Analysis

max time kernel: 120s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-08-2024 13:57

Static task: static1
Behavioral task: behavioral1
Sample: ce34e695be48df08fa41d59a053cedd0N.exe
Resource: win7-20240708-en
General

Target: ce34e695be48df08fa41d59a053cedd0N.exe
Size: 1.8MB
MD5: ce34e695be48df08fa41d59a053cedd0
SHA1: ca6204856cadc3e4afbfa719144701c9eb3227f4
SHA256: 0ed0b53230753468678dee0d7f6d5566f6b26de475f62392c9a0c313d5aee82f
SHA512: df0cec22b76367bc8a34ef65abae5f8ccd79793dfb445789b0878182ba2e90a64191de6dafdb9215b094391b5df3e69a735a3eca6f184ebec219b61c28a3eccf
SSDEEP: 49152:6HEqYbLTPMfxIZhzPydHjQ98/ezfWKVIOOn:6kqSn3z6mWgWsO
Malware Config

Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
Attributes:
  install_dir: 0d8f5eb8a7
  install_file: explorti.exe
  strings_key: 6c55a5f34bb433fbd933a168577b1838
  url_paths: /Vi9leo/index.php

Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
Attributes:
  url_path: /e2b1563c6670f193.php

Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
Attributes:
  url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ce34e695be48df08fa41d59a053cedd0N.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ce34e695be48df08fa41d59a053cedd0N.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ce34e695be48df08fa41d59a053cedd0N.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | explorti.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | RegAsm.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | ce34e695be48df08fa41d59a053cedd0N.exe

Executes dropped EXE (6 IoCs)
Processes:
  pid | process
  3128 | explorti.exe
  708 | 1c117fb5cc.exe
  4232 | 2155bea9e1.exe
  3528 | f4da902613.exe
  5600 | explorti.exe
  820 | explorti.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | ce34e695be48df08fa41d59a053cedd0N.exe
  Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | explorti.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c117fb5cc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\1c117fb5cc.exe" | explorti.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral2/memory/1436-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral2/memory/1436-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral2/memory/1436-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
  pid | process
  3680 | ce34e695be48df08fa41d59a053cedd0N.exe
  3128 | explorti.exe
  5600 | explorti.exe
  820 | explorti.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 708 set thread context of 1436 | 708 | 1c117fb5cc.exe | RegAsm.exe
  PID 4232 set thread context of 4132 | 4232 | 2155bea9e1.exe | RegAsm.exe

Drops file in Windows directory (1 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\explorti.job | ce34e695be48df08fa41d59a053cedd0N.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1c117fb5cc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2155bea9e1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f4da902613.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ce34e695be48df08fa41d59a053cedd0N.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe

Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid | process
  3680 | ce34e695be48df08fa41d59a053cedd0N.exe (2 rows)
  3128 | explorti.exe (2 rows)
  5600 | explorti.exe (2 rows)
  820 | explorti.exe (2 rows)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4600 | firefox.exe (2 rows)

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (identical rows collapsed; the report lists 64 rows):
  pid | process
  3680 | ce34e695be48df08fa41d59a053cedd0N.exe
  1436 | RegAsm.exe (repeated)
  4600 | firefox.exe (repeated)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes (identical rows collapsed; the report lists 64 rows):
  pid | process
  1436 | RegAsm.exe (repeated)
  4600 | firefox.exe (repeated)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  4600 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows collapsed; the report lists 64 rows, one per write):
  description | pid | process | target process
  PID 3680 wrote to memory of 3128 | 3680 | ce34e695be48df08fa41d59a053cedd0N.exe | explorti.exe
  PID 3128 wrote to memory of 708 | 3128 | explorti.exe | 1c117fb5cc.exe
  PID 708 wrote to memory of 2440 | 708 | 1c117fb5cc.exe | RegAsm.exe
  PID 708 wrote to memory of 1436 | 708 | 1c117fb5cc.exe | RegAsm.exe
  PID 3128 wrote to memory of 4232 | 3128 | explorti.exe | 2155bea9e1.exe
  PID 4232 wrote to memory of 4132 | 4232 | 2155bea9e1.exe | RegAsm.exe
  PID 3128 wrote to memory of 3528 | 3128 | explorti.exe | f4da902613.exe
  PID 1436 wrote to memory of 1892 | 1436 | RegAsm.exe | firefox.exe
  PID 1892 wrote to memory of 4600 | 1892 | firefox.exe | firefox.exe
  PID 4600 wrote to memory of 2996 | 4600 | firefox.exe | firefox.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (the bracketed number is the depth in the tree; signatures hit by each process are listed beneath it):

[1] "C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe" (PID 3680)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" (PID 3128)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [3] "C:\Users\Admin\AppData\Local\Temp\1000036001\1c117fb5cc.exe" (PID 708)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 2440)
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 1436)
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [5] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (PID 1892)
          - Suspicious use of WriteProcessMemory
          [6] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (PID 4600)
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4d753a-6fe9-467b-b79b-8980736fadd3} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" gpu (PID 2996)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d04b8a-abd9-4cfb-814a-8d3a0c97543d} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" socket (PID 3680)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3264 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb8d2dbd-b403-459d-bbd1-45eac18c8c12} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab (PID 2380)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2616 -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e16a4628-bca0-44f7-8a1c-3a399ae8faa2} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab (PID 4192)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4912 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {253bb604-c43b-4718-b6be-84652129a253} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" utility (PID 5528)
              - Checks processor information in registry
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 3 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12cfcc55-d4dd-42a9-a30a-b4f5371c97bd} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab (PID 464)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 4 -isForBrowser -prefsHandle 5740 -prefMapHandle 5744 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5698f49-c682-41e2-b69e-4619481e2916} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab (PID 1232)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5980 -childID 5 -isForBrowser -prefsHandle 6056 -prefMapHandle 6052 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc1dad92-58f3-49d6-bf61-503169ec5f78} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab (PID 432)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6052 -childID 6 -isForBrowser -prefsHandle 5748 -prefMapHandle 5752 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65159e3b-96fd-41ef-9cd0-3dbf247aa501} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab (PID 2700)
    [3] "C:\Users\Admin\1000037002\2155bea9e1.exe" (PID 4232)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 4132)
        - System Location Discovery: System Language Discovery
    [3] "C:\Users\Admin\AppData\Local\Temp\1000038001\f4da902613.exe" (PID 3528)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 5600)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 820)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 207KB
MD5: 09e0dcce015c477013eeb41f46666de3
SHA1: 689270c3b986ce1972b41a870b496393241ec9f9
SHA256: d02e922af9d858ab006e97b50ec7df58ced54f6215293dc88f75c263bc90faa3
SHA512: af05dd50ce05474e33615173fad8c4a0abc7b9b578f7492d60eabb71a2a0399e722ed547dc134e1fe9f04fe9bc5bffa12a9c8f2737c6ff939eacc870c747258b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json
Filesize: 44KB
MD5: 49572876323f50eb5170bab7b6eeff49
SHA1: 5f7d2819117d1a0f4b8a58532bd31334d1195419
SHA256: 0661d385ce629722999d56fe632ec06e661da894900a6d875e7186dd48d7f858
SHA512: 33c7d338dd199a398f83e5064049fe5abccad4df9e42f8f3ab5c793dff5de23bc6a9a1094d31c7aff391220fb882a90a012860ef9f09870e8a334a2ed508bc20

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: 223140481e62d1a13f561405e860481c
SHA1: 056ae3544d372dba322220bcc28980947203fd3c
SHA256: fd7d4783489893945bdefe582f13c335808972a7725347ec66bd44d6af3ba699
SHA512: 7fcb0db30dc5719c065c80044739711db2fc875bea13bf5553b7c4a61f74aa585886405260bec458cd4709e2309950a7943e0c71e9770c0487704212f4e64e40

Filesize: 1.8MB
MD5: ce34e695be48df08fa41d59a053cedd0
SHA1: ca6204856cadc3e4afbfa719144701c9eb3227f4
SHA256: 0ed0b53230753468678dee0d7f6d5566f6b26de475f62392c9a0c313d5aee82f
SHA512: df0cec22b76367bc8a34ef65abae5f8ccd79793dfb445789b0878182ba2e90a64191de6dafdb9215b094391b5df3e69a735a3eca6f184ebec219b61c28a3eccf

Filesize: 1.2MB
MD5: f2a4333776f732782306983155f35001
SHA1: c006668c59bd567d36ee666aceacfd9d12d92928
SHA256: 61fd7b57bc759945368126253d18e2cfbcf226a8506d02e44c59441cf16e0221
SHA512: 798a1dc37355a7510f7e844aef7d2cac9a40d2a69479100a1ce2a5e8447b9c473afe1e0263fec972233d6c7703317eb0bf5572f1c5fd867aa1d1feebf11f002a

Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 2cad107db417965c1b04edfcd940a2ac
SHA1: e9c53f1029efb65c4ee4390d375c9837945bee51
SHA256: 14bba022bd9ba29a048196de7295272bd60b6885058e39ee72e67625fccb6687
SHA512: 4b24c899fe57654cc6cd65e78c22cac3cea55de68dcde49b9d33e1504882a02f8298211cabdebd04bd7c13739c9833bd42a648b2c67285404b5eb61f272dddfe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 21a38bd83bae72aee8a89be1564d4a9d
SHA1: e3c391a25e482aaffd55e6a899a105c9e901bb88
SHA256: 56e2d0a8dddddcfe8ad03b0b75cd3bc47dfeca1fcc3fb3eea91456e260bef475
SHA512: dba6b49054eb792d730b80038b4f1919a5d7a7911ee46813c4b70232314aec2c8fb6b682e5f68722b49cf94a83624d0ccd7bfe1b48f0239524870bdb8e1cb260

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: da98fa6ea7cc2f2808ec65e9edf89702
SHA1: 0db18a79520a8a55be7396fea99a81bfbd5af9c4
SHA256: 2218ee9f3eb55ff881522c74809e07a39347b9148b7d98ce85ed1aa91bb80d64
SHA512: 7378f1bfbd6c31199a0b64c987f9e5f64a64509db11b6b4694a8e86e0af18878cccd5274424ca3f94b75dd857111bc55cc92559c74cc597941a4f9905a79c513

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: c3ce2856fe4bfe9dfb24df046c273b6c
SHA1: 6d4d27d9b26e3d9fa27ae10b73e0127c1e150cfe
SHA256: 6dd033597a584096e861ab2bf949d6c7d7e9fb5d5ef1dcb26541d0a24204d60d
SHA512: cdc5ec41fddf892702497aeda164f6a7c2c5c2ba0ddd5c3eee3b7b7930591462a75fc93478ad2c43f42c443eb4cd844e30a0c6b958e980491f1d855c7c5e9b84

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 27c71c1f82ddb30a877870892152b7fc
SHA1: b2fe7cbea22e105b3c1d8855b74ee1e3d867ff38
SHA256: f5be057e3e1a1cf407c961c497adcf6b6b15ff678b996cf440b15c7f609bf2a6
SHA512: 0d2b5123b482ed160d7a254b46d18f0a8c4d3a7eca4d80a9864de6bb04b5b82020dda4aee400ab7ec1c4736da7e33f49df04d3f2e7125db2f1b809b10159b31b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 31e26f53841d0ca4904a9c3b8215a0f6
SHA1: 11bc748210ee80c2e2e7ee0d7560871efa4df86f
SHA256: 262ae2f60cf73096fd7f31979692c2062e48af153b58e58ae2e69ce4a9e629b1
SHA512: f24df0c7044a14a65a8b2479fa87adb12f40e7143da076831a92523f4fc56e567bce7ca95ab722f0a5653d41e9ed4d6e8831304cea794b3a68fbf5a5dadd476e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\050e4ec5-749b-4ea3-b08d-5a3a9464e12f
Filesize: 982B
MD5: 96c7c8f0679ba4cda5d06b5141e4ff8f
SHA1: 36147276a156950b8d099b465b95b3ebe7bdcd91
SHA256: 02e03a949295fd7c282f491d96392adeec1e394c7def20aa158a91a83bf942f9
SHA512: 80d0851d4e804914411f4c6bc8cf4683e184dd70e45f54bef408a04aa6b4b0ac56f212db42387fa8914cd5ec54003b30508a1549221c351c73e45657330923ff

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\1dab725a-f51d-46f1-b2e3-d643bf6f5798
Filesize: 25KB
MD5: 258534c03657d375a6678394ac9b2e11
SHA1: c7aa18f3a2d2a9d51baac65cf0e3abedbd6cd3ec
SHA256: 648637551dd990da78a4892602597d453f17cdb471d305a1121a066f60aeffa9
SHA512: 86096332cd97d75556b3bf889d92f538fdfe05335670956bb06dcf3011b3a36bec5181288e7a807f53a61c7c34a9edcf2314b9c2680eee52885799130a8378b8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\5b12b352-b884-4184-8192-2b7c6583960c
Filesize: 671B
MD5: e8d1c0af041729385eee917f57aa08a9
SHA1: 00dfae9f9a330f8b0bd98fe6d35ef40b443024da
SHA256: b01358f012068902690c4a0b0e0d28e2b33cadf9830771d31d1bc2d08b82df2e
SHA512: 7108f537f2a649be28df35c8edd93a07f751db7c4acf5879b1c586bf45672ea85357e12956be9872b16cc49d2e211b0fd53e69509f0ad994af5e21fea7a4dca3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
Filesize: 16KB
MD5: a529cebac64418784a1079e4cc672b49
SHA1: 709729bbd91a5f1b13a1a1308def5aa1f1716025
SHA256: ee3d87b9cb95f962b4450c44e5b4019452ad0fc4dcf44d789d53681babf52edc
SHA512: adaf05e3e307fb9d6cf2a1e4238d65ec6ff669156821118d1200aadfa6065f3d23671f4b527f976dbf3dbe927d0c97e0a486d02d06943f66e4307a158c396c03

Filesize: 11KB
MD5: 6df1f1f0ff85d605b33d008838e7c86c
SHA1: 229c211ca43cc104fdd64be5caed18464a6aa8c3
SHA256: f342bb43711e3a080a02442a8bdd799d64899efbc80a7e63e4338807200f2393
SHA512: ec5feee94dcab65add1461c3056ae604b554e901f35761a43b0e5c293fbe8dd09d7c481e2471d1a471568a15faf773ef77559ff9e947c9f71e15afc2659d70be

Filesize: 11KB
MD5: 441453e26cab53990a41b3afa3d5e640
SHA1: 65a3825316e81c0efa5b04c6c847588d224cf690
SHA256: 11c0c2e1153d470a038701a1a326ab3cbcd16537930efad0005f10bf8bfcdb2e
SHA512: 5224726f2d1e7db59a2f5fa0fd787faae16a5d89b4f819750cfa3d827b89f0f240decdd2f6178da1b6c6126f0a1182d18468c57cf332cfda51c70097831ba4be

Filesize: 12KB
MD5: 13408e43671ef2f6989cc12433d8907d
SHA1: bc36c77501dab565793641a7f62e0138ee187b30
SHA256: f17cc4e5c3b3a6574fde0b221b1f6338508099fb924bee175df141ad2f35877f
SHA512: edb84f737c9d5f2612d248141c33070da5ce596a1b297c1bb4c0d3ea5e2a9f07eea22d84d95e63948a020669831367b0d5fa68b9e61fb3f5c8b0b6bac0fc1fae

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.4MB
MD5: fe29af8bc51a3d99988877c1520f7d05
SHA1: 9d65bd777b141f5d45a0fac526abeb80455356c3
SHA256: 71e564bec2115aef3c22e93fcf6c1cc625938a72d8f9b29b1f4c1a95be811faa
SHA512: 21505f7c3c32673901774e1b91c3d024c2c2226ea6724e894ad904c3ccaf0fce637c5aa059607cb8e7ba77bac890fa8e210610825a5b575ab64b9ab2ab6892f3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 9.4MB
MD5: 537db2f575011c73b88117386fffdbc2
SHA1: 2acd544d939795ee962a50bf4b5dbd2ab5ad688e
SHA256: 7ad1d0ba6fcc06087c9bf53270157b6941950f9600377fde36a4bdeb2ab4cb66
SHA512: 57984d2ddbc6c472289cd9be1767763f68bf2121946dcc5f7ed10ef13666688909d80af2056f2c4415b41e75604c91e057de81655e63238f58d8016fca07317f