Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 13-08-2024 10:04
Static task: static1
Behavioral task: behavioral1
Sample: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
Resource: win10v2004-20240802-en
General
- Target: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
- Size: 1.8MB
- MD5: ba37a189ab35239217ccdd4f4766c71c
- SHA1: 3c0026b03213b6aa832f7e6221f1ebc601066898
- SHA256: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765
- SHA512: 03940a1b0310e5a37931e531f4c65a53c9adab784c527e50065f5e22f10687d8f0f260a1c51453e4ffe780205c4bdd8603cac3a72bc461acb3c8ab6a20bee474
- SSDEEP: 49152:cokvS72lZo7r7awCDiJBW/U4os6bWW9fUNB/oL/kaRbmwJ:Lkuh73awC6QU43BI+VoTkabn
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
- install_dir: 0d8f5eb8a7
- install_file: explorti.exe
- strings_key: 6c55a5f34bb433fbd933a168577b1838
- url_paths: /Vi9leo/index.php
Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copy of, the web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe, explorti.exe, explorti.exe, explorti.exe
description / ioc / process:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, explorti.exe, explorti.exe, e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
description / ioc / process:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
Executes dropped EXE 6 IoCs
pid / process:
- 5048 explorti.exe
- 1624 a61151bbb9.exe
- 868 1bf64a96e4.exe
- 1592 66ed5fb3ce.exe
- 108 explorti.exe
- 1316 explorti.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: explorti.exe, e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe, explorti.exe, explorti.exe
description / ioc / process:
- Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine (e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine (explorti.exe)

Adds Run key to start application 2 TTPs 1 IoCs
Processes: explorti.exe
description / ioc / process:
- Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\a61151bbb9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\a61151bbb9.exe" (explorti.exe)

AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource / yara_rule:
- behavioral2/memory/4072-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
- behavioral2/memory/4072-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
- behavioral2/memory/4072-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid / process:
- 2424 e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
- 5048 explorti.exe
- 108 explorti.exe
- 1316 explorti.exe

Suspicious use of SetThreadContext 2 IoCs
description / pid / process / target process:
- PID 1624 set thread context of 4072 (a61151bbb9.exe -> RegAsm.exe)
- PID 868 set thread context of 3280 (1bf64a96e4.exe -> RegAsm.exe)

Drops file in Windows directory 1 IoCs
description / ioc / process:
- File created C:\Windows\Tasks\explorti.job (e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 1bf64a96e4.exe, RegAsm.exe, 66ed5fb3ce.exe, e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe, explorti.exe, a61151bbb9.exe, RegAsm.exe
description / ioc / process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1bf64a96e4.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegAsm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (66ed5fb3ce.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorti.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a61151bbb9.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegAsm.exe)

Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description / ioc / process:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)

Modifies registry class 1 IoCs
description / ioc / process:
- Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings (firefox.exe)
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid / process:
- 2424 e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe (2 entries)
- 5048 explorti.exe (2 entries)
- 108 explorti.exe (2 entries)
- 1316 explorti.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 5 IoCs
description / pid / process:
- Token: SeDebugPrivilege 3400 firefox.exe (5 entries)

Suspicious use of FindShellTrayWindow 64 IoCs
pid / process:
- 4072 RegAsm.exe and 3400 firefox.exe (64 entries in total)

Suspicious use of SendNotifyMessage 64 IoCs
pid / process:
- 4072 RegAsm.exe (64 entries)

Suspicious use of SetWindowsHookEx 1 IoCs
pid / process:
- 3400 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe, explorti.exe, a61151bbb9.exe, 1bf64a96e4.exe, RegAsm.exe, firefox.exe, firefox.exe
description / pid / process / target process (repeated entries collapsed with their count):
- PID 2424 wrote to memory of 5048 (e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe -> explorti.exe), 3 entries
- PID 5048 wrote to memory of 1624 (explorti.exe -> a61151bbb9.exe), 3 entries
- PID 1624 wrote to memory of 1440 (a61151bbb9.exe -> RegAsm.exe), 3 entries
- PID 1624 wrote to memory of 4072 (a61151bbb9.exe -> RegAsm.exe), 10 entries
- PID 5048 wrote to memory of 868 (explorti.exe -> 1bf64a96e4.exe), 3 entries
- PID 868 wrote to memory of 3280 (1bf64a96e4.exe -> RegAsm.exe), 9 entries
- PID 5048 wrote to memory of 1592 (explorti.exe -> 66ed5fb3ce.exe), 3 entries
- PID 4072 wrote to memory of 2104 (RegAsm.exe -> firefox.exe), 2 entries
- PID 2104 wrote to memory of 3400 (firefox.exe -> firefox.exe), 11 entries
- PID 3400 wrote to memory of 2032 (firefox.exe -> firefox.exe), 17 entries

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (the level number is the depth in the process tree)

Level 1: C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2424

Level 2: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 5048

Level 3: C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1624

Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID: 1440

Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4072

Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Suspicious use of WriteProcessMemory
PID: 2104

Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3400

Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1908 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c558990-19c2-4ef3-a0c1-0f6028c891eb} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" gpu
PID: 2032

Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {178885b0-55b3-4b17-bc45-1457e6aa0043} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" socket
PID: 4948

Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3324 -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3312 -prefsLen 22587 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {731eec53-05fb-4a15-8067-51939b86c9c1} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab
PID: 1424

Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3976 -childID 2 -isForBrowser -prefsHandle 3056 -prefMapHandle 1484 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdbe2063-f6cd-4378-9177-780baa57bb9c} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab
PID: 2664

Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4704 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4776 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8344ea86-652a-4da7-8806-5d30f6a3a8fd} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" utility
- Checks processor information in registry
PID: 4652

Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5280 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {425bd169-fbfa-4a8a-bb80-f6a069029b68} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab
PID: 3308

Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {111a9db5-51c1-4ebb-8593-1eada836ba8e} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab
PID: 2424

Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {678d7c01-ed33-45cc-ac1f-fa1dd73ea2d4} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab
PID: 1428

Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6204 -childID 6 -isForBrowser -prefsHandle 6184 -prefMapHandle 6164 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eadae736-5736-4845-9d39-32f19d28f593} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab
PID: 5036

Level 3: C:\Users\Admin\1000037002\1bf64a96e4.exe
Command line: "C:\Users\Admin\1000037002\1bf64a96e4.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 868

Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
PID: 3280

Level 3: C:\Users\Admin\AppData\Local\Temp\1000038001\66ed5fb3ce.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\66ed5fb3ce.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1592

Level 1: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 108

Level 1: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 1316
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Downloads

- Filesize 206KB
  MD5 cb4e84cce0305faa0a43117b20174638
  SHA1 5e0b5ea5e872486aaaaa28379ea08611f4a93a91
  SHA256 5d3fbab87e5beaff194ad29e919aff1306fd5be2eb1beefaac069ffd5472e537
  SHA512 a8be13a3d14c11f91b3d7feb7b5fc05aea026e00c1df8d01aef30e27da6441bb3734c406ffcd235fff7c4113b0bfe251cb7aec2620864d6689f6b2b8a37ce42e

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json
  Filesize 41KB
  MD5 72c860dd423c08d24206cc096c61aead
  SHA1 ccdd7a66ad2faa1c0789b54ad2cdfa19547123f4
  SHA256 450cb6b3d8a7058759e164f3b499845d76246cfb2529a3df7fc3161100b55894
  SHA512 588d1aa82a673cbea94dbeef6570e0d81b0603126436e2fd9274d259e7571711bea453334f8ab1da96717be161ef0068c97d3209b6bb642c558791b9d1da7ad5

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
  Filesize 13KB
  MD5 d8f23beb5549303048f142a5bb70feff
  SHA1 865057561baf0a834d8038b84bf9ee0e8e5572b0
  SHA256 f071c5194a7fc8a40c60516e90a7bd297f26ef1c73f9c712f8e0f7205ad75d33
  SHA512 b88619e0a6aa08fd1add5c392d44f666d869b251dc0d63cfcf899dd22a1d6066a4f1351ff5d58728ade8107c3a60d71960d573c5188f46db630ed1e925737faa

- Filesize 1.8MB
  MD5 ba37a189ab35239217ccdd4f4766c71c
  SHA1 3c0026b03213b6aa832f7e6221f1ebc601066898
  SHA256 e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765
  SHA512 03940a1b0310e5a37931e531f4c65a53c9adab784c527e50065f5e22f10687d8f0f260a1c51453e4ffe780205c4bdd8603cac3a72bc461acb3c8ab6a20bee474

- Filesize 1.2MB
  MD5 7df65683dbced3f7291eb39076e2e5e8
  SHA1 71713f2fe64b7750c91bb5cf5f430bc4cd98fe1b
  SHA256 04b82fddffd0735b575f82f9ae450409fe93496a86dfc5eef2f93e22e5f3be0d
  SHA512 179aa98c467a961acac274b6f0a2e8f907304a82dabd53019de273255942e90debeb1948f1e293476a922391f17b695ca8ff2620320db3d61ecf19a3cc650c36

- Filesize 187KB
  MD5 278ee1426274818874556aa18fd02e3a
  SHA1 185a2761330024dec52134df2c8388c461451acb
  SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
  SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

- Filesize 479KB
  MD5 09372174e83dbbf696ee732fd2e875bb
  SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

- Filesize 13.8MB
  MD5 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin
  Filesize 7KB
  MD5 555e68a2a0cd591f956e72bb6a06dbbf
  SHA1 39d5d7d8ca89abb392f51eab1a34722fb590a858
  SHA256 7de65404d69f70a88cc8c257a8e6121240a57ed2600be4d3967118a27c09b8a0
  SHA512 d2e11d9c164269a02d66d7cc489ddf5a169f07f80b8caaae8e01f0017de91a1bf3f40b808a5905106e9f6cdcf52913ddf7d8a4f83e9f78384a7803f219bb73a8

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin
  Filesize 10KB
  MD5 8782f0a7ac7adbf6a274fa01b69c70ba
  SHA1 8a5afe4a767ebbe88e6e623e6bc313b372995504
  SHA256 c9bc469758c18d5dbd66c6e983c34e4684869487e2b6fc63b25ec09ce2a8ea1f
  SHA512 86404ba045e36895c9b749588e3a7531764605e54ac23740915c76f9312a9d938b81339e067b0e2e569d50ca3a09ed76d15efafe3c9343661bcff875e9c10643

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp
  Filesize 5KB
  MD5 e5e8141e4d5e3e318521995f67a3596d
  SHA1 935923323d080dae9db39284def1169e1be4bd3f
  SHA256 d07834a7c9ff75095b7072e4ba3a1e5b5c6b0552ed53ce3bf93cb1a2d2d1e38e
  SHA512 dc5ef4e28e5c622bf1c52fc483224c47d1bfbb1c8195863df3b2fe8fdf2df024485c56cd2d4c6f5b6568d116f9172e52aa922cea3619db7a100d0bab9d8ed469

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp
  Filesize 16KB
  MD5 4e75e8f81c4890a5072995ba363a0a08
  SHA1 086941994ad5c259f9a4af4c4f74970bf8eb13a0
  SHA256 dbbf9df3810e111cfd58ca3cb40326e7d9d3a8113689d4adcb2a85b988437c71
  SHA512 c27444ee005dbf378b3947f650517b9bab3bc458cbec372d558ca1bf6ca9c1642e4e83136a6c536cb86da841e1ec7f2afc52db654ee2fbe8d81c5a3a6daacc29

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp
  Filesize 16KB
  MD5 561b45c247ea1d497312c7580372ad88
  SHA1 281837b0538e258e742549c1618745915c8b3459
  SHA256 eaece00cc7e6de46ed74e608736713a4f776c5c02b707434274398ded914ba37
  SHA512 c0d1b6fe9523b8c9172810aa66b64cf55a8975d8ef1635de6074eca0ff3e777fbf4f39f0ac0f826c387a12c12797870a987639192fa0e404b228ba5b058af98b

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp
  Filesize 32KB
  MD5 4fd98e42a04d0c7642c4c815cd5ae00c
  SHA1 946924d7daae8a5d2aaacd4d8721f7756b2cab41
  SHA256 30969fd70ed2ed36f67522956156a0f0b49721d16db2e72d47ea72b00340b6a3
  SHA512 d6569d3715d319eae672682fc6bdac7552e70b642e5a4adf686a9336a6a0cae8c410069f8fb1b1bfebe758a3050f1b9bc33a7df68f688f0559de46781642e173

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\790a5dd4-7a14-484c-8cc0-064502d6ca6e
  Filesize 27KB
  MD5 d1a4a20a790a1e47cb538c89dfeffe58
  SHA1 0aa6c292042604e592c6fb9f66a53ab9e65ac280
  SHA256 bef081e7f2fcd04e51277a021579380cd1903befc7ec531a2fb544420c1b9436
  SHA512 7cad19f2c556e3b237a4919dd2b73a29b8be0b44adc3ba107621d133278b5a7d436a732384e5e90fe34d0ff6e91e9bd7fd45066701a073b1e5b1b2f6982af12a

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\d609fc36-eac1-459c-bba5-48892600f835
  Filesize 982B
  MD5 f355c815616d3d08bd95399cf9b0a042
  SHA1 ea273f52a74458315b847c9ad316f1a8f5726f2a
  SHA256 30b740c4f6c3a279f4f68bdf795f06454e576acb5f14c347f8578c388b255983
  SHA512 86c4e6c671e8e4e2e7d81e444f59d78b14fcc2a29f80fe0030b860d45d72f3ce3f998d9c2cacece0c31a6dec505064f0e5c5a0c3b916929618e5ed5fd35864ba

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\da385fca-74d6-4193-8c67-3e578d22cd8a
  Filesize 671B
  MD5 9a99c5348868b687944edd56f279dcd3
  SHA1 fb1a6f82f9e955507f4a624cc7d08cd3cc374368
  SHA256 ee5ad3ace8806293ca7461edc044c894040cd62e5fa473fcb39b1e866b17866c
  SHA512 6b08380d85b8ea61e58d86af1b355bbc2d3690a14c6e5a3d3b210b4f99ff5eb60635b0ba583f322fcb41dcba81841331f9b2f8a6e93554e78322990c06511d2e

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize 1.1MB
  MD5 842039753bf41fa5e11b3a1383061a87
  SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize 116B
  MD5 2a461e9eb87fd1955cea740a3444ee7a
  SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize 372B
  MD5 bf957ad58b55f64219ab3f793e374316
  SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize 17.8MB
  MD5 daf7ef3acccab478aaa7d6dc1c60f865
  SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

- Filesize 12KB
  MD5 34af19d2de93225115980df80ba7c81f
  SHA1 e35d069b3d98ee9940a03190694d1bb37848382a
  SHA256 879a3ccad178bc0f145e3333ee7379e7ac1ea77db6018fa3d66f61d78bbf4b75
  SHA512 31daa5926c346afdd033b8a513e516361132a9d36d321bed42d4f86d9a54000160f9ae25af71e9387e7dafe7b28a4ce40a3220edfa5d744fcb7952c3cde6f733

- Filesize 16KB
  MD5 ae6e94c67fa7532929765994a5b8f501
  SHA1 a2ef7e669114d4a238fba275efe60729d2bc98d7
  SHA256 d585ce69b1ee0c930e13974c7755a1eb02f7753414478b8c5ffed041eee7cfd0
  SHA512 3c7e787c8a9492cea2fb686b5541aefdf27a7f19f6f3ced7f7ac6c2b361ddac930215a382550cf6ebf087dc40f0ab526b116408dce67c0b27f491f7d26fe32ce

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4
  Filesize 5KB
  MD5 fcd1de5d57c680b7cb4683bab6067e43
  SHA1 11726c95aa05124098865b709601ddabe1688f94
  SHA256 1f0f562a1f3f8e46f84321c61f908129ee4439f68b360773ff165addb950bbc5
  SHA512 cd39d021a022b743d4f65a8e8ccf5395f53dba700fdbbf807f04aa5431636e6c6816319d043b1824ff08220be63746dab226ab681c7a938d86f89237457c1551

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize 1.4MB
  MD5 ab72d39480bdcfabd8464d4f52d3f849
  SHA1 feb02b4991461bd1351c77d3b814a95738b3a809
  SHA256 e249c5c8a9bde846388984df76487f34f4a412dc05c267126cae91b489e1e5c2
  SHA512 00e0a85f1f5ca7e0ce639df9f120a1c852996c553306aa974bf6427ff9f415f60458f55ddcf5dc1c68a6c084f2fded2a296e527462dbe281af9f4d888c78d389