b1853da3389bbbcc933e39a41a0c3dfa9fb1a6f53d0836dcba6242628a86c016f8e5ae989984b33a94bbfa7155839f23fea5169fcca3189c7d
-
Filesize
10KB
MD5b46bf2b2b7882d1e04dfac2356cde2da
SHA116fced05b45371ce4c4f4066da86dc2e09540513
SHA256fb103db1847a4a6d8e00a1d42426823b6b7cf33be5dfe94c22f8b95e4d19a43a
SHA512419196c9ae9cd29407eb457948b3847186614a7a8ff93fe63d930fc5009966ad68affd82dc1b81c0c6fe5b458b49145945ca8ec56c28bf175c20af8220b654a3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD55164a0d615b587003263ea6a45a3e878
SHA1dad2786470fb84817e8b234b205ab09a2c75670b
SHA256b2623468442899b009a5486f3a2a3b224080fc045bda6f60effe9e49880b0b98
SHA5124cb68aa6744443a41f640f47da4280046b3fbc2fb1c4896044f8febc1959c4bdb374dfa0e43096f08c4b653231e27cd133e54ddb763fd4430c18c209800f6da0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.3MB
MD598fc8a13e74923bcf08a33ea109933b7
SHA1a46116aee992829d53a94d053e9fe40bbe87c6a4
SHA256aa009f269675531940f66743cde86105fed58247272877f2811864ad79955b90
SHA512aa1e718dfa9200ad5d9a9cd40e063612cdee59c474a1c59389a1f76eeea460fbfe6e1b9935463e966491cb4b8f862943e87fd729a997458a8e41518ad3160a35
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize9.5MB
MD5740c347606ef4cf605a48bfb737de470
SHA1b655ed67ab554f6496f8448e5c40e8c503da33dd
SHA256536eb9e234e35f41b3de6ba4b269e6fdf2e1159d6827130bc9379aa01ab2bfd0
SHA5123e3ccc82fe70c260ba4db11570330e5a6954f5e4a4427913d7c6d3d6849f3e5a022bd72a6f651eb7f1c5e46123532421fdc2cadbd18e0eec305fd18596d7e9c3