Analysis
max time kernel: 149s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-08-2024 11:40
Static task: static1
Behavioral task: behavioral1
Sample: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
Resource: win10v2004-20240802-en
General
Target: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
Size: 1.8MB
MD5: 8cfd11d6a5f1ba80b9f0ca53a2f35b64
SHA1: 6eb30457da8fc3b449da94b37620dc8bc8e6d884
SHA256: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b
SHA512: c452673edda6c6b02894bb92121ff230ae0167bfe7b8645145dccd33e0a1a726dbda8e6abf5e7432e75f8d49c3e2be81d454e3e34515acd5659ad64c55408de5
SSDEEP: 49152:4IEH6xME9v+EHHjcNjYsATPAhHufRGW5Phj:4Is6/92EHHjSYsA7lRGW5Phj
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
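The three extracted configs give two C2 hosts and two distinct check-in paths, which is all a network detection needs. The Python below is an added example, not part of the sandbox report and not vendor tooling: it turns the config values shown above into host and URL indicators and runs them over a few Squid-format proxy log lines constructed for the example (the client addresses, timestamps and the /unrelated-path request are made up). The names C2Config, indicator_set and match_log are the example's own.

```python
"""Build network indicators from the Amadey / Stealc configs extracted above
and match them against proxy-log lines.

Added example, not part of the sandbox report. Config values are those
shown in the report; SAMPLE_LOG is constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class C2Config:
    family: str
    c2: str                        # scheme://host exactly as extracted
    url_paths: tuple               # paths the bot requests on that host
    botnet: str = ""
    version: str = ""
    install_dir: str = ""
    install_file: str = ""

    def host(self) -> str:
        return urlsplit(self.c2).hostname

    def urls(self) -> list:
        return [self.c2.rstrip("/") + p for p in self.url_paths]


# Values copied from the "Malware Config" section of this report.
CONFIGS = [
    C2Config("amadey", "http://185.215.113.19", ("/Vi9leo/index.php",),
             botnet="0657d1", version="4.41",
             install_dir="0d8f5eb8a7", install_file="explorti.exe"),
    C2Config("stealc", "http://185.215.113.100", ("/e2b1563c6670f193.php",), botnet="nord"),
    C2Config("stealc", "http://185.215.113.100", ("/e2b1563c6670f193.php",), botnet="kora"),
]


def indicator_set(configs) -> dict:
    """Deduplicated hosts and full URLs; the two Stealc botnets share both."""
    hosts, urls = set(), set()
    for c in configs:
        hosts.add(c.host())
        urls.update(c.urls())
    return {"hosts": hosts, "urls": urls}


# Squid native access.log: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed log lines (not captured traffic): two C2 check-ins, one request
# to a C2 host on a different path, and one unrelated request.
SAMPLE_LOG = [
    "1723549230.123    120 10.0.0.5 TCP_MISS/200 512 POST http://185.215.113.19/Vi9leo/index.php - HIER_DIRECT/185.215.113.19 text/html",
    "1723549231.456     88 10.0.0.5 TCP_MISS/200 2048 POST http://185.215.113.100/e2b1563c6670f193.php - HIER_DIRECT/185.215.113.100 text/html",
    "1723549232.789     30 10.0.0.7 TCP_MISS/404 300 GET http://185.215.113.100/unrelated-path - HIER_DIRECT/185.215.113.100 text/html",
    "1723549233.000     10 10.0.0.9 TCP_MISS/200 64 GET http://example.com/ - HIER_DIRECT/198.51.100.7 text/html",
]


def match_log(lines, configs) -> list:
    """Return (client, method, url, level) for every line touching a C2.

    level is "c2-url" for an exact host+path hit and "c2-host" for any other
    request to a C2 host; the latter still deserves a look, since one Stealc
    host here is shared by two botnets.
    """
    ind = indicator_set(configs)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.hostname not in ind["hosts"]:
            continue
        exact = f"{parts.scheme}://{parts.hostname}{parts.path}" in ind["urls"]
        hits.append((m["src"], m["method"], m["url"], "c2-url" if exact else "c2-host"))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, CONFIGS):
        print(*hit)
```

Matching on the host as well as the full URL is deliberate: the report's two Stealc configs differ only in botnet name, so any traffic to 185.215.113.100 from a host that also talks to the Amadey C2 should be triaged even when the path is new.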
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe, explorti.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, explorti.exe, explorti.exe, 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
-
Executes dropped EXE 6 IoCs
Processes: explorti.exe, 4a64ccf7b9.exe, b9cfe2f0e5.exe, 648bc05d34.exe, explorti.exe, explorti.exe
pid | process
4816 | explorti.exe
1884 | 4a64ccf7b9.exe
4088 | b9cfe2f0e5.exe
580 | 648bc05d34.exe
6096 | explorti.exe
1052 | explorti.exe
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe, explorti.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | explorti.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: explorti.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\4a64ccf7b9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4a64ccf7b9.exe" | explorti.exe
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4400-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/4400-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/4400-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe, explorti.exe, explorti.exe, explorti.exe
pid | process
5088 | 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
4816 | explorti.exe
6096 | explorti.exe
1052 | explorti.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 4a64ccf7b9.exe, b9cfe2f0e5.exe
description | pid | process | target process
PID 1884 set thread context of 4400 | 1884 | 4a64ccf7b9.exe | RegAsm.exe
PID 4088 set thread context of 3200 | 4088 | b9cfe2f0e5.exe | RegAsm.exe
-
Drops file in Windows directory 1 IoCs
Processes: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 4a64ccf7b9.exe, RegAsm.exe, b9cfe2f0e5.exe, RegAsm.exe, 648bc05d34.exe, 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4a64ccf7b9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b9cfe2f0e5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 648bc05d34.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
-
Modifies registry class 1 IoCs
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe, explorti.exe, explorti.exe, explorti.exe
pid | process
5088 | 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
5088 | 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
4816 | explorti.exe
4816 | explorti.exe
6096 | explorti.exe
6096 | explorti.exe
1052 | explorti.exe
1052 | explorti.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: firefox.exe
description | pid | process
Token: SeDebugPrivilege | 5052 | firefox.exe (listed 5 times)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: RegAsm.exe, firefox.exe
pid | process
4400 | RegAsm.exe
5052 | firefox.exe
(64 entries in the original listing, all for these two processes; collapsed here)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: RegAsm.exe
pid | process
4400 | RegAsm.exe (64 entries in the original listing; collapsed here)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: firefox.exe
pid | process
5052 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe, explorti.exe, 4a64ccf7b9.exe, b9cfe2f0e5.exe, RegAsm.exe, firefox.exe, firefox.exe
description | pid | process | target process
(64 entries in the original listing, collapsed to unique writer/target pairs; every pair appears more than once)
PID 5088 wrote to memory of 4816 | 5088 | 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe | explorti.exe
PID 4816 wrote to memory of 1884 | 4816 | explorti.exe | 4a64ccf7b9.exe
PID 1884 wrote to memory of 4400 | 1884 | 4a64ccf7b9.exe | RegAsm.exe
PID 4816 wrote to memory of 4088 | 4816 | explorti.exe | b9cfe2f0e5.exe
PID 4088 wrote to memory of 2524 | 4088 | b9cfe2f0e5.exe | RegAsm.exe
PID 4088 wrote to memory of 2908 | 4088 | b9cfe2f0e5.exe | RegAsm.exe
PID 4088 wrote to memory of 3200 | 4088 | b9cfe2f0e5.exe | RegAsm.exe
PID 4816 wrote to memory of 580 | 4816 | explorti.exe | 648bc05d34.exe
PID 4400 wrote to memory of 1176 | 4400 | RegAsm.exe | firefox.exe
PID 1176 wrote to memory of 5052 | 1176 | firefox.exe | firefox.exe
PID 5052 wrote to memory of 1412 | 5052 | firefox.exe | firefox.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
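The signature tables above are the raw material a detection engineer works from. The Python below is an added example, not tooling from the sandbox vendor: it takes a subset of this report's own WriteProcessMemory, SetThreadContext and registry IoC entries (copied from the page and split one per line, with the repeated 1884 → 4400 entry shortened to four copies) and reduces them to three derived views: a parent/child process tree, SetThreadContext-plus-write pairs as process-hollowing candidates, and the registry reads grouped by evasion category. The category labels, the parent heuristic and the function names are the example's own.

```python
"""Derive a process tree, process-hollowing candidates and evasion checks
from the flattened IoC lines of this sandbox report.

Added example, not tooling from the sandbox vendor. SAMPLE_LINES is a
subset of the report's own WriteProcessMemory / SetThreadContext / registry
IoC entries, copied from the page and split one per line; the labels in
EVASION_KEYS and the parent heuristic in process_tree are the example's.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")
KEY_RE = re.compile(r"^Key (opened|value queried) (.+?) (\S+\.exe)$")

# (label, regex over the registry path); labels are this example's own.
EVASION_KEYS = [
    ("anti-vm: VirtualBox ACPI table", r"\\ACPI\\DSDT\\VBOX__$"),
    ("anti-sandbox: BIOS version strings", r"\\System\\(System|Video)BiosVersion$"),
    ("anti-sandbox: Wine", r"\\Software\\Wine$"),
    ("discovery: system language", r"\\NLS\\Language$"),
]

SAMPLE_EXE = "122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe"
SAMPLE_LINES = [
    f"PID 5088 wrote to memory of 4816 5088 {SAMPLE_EXE} explorti.exe",
    "PID 4816 wrote to memory of 1884 4816 explorti.exe 4a64ccf7b9.exe",
    "PID 1884 set thread context of 4400 1884 4a64ccf7b9.exe RegAsm.exe",
    # the report repeats this entry many times; four copies kept
    *["PID 1884 wrote to memory of 4400 1884 4a64ccf7b9.exe RegAsm.exe"] * 4,
    "PID 4816 wrote to memory of 4088 4816 explorti.exe b9cfe2f0e5.exe",
    "PID 4088 set thread context of 3200 4088 b9cfe2f0e5.exe RegAsm.exe",
    "PID 4088 wrote to memory of 3200 4088 b9cfe2f0e5.exe RegAsm.exe",
    "PID 4816 wrote to memory of 580 4816 explorti.exe 648bc05d34.exe",
    "PID 4400 wrote to memory of 1176 4400 RegAsm.exe firefox.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine explorti.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe",
]


def parse(lines):
    """Group the three IoC kinds; writes are counted per (writer, target)."""
    writes = defaultdict(int)            # (wpid, tpid, wimg, timg) -> count
    ctx, keys = set(), []
    for line in lines:
        if m := WRITE_RE.match(line):
            w, t, wi, ti = m.groups()
            writes[(int(w), int(t), wi, ti)] += 1
        elif m := CTX_RE.match(line):
            w, t, wi, ti = m.groups()
            ctx.add((int(w), int(t), wi, ti))
        elif m := KEY_RE.match(line):
            keys.append(m.groups())      # (op, path, process)
    return {"writes": dict(writes), "ctx": ctx, "keys": keys}


def hollowing_candidates(parsed):
    """SetThreadContext on another process plus writes into it is the classic
    hollowing / injection pattern; plain child creation shows writes only."""
    out = []
    for w, t, wi, ti in sorted(parsed["ctx"]):
        n = sum(c for (a, b, _, _), c in parsed["writes"].items() if (a, b) == (w, t))
        if n:
            out.append({"writer": (w, wi), "target": (t, ti), "writes": n})
    return out


def process_tree(parsed, root):
    """Indented parent/child listing. Heuristic: the first process that writes
    into a pid is taken as its parent (in this report every child first
    appears as a write target of the process that launched it)."""
    children, names = defaultdict(list), {}
    for w, t, wi, ti in parsed["writes"]:
        names.setdefault(w, wi)
        names.setdefault(t, ti)
        if t not in children[w]:
            children[w].append(t)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def evasion_by_process(parsed):
    """Map each process to the evasion / discovery categories it touched."""
    out = defaultdict(set)
    for _op, path, proc in parsed["keys"]:
        for label, pat in EVASION_KEYS:
            if re.search(pat, path):
                out[proc].add(label)
    return dict(out)


if __name__ == "__main__":
    parsed = parse(SAMPLE_LINES)
    print("\n".join(process_tree(parsed, 5088)))
    for cand in hollowing_candidates(parsed):
        print("hollowing candidate:", cand)
    for proc, labels in evasion_by_process(parsed).items():
        print(proc, sorted(labels))
```

The CentralProcessor reads by firefox.exe are parsed but deliberately left unlabelled: the report flags them under "Checks processor information in registry", but they come from the firefox.exe instance launched out of the injected RegAsm.exe rather than from the malware's own processes, and the example leaves that call to the analyst rather than folding browser behaviour into the evasion categories.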
Processes
-
C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe  (depth 1, PID 5088)
  command line: "C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe  (depth 2, PID 4816)
    command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe  (depth 3, PID 1884)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (depth 4, PID 4400)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe  (depth 5, PID 1176)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 5052)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Program Files\Mozilla Firefox\firefox.exe  (depth 7, PID 1412)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {975eadc8-f5fd-4d82-a3e6-4fe0dc0a3c89} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" gpu
            C:\Program Files\Mozilla Firefox\firefox.exe  (depth 7, PID 4688)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d590855e-1556-4711-a10a-10767eddecde} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" socket
            C:\Program Files\Mozilla Firefox\firefox.exe  (depth 7, PID 1192)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2876 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3116 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23b6db85-65cf-4f17-b587-45f6f85b1b8f} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (depth 7, PID 1184)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4080 -childID 2 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af925b83-fc6c-493a-bf22-910ada20cf0e} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (depth 7, PID 5156)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4984 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4960 -prefMapHandle 4956 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7876a455-c1ab-45ee-835b-5b0f5f961b6a} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" utility
              - Checks processor information in registry
            C:\Program Files\Mozilla Firefox\firefox.exe  (depth 7, PID 5920)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93f65dbb-ce34-4706-87d5-4b86859f841b} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (depth 7, PID 5932)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 4 -isForBrowser -prefsHandle 5792 -prefMapHandle 5788 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5df9f10-7203-406b-ba6e-6d6c47bb0bed} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (depth 7, PID 5948)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5576 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15b75db8-473e-42aa-a231-7f7be8872b31} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (depth 7, PID 4460)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6316 -childID 6 -isForBrowser -prefsHandle 6236 -prefMapHandle 5972 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d093b9e-2d47-4f3f-b2b7-32682748e521} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab
    C:\Users\Admin\1000037002\b9cfe2f0e5.exe  (depth 3, PID 4088)
      command line: "C:\Users\Admin\1000037002\b9cfe2f0e5.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (depth 4, PID 2524)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (depth 4, PID 2908)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (depth 4, PID 3200)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe  (depth 3, PID 580)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe  (depth 1, PID 6096)
  command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe  (depth 1, PID 1052)
  command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize: 206KB
MD5: 5db5a3f06b620db20b518a768af52ff0
SHA1: 627943735db2423a4e477e51a4f13d285c1c5c5b
SHA256: 5f969cdb5dd215f67b7668507b227129f1a5699bc2999d4ebf049bda5a825f52
SHA512: adda99e0edb76bc3f53b3fd56ef8c1b03fd78d410a856d96d6d673ae22156ccf6e52b4154cbb6d5ec1076b04d030cd841b311c2cdeadca867a054ce22b0e440a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json
Filesize: 41KB
MD5: 9670634ad26b5369dbe399ce80c573c1
SHA1: 4f833973367ec596efffb238b4654af8a7535a37
SHA256: a8fc7003f80ba3a3741dd218fc1d05f9f4f49c43d9bcffc8b1b813658ccf0f10
SHA512: 50df36ebdfd9ab7d9641cf49b2eaabbbcf46eb5a964066b05ab9d8c8e0eebdb93ecb26b3dc6d5648391f4edc466f26324ede92f2f7dbd3a7ab64ca16d6377d0e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: cc92536a7e57f9977777ef3f0c8ed767
SHA1: a24fa1f2710204057df5b911cc51add34efcb42b
SHA256: 3d46d44f9e9a4d5f6a5d2c47017bc95e8f2267d4a57a84c31124ae65a7e2fa12
SHA512: edbceddaa00bd1b1d8cf754280385d8222951980bfd063a630500c99f2bcabf28130f3f80fed99a5c816167abc3a82af8792e261e285458b08f22c0597bf1120
-
Filesize: 1.8MB
MD5: 8cfd11d6a5f1ba80b9f0ca53a2f35b64
SHA1: 6eb30457da8fc3b449da94b37620dc8bc8e6d884
SHA256: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b
SHA512: c452673edda6c6b02894bb92121ff230ae0167bfe7b8645145dccd33e0a1a726dbda8e6abf5e7432e75f8d49c3e2be81d454e3e34515acd5659ad64c55408de5
-
Filesize: 1.2MB
MD5: b7cb9408ec3a1dc9887d66a2486bba84
SHA1: aeb00177710bf797ced31a0b010a8479e04a1df6
SHA256: 3764af516112d1eca7d13f26f5a62c0539ece509d8ca370085f5ce5522df5975
SHA512: 363ad813ac09ee7a10b6d290e56b4301182ae1db638b5c35d08af3b3ec59deb52d22424bf9b6fe6cf86361ababd7be8a766989aad28305e3f7858b0f3285bb3f
-
Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
Filesize: 8KB
MD5: c0655ff16b56590e22aa3f04ab2215f1
SHA1: cbd3bb14f13efab6aa1c64b03e9490cdbe303264
SHA256: 02e2f85d76de8cd92f3cd6575a24b6667ffa3c4c4427d252c97025720a536d69
SHA512: 32b17fdc5275a9343ab1d0cde43f228137636817b044a4d8fa916eaf8d309fff3583f5ba078ae7f114f105a0aefc0e8274e7b290ca3866a84e8898402749d857
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 0b898f18003a503b9342096a6e911420
SHA1: 648068b2e55f18d89d79b30f32b920b16d1e36f0
SHA256: 3a7836de6f7f3d1c5eda5e40723da62da26e18e92f515ffc5b27f090a052f1d5
SHA512: 932bdfa3a8098d6e8005750b6d3fb1660c732363bc24911810c418d0ef9e7756c618c087486e1a66939137c0b8d24ae1f40b3cb487a9cf06e3a212ef16eb5bd6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: a58bb3dcdbfaadcd3e78427f89e0892e
SHA1: 904089522b10788c1cef50b45571e27f6e8c0479
SHA256: 4a9cfd2f77e1eafee4a13383d3975bd2f1ac5f2099d2f8acba9dd5c45e62b6e0
SHA512: 754c8c6aaece26c4451607edd46de4c261fe9969425ecbb7ddbde36472e4b0c2bc15d8795305858913aa1c1d04b848e0b9b63b3dc55c55dd8cd40544232cc72c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: cdd196094b4e977766815b77775156e4
SHA1: 305d6bda086811eeb498ab1ca419c613deecc6dc
SHA256: c3950d44afbb3b669803756a695de7ecc67ca932a15a7e970de6fcac0c42b5cd
SHA512: 7920ec3e058e1fd1548176e3a5ecbb266e90ff34e08a7323706ddf9f5c479a14a2ce22bb59e72c7a886d4ad58faefc09f983859823ebe6b510d85d6b4ae98997
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: b9b59101b70af6d278aff306ea53370c
SHA1: 88dd07fe5bd245fe1c0656bab4304053b5461818
SHA256: 864dd027c90d36f992b67074fcaa04376263fa30da32f46a62fe3bcc69c24a7d
SHA512: 304bc6f0cd72f31b10389835f82fab6eda3785c685b357256a688f9256ca6f02aea81080a6f9cbb05ca6036469bb5d86a49b6bfc5dd4eec1a160833b9d10f11e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\1c783b1d-4242-44b8-afa3-60532c060855
Filesize: 671B
MD5: 25c2049606c17b6a8437ba738525259d
SHA1: 7ede2c2dcdb930a8e56f209846dcb25e28e1728c
SHA256: 501a244e069a66f955bf361891dfae95bdbdf2d32605210a90a05f1c1a90095f
SHA512: fbb31177d16945dacf0d54c0f637dbe420cbfa225474af4610cd192a69fc230836476bb66a0cedff2ef2aa47094db1926a5d0671a2df6ea0bf26dac33d5c5ed8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\5c99701b-d54c-43d3-808c-c5ac1b6a782f
Filesize: 26KB
MD5: 27a66fba6cd01b1dfabafa1721f24847
SHA1: 1635d7d176d1da279c29b915ccfe1885e7db653d
SHA256: 0f20d9ddf74858f8f4c09eea7818aaf39d80d99d707c0b64b16a16c35404dbca
SHA512: fcf3a981a2a031e17eff362d985735486155033c01147db0b4b0a01b69b8c5f2804403c0bc54ec970916052cde06f699bfb619dacae4d7ce62832acdc94d23df
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\eba68137-6d06-4120-8390-bbc6dcfedaf1
Filesize: 982B
MD5: 9a4d5319a42e73e70a5c6ef0ab5c5aa2
SHA1: 646f9420c059d8f631ca5a552ae61ba9328a96f3
SHA256: 67053128a9613d3184ee8dc469a139aa0c85d51f525546d5836a62cf2aa2a3fc
SHA512: 8ebcd20ef8ae8664561ae291b83c6aa038c5427c2ee734cbf608d8878c11fef7cee921517f79500c1d4d6abe4a802c43246552937948610bc0d5cc9a8a2555c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize: 11KB
MD5: 5aac6b8817db5333c11ac8330c21e8a0
SHA1: 94604e943679876a01c40d89999127d329142754
SHA256: 123d075cc44d65db6d2357ca1c219f2150a59ade573fa2e8ae6183f6ee77e154
SHA512: 1ae698565bd3f99a3ce98302e6cbb4e947107f5f21387d6260ab71c26de5bedf03c8823501318296b68820271f49f0279f5b36e6baf4bf3b6434d13e991d9780
-
Filesize: 13KB
MD5: a956c5b836eeef1d83da70bb2b7f01bd
SHA1: 809d9d6a4b39719ae8470339c96f0fe8756ebe4e
SHA256: 1e223aba08cb20d61a573def10adccce110ca8acdba2aedaf22cd85f1751954a
SHA512: 47c54b46ea6de7fb7663d4c5095ca0b0eb9594bede57b8be4b092600b3b4aff6107a911939897b693049ebc8b02fe1a3c3773c434708686490cb6b54f10a1380
-
Filesize: 16KB
MD5: a18b74fcd5c47189a0363ee6cce56a7f
SHA1: 7b95ecb9569bcd119d855db1684a6176712770c8
SHA256: 8d4b7644e994ae2603fcf92d7c2eb52550e0770838fd89c2396029cb0c7015ea
SHA512: 3b84ad37b2edb826a261062a1443f863d3deedc027212846c8062036f28f2910d844ff4e1d323f6d3ff8a3641006e09f9c79e686c110084fbd0c12397eded4c2
-
Filesize: 10KB
MD5: 188054a4b674eedccef7e0dc011902a4
SHA1: 30d504dcc8b9688bd9d25976830fea6e81982732
SHA256: 11ab3b11b12717842c5daba83797be9431988d926cb6b05c6afa437b62514fa5
SHA512: 813f3ac78c28e42bfbc3ffa6e9edc8dc43639ca10c3aeebb1eed8d3ca76b2326765ea5bbed9e910968d96536f1635b2fdffa458a8b0cdf3e0453c420662ae06e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4
Filesize: 5KB
MD5: 2ed92d17ff23343f62ab091fb56027cd
SHA1: c460cc85131d66ebd7c68a64862be6e3423afbc0
SHA256: 6fa0b6f1054805262b121018bc01fb92d6054edce83a5fe20b31943900063c96
SHA512: 32795606419b38bd1fc81d3f848c0d481ebebf757e418a0d8756e2d522aa8558784c9c53b31cc04a43ff1be42edfcfdd5d440a4261d461c22214556d21ade479
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.4MB
MD5: fd893203c6034e106965b232867966d9
SHA1: 7dc800a3f286301d07c1e2effeec836d4dc770e8
SHA256: 3f3be488382fe8c38c773dc5f40a2f19761935b7372998a964aab478ae1ebf69
SHA512: 952550f414c0b31521d462d757673f0b68dfd664f0d5e3f7e11af4d74867b05aa54600449a102045b454c2e1c4b2b0cbfe55a921f418acbdd97ff312b50f48c4