Analysis
max time kernel: 149s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12-08-2024 17:43
Static task: static1
Behavioral task: behavioral1
  Sample: b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
  Resource: win11-20240802-en
General
Target: b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
Size: 1.8MB
MD5: 0400d0f91db9d1a2cb7806b94b23be8a
SHA1: ec696470fcffb473ebdb5586d00a86bebb38be2c
SHA256: b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a
SHA512: 4053c07ff80f6d9044f241b9848071ed039a5df9472144f3a0da235fec6eb83871a6bd8b859a347205934ddc531c9cb83aa746aa1d439ff39d68ab9a5af2164a
SSDEEP: 49152:kS87XHVA4tnIh2erdVvXLHezW0gzq29VV:kS8D1AMnI5f/qzW0gzN
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted
stealc
kora
http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
1712 | explorti.exe
1624 | 8b56157048.exe
2772 | 41d095a501.exe
1572 | 70e74b7d23.exe
1672 | explorti.exe
4928 | explorti.exe
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine | b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine | explorti.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b56157048.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\8b56157048.exe" | explorti.exe
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/2352-44-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/2352-46-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/2352-48-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid | process
5068 | b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
1712 | explorti.exe
1672 | explorti.exe
4928 | explorti.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 1624 set thread context of 2352 | 1624 | 8b56157048.exe | RegAsm.exe
PID 2772 set thread context of 2464 | 2772 | 41d095a501.exe | RegAsm.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 70e74b7d23.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8b56157048.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 41d095a501.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
5068 | b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe (×2)
1712 | explorti.exe (×2)
1672 | explorti.exe (×2)
4928 | explorti.exe (×2)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 396 | firefox.exe (×5)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
2352 | RegAsm.exe (×6)
396 | firefox.exe (×21)
2352 | RegAsm.exe (×37)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
2352 | RegAsm.exe (×64)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
396 | firefox.exe (×4)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 5068 wrote to memory of 1712 | 5068 | b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe | explorti.exe (×3)
PID 1712 wrote to memory of 1624 | 1712 | explorti.exe | 8b56157048.exe (×3)
PID 1624 wrote to memory of 2352 | 1624 | 8b56157048.exe | RegAsm.exe (×10)
PID 1712 wrote to memory of 2772 | 1712 | explorti.exe | 41d095a501.exe (×3)
PID 2772 wrote to memory of 2464 | 2772 | 41d095a501.exe | RegAsm.exe (×9)
PID 1712 wrote to memory of 1572 | 1712 | explorti.exe | 70e74b7d23.exe (×3)
PID 2352 wrote to memory of 2412 | 2352 | RegAsm.exe | firefox.exe (×2)
PID 2412 wrote to memory of 396 | 2412 | firefox.exe | firefox.exe (×11)
PID 396 wrote to memory of 1952 | 396 | firefox.exe | firefox.exe (×20)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 5068
  [level 2] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1712
    [level 3] C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1624
      [level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 2352
        [level 5] C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          PID: 2412
          [level 6] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 396
            [level 7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f95f06b6-bf6b-4a59-a8fc-466fae33208f} 396 "\\.\pipe\gecko-crash-server-pipe.396" gpu
              PID: 1952
            [level 7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe892c60-baf4-409a-86ed-d7d78abec3b4} 396 "\\.\pipe\gecko-crash-server-pipe.396" socket
              PID: 3908
            [level 7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3048 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46fdc9a3-134d-48c1-8a1b-4f5030952b64} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
              PID: 224
            [level 7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49931685-0e56-4a11-be3b-813d669ada8e} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
              PID: 5024
            [level 7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4692 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a5b5ca6-bf45-4e23-b2b1-6a442d4548d6} 396 "\\.\pipe\gecko-crash-server-pipe.396" utility
              - Checks processor information in registry
              PID: 5260
            [level 7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 5608 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aea62460-9feb-4475-8131-0cf6ce817ffb} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
              PID: 832
            [level 7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5584 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16a62b2f-443f-4ca0-a21c-e3889275f5b8} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
              PID: 1112
            [level 7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 5 -isForBrowser -prefsHandle 5996 -prefMapHandle 6000 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6139cbcb-ff99-4a5b-acad-9f064b8e2f84} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
              PID: 2012
            [level 7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6188 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 6200 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a877a951-fc71-4798-8726-f21d600628fe} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
              PID: 3556
    [level 3] C:\Users\Admin\1000037002\41d095a501.exe
      command line: "C:\Users\Admin\1000037002\41d095a501.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2772
      [level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        PID: 2464
    [level 3] C:\Users\Admin\AppData\Local\Temp\1000038001\70e74b7d23.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\70e74b7d23.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1572
-
[level 1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1672
-
[level 1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 4928
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize: 206KB
MD5: fff78902d667ae5d4d5e6eca47703322
SHA1: aee23060c9cd8dad8afa9227d5f03b89fb18357f
SHA256: a823ed8e9c412d6d62fa3ad5742054f38b81175dca7604439a8ed06abd55a8aa
SHA512: ecf897f6885f71b4af40a85ed29ddc800f32f056d299357c7c50c62a8d670583592ecaea5bbcb9e6c2ca6d9dfcadfab81dc159e8e5d060ddd4fb918367e80176
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\activity-stream.discovery_stream.json
Filesize: 38KB
MD5: 407406b0a93a5e0aaf747307ca197c3b
SHA1: cb8354c28f4565c6e56a895368c12d60bec0ddc9
SHA256: 58b951f49a8a66ca2dfd5c499b5117991a96077a5e121c06675907114e548aa2
SHA512: e3f9ca5a74ecd4f09ac0a3b59d6dc8b132cbbd2699889aab552f0bfed8fe7f9b50256ac5faf93d543bbc829f1c46c0ec07eca74687ab4f8961a76e1ff87f7541
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: e6ade15a926c43a298f47112997c86ed
SHA1: 641f60fda0b6bdccc3fbcf863aadeb04360962ee
SHA256: 61ae1bec626ff37fd5b0e77154b9755af8608d7b453448e8d79de02746366ce7
SHA512: 8c653f3f21aa6257b5ad1d91c34ccf7c6744e8e42e7836c31d3f976e06e49d33a8531ceff9a0083f1d17ed9d108122a8236ff7dc06599677131451200589e79d
-
Filesize: 1.8MB
MD5: 0400d0f91db9d1a2cb7806b94b23be8a
SHA1: ec696470fcffb473ebdb5586d00a86bebb38be2c
SHA256: b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a
SHA512: 4053c07ff80f6d9044f241b9848071ed039a5df9472144f3a0da235fec6eb83871a6bd8b859a347205934ddc531c9cb83aa746aa1d439ff39d68ab9a5af2164a
-
Filesize: 1.2MB
MD5: 71dbe4bb236cc85e0eca13bbbeddc3be
SHA1: 134f1402299e1e3ddaad05989875725cfbe71763
SHA256: 65ef9eb886fbf27227211f2e8d9a5266adbe3206e00835b1b9018ea79c4816a2
SHA512: c208e1ceda249822b608ab23c58d17202d1b4d0be2d451398b0b0f20eae0ce15fadd5e943047048d133dfb53107a2a710673c7e0d7baead559e305cf3381f86d
-
Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin
Filesize: 16KB
MD5: d0da64ab3fcbd68821cd44f88cbc0904
SHA1: d69a41f5eb154ddda7a4bb666c70b704a2649164
SHA256: 0871e000e324fbbafa13a8b04b63491038e8a2565c8aac82405abeb86866ee12
SHA512: 3a305ea9ff91ae3ff6861eca1babcd6cb604d32d731f4b693ac535c81758a055978d58ad613be185d1f9dd7d4b785bef426afd5edb04caa28cc7bc16a53158c9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin
Filesize: 10KB
MD5: 9ddaa0e703c2da7ddc057a4a1ae6f701
SHA1: 8c361c70a0ef341af87b7d14a7df5e9b9378bf8a
SHA256: c5538987be4442408f3faec44319f0e9d82e658d26470d40599241e455bb9893
SHA512: 2704f88fed00b5e116b7a9dfa236c6efa93d58b9b6748d266f7c406c67b8df2adcb321ef4003c146a66fe1741725ec786c2546a02c06dfd5de70167edde1acbd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: d3bfd24d8238d109e1ef37d8d8733bec
SHA1: 32b14ee6790ca48f16c3faf2ef6797bdc32d691e
SHA256: cfa100ce91a11161a3d7104e84936fd14b9fe44805865196bc4f05b0a901b8bd
SHA512: 409918ed212b1d54b8b93dedfaf4e148e691d4b882e10f4ce1c42676f64e84725178c2dbce903c8b8aa3506145e635284bd20aae519837eedb8dbb7a67f4a13e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: d1bba225b3376d407b1de1763e41eec8
SHA1: 5e12cf50cadc72811b7b36af4fe83bf2a828a957
SHA256: 4959fe2ba78068a4ee4bed1cb9ef1c4cead5c7a79181f04af66582dbc6b3ba7c
SHA512: 975c98d2e321e599dcb3c1b3198b7e864e7250d20ee4d175b192189e57abbe8495604352cec161510cef2840ade5a29b859df8731dcb5b745ee2f76b5a931896
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\916c662b-1be8-4e9d-905b-4f6a517fd13e
Filesize: 25KB
MD5: 66551a2e4fbca1675b7ab7c92bfa5d8a
SHA1: 4ab9e0b6a789a9bf65f43068a5eaa5ec76b86672
SHA256: 4f6ef13a1db8ee355b8a4b9173f3d46fb92fdcddae4094ab3da94a762027b43e
SHA512: 3cc01c84056c33e4a875acff8f54600afc5c2d9ac782605ef18bdb5c50b015dcd7ada9da6dbea5060e85dca427dc68d735058bc204e01df070611f18d2be78a3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\ddf44aa7-f928-41a9-a774-ba9b2cffa9c4
Filesize: 671B
MD5: 83b1067d6dff178d1170ff55d94dad4d
SHA1: 71ae1092a6c92774fb14babc502aa01ec2432ab3
SHA256: df63907fc5bfc3bd84ca405f3716bc3a4040888f13bb71f065c8a58da32e31aa
SHA512: 1b0d5a4fbf0d4996a9105e8e38cbe9785d5642d398bb48297fecbcbcd8dcf9de809d669f2a490b520515962f1145ed31a69c63584bdc4049a2ca958a1887df45
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\e97d4c56-5048-4d5f-8d02-002a4bec533e
Filesize: 982B
MD5: 803d2893096d1087554d15bea3d7cfd9
SHA1: 6147500f6ddf30a4873a30a6b927f6cb45606954
SHA256: 712420565d2d8f5c77841fd7d9224c58c22a1e4f43583ef15728b4315c8b3218
SHA512: c3f163bb5d0d62ed1064b4f0a4fde8817435b66ee5df754216e896188da9ffd6b3445ca6eba656b24ceca18f9e22a94535d91bad8ca01ea9c079f1f998dffad4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize: 13KB
MD5: 7e683f523fd49d5fd662d7d954653e0d
SHA1: 5ce68bed31a90e1aa635cd97a3b44b7acff9a847
SHA256: 8a75fb014c9bce5ece346f356280433ae04f1293aa90cace1dae229e7faccfaa
SHA512: 34aa3cb3c3b275bd02c5ececeb557b72b757e776da192863a286fff1293eb7b49d6e7dc01ae0961b9a05283eeccd088ecb327a3a235ec4dff488bba0cb7e1902
-
Filesize: 16KB
MD5: 9eecde16b696b8d59ea2a418a2161adf
SHA1: d13c88459c1459d58a4310de880ec3dce132a755
SHA256: 799504ffa61d0f4b081ec97f6072200a29f3ca2e93fab92dfd7322e3e318703b
SHA512: cef0a481af73d096581f36aa80c5ac86b890798c0440b79085e7ae0d1b1a3cb5c2f6d6ad5e9ed56378f8c3b50a4c7a6abc16ad618690c20d8ed949fec3942b8a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.3MB
MD5: 444259ef7373f6541e633bcee20035a9
SHA1: 0fdec5dd89b256481c6508e46fbad447f9546c61
SHA256: 5991e3019fc0cf2813e7b57b9015d83502f9dfb12dedb95f6955e8cf09aec608
SHA512: d54b6ef920e141068953ef67209e6e56d40c26d3ad0cc2c01ca23e5b10bcacfa12c1ef5716b0ae2a91a5af0512eb3e9b2bede50ac6830e6190baa9fb048e112a