Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
13-08-2024 21:07
Static task
static1
Behavioral task
behavioral1
Sample
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe
Resource
win10v2004-20240802-en
General
-
Target
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe
-
Size
1.8MB
-
MD5
e4b66dca73b9df6e615b29127344497f
-
SHA1
af8dea556b8bea1fa0abdbca3c743ebc20744288
-
SHA256
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863
-
SHA512
77b3edf2bc70da1ccb11a9b8a68c132ca2b42b1bc8a524a7ab1d883c95686adca0afa528610dda1ddce3db4c42920753fe05302b858a6d2851256069e341d83e
-
SSDEEP
49152:07TRmgI3cpdo2sjC/njuUXzHFe2T54MCidlzZs0xhNfNhthg:mTRSki2sjC/iUjHFDT54M91ZsQFhg
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exeexplorti.exe5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exe7b34e08074.exe93cf1ae337.exed88b586c75.exeexplorti.exeexplorti.exepid process 2928 explorti.exe 3396 7b34e08074.exe 3200 93cf1ae337.exe 4672 d88b586c75.exe 4724 explorti.exe 1928 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b34e08074.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\7b34e08074.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/4164-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/4164-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/4164-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeexplorti.exeexplorti.exepid process 1800 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe 2928 explorti.exe 4724 explorti.exe 1928 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
7b34e08074.exe93cf1ae337.exedescription pid process target process PID 3396 set thread context of 4164 3396 7b34e08074.exe RegAsm.exe PID 3200 set thread context of 2092 3200 93cf1ae337.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exedescription ioc process File created C:\Windows\Tasks\explorti.job 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
d88b586c75.exe5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exe7b34e08074.exeRegAsm.exe93cf1ae337.exeRegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d88b586c75.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7b34e08074.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 93cf1ae337.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeexplorti.exeexplorti.exepid process 1800 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe 1800 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe 2928 explorti.exe 2928 explorti.exe 4724 explorti.exe 4724 explorti.exe 1928 explorti.exe 1928 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2984 firefox.exe Token: SeDebugPrivilege 2984 firefox.exe Token: SeDebugPrivilege 2984 firefox.exe Token: SeDebugPrivilege 2984 firefox.exe Token: SeDebugPrivilege 2984 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 2984 firefox.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exepid process 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe 4164 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 2984 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exe7b34e08074.exe93cf1ae337.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 1800 wrote to memory of 2928 1800 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe explorti.exe PID 1800 wrote to memory of 2928 1800 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe explorti.exe PID 1800 wrote to memory of 2928 1800 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe explorti.exe PID 2928 wrote to memory of 3396 2928 explorti.exe 7b34e08074.exe PID 2928 wrote to memory of 3396 2928 explorti.exe 7b34e08074.exe PID 2928 wrote to memory of 3396 2928 explorti.exe 7b34e08074.exe PID 3396 wrote to memory of 4164 3396 7b34e08074.exe RegAsm.exe PID 3396 wrote to memory of 4164 3396 7b34e08074.exe RegAsm.exe PID 3396 wrote to memory of 4164 3396 7b34e08074.exe RegAsm.exe PID 3396 wrote to memory of 4164 3396 7b34e08074.exe RegAsm.exe PID 3396 wrote to memory of 4164 3396 7b34e08074.exe RegAsm.exe PID 3396 wrote to memory of 4164 3396 7b34e08074.exe RegAsm.exe PID 3396 wrote to memory of 4164 3396 7b34e08074.exe RegAsm.exe PID 3396 wrote to memory of 4164 3396 7b34e08074.exe RegAsm.exe PID 3396 wrote to memory of 4164 3396 7b34e08074.exe RegAsm.exe PID 3396 wrote to memory of 4164 3396 7b34e08074.exe RegAsm.exe PID 2928 wrote to memory of 3200 2928 explorti.exe 93cf1ae337.exe PID 2928 wrote to memory of 3200 2928 explorti.exe 93cf1ae337.exe PID 2928 wrote to memory of 3200 2928 explorti.exe 93cf1ae337.exe PID 3200 wrote to memory of 4748 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 4748 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 4748 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 3404 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 3404 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 3404 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 2092 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 2092 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 2092 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 2092 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 2092 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 2092 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 2092 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 2092 3200 93cf1ae337.exe RegAsm.exe PID 3200 wrote to memory of 2092 3200 93cf1ae337.exe RegAsm.exe PID 2928 wrote to memory of 4672 2928 explorti.exe d88b586c75.exe PID 2928 wrote to memory of 4672 2928 explorti.exe d88b586c75.exe PID 2928 wrote to memory of 4672 2928 explorti.exe d88b586c75.exe PID 4164 wrote to memory of 4124 4164 RegAsm.exe firefox.exe PID 4164 wrote to memory of 4124 4164 RegAsm.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 4124 wrote to memory of 2984 4124 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe PID 2984 wrote to memory of 4808 2984 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe"C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\1000036001\7b34e08074.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\7b34e08074.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27c5cb09-7ae4-464d-a976-567949739393} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" gpu7⤵PID:4808
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc0027ba-747c-4dd7-a2dd-15c8b0cd9331} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" socket7⤵PID:4084
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3340 -childID 1 -isForBrowser -prefsHandle 3328 -prefMapHandle 3324 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cb16c0d-7003-48f2-b251-c69f1177babf} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab7⤵PID:2064
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5f48c7-e7b7-4307-adfd-2b4b20a31c39} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab7⤵PID:2940
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4832 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {636f5bfc-8f31-4521-879f-809257863551} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" utility7⤵
- Checks processor information in registry
PID:3816 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -childID 3 -isForBrowser -prefsHandle 5604 -prefMapHandle 5588 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5191f53a-6880-46fc-a979-80c10fe1a41c} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab7⤵PID:5812
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3792bc18-fa79-44bd-b47a-0f3ec6a706b3} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab7⤵PID:5824
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5904 -prefMapHandle 5908 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cabeecec-f121-40d2-a9cb-d7a01a02b6d8} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab7⤵PID:5836
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6248 -childID 6 -isForBrowser -prefsHandle 6188 -prefMapHandle 5748 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b5f6f76-c985-484a-b2e6-697191e2a349} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab7⤵PID:1076
-
C:\Users\Admin\1000037002\93cf1ae337.exe"C:\Users\Admin\1000037002\93cf1ae337.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4748
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3404
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\1000038001\d88b586c75.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\d88b586c75.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4672
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4724
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1928
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207KB
MD508c4a58bbadc6ca9b4c015f6d73d682f
SHA139e3fb93c93a7518e3fac3d5b6bae8fd2d2dc072
SHA2568e6ceaf7c0ef571561f2ddadfc11ee4519b0d6fae6746e34381e393400c9fbab
SHA5126b0db9a73bcee0ea9faba522cd1c7250c0bfa307f6c32dc2ecdea8cc0303837ed7b5258a3c7f3120207b49c83d7d1cc50024e4e404db8848ee3a4b5a633672b3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json
Filesize35KB
MD52d604805e41e4e4c785468b8b51f3051
SHA1ee0a45c798d939d20e86d747b3fb2ef83359fd9f
SHA256a80dee4ce7c40ac5cfa97ed55f46a82d16ef7395d4a8652afa1a48e969830863
SHA5126da04f42b5d612e06d06969507eb0a8ed2fd57ef6c2bea3bfdfd9df883b0736a73d05d8e42c07770c76bedfb3a64570d6f1443acd223f1fec446690f387df10e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD56f37804e0ab462d1139429c35c20d90e
SHA145e3112d6c17762d2f4f62a951c26eb7308a0032
SHA2562048b39d7e14ff969f9d866dbc032c6c5bc34c24307f1072772426492260dbb8
SHA512e7bbfb8b40797b4fdadbd950f74b4a5213dcd13a2348158ddd838c5653d0c0219b154817deafb9b6276bd70d3fdd608f0b9bf03ec9ae81835bd7a999474b224c
-
Filesize
1.8MB
MD5e4b66dca73b9df6e615b29127344497f
SHA1af8dea556b8bea1fa0abdbca3c743ebc20744288
SHA2565f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863
SHA51277b3edf2bc70da1ccb11a9b8a68c132ca2b42b1bc8a524a7ab1d883c95686adca0afa528610dda1ddce3db4c42920753fe05302b858a6d2851256069e341d83e
-
Filesize
1.2MB
MD5627b7e7a593c56c3952ae9ef80f5af4a
SHA17fc9bb380f9efcfd3aa42f9e7b58cdb41530c8d8
SHA256d89781341164e48965db98c8d05d83046a4d827b197c54108f0b35df9a9942be
SHA5126a1c77db5de5a7696901846a8c05f188162acc4729cb8a8e76c5a38527e104710e2dfcd38c32fce9421bf31a95e2be96e4e30e3eb2d40c81c892911e15fc05f4
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin
Filesize7KB
MD55f0dc1e08ee5bb21768363355dde363a
SHA136ced9aeb0fddc63046228b0e7dcc0ae60420b27
SHA25667141fdf413d2e4a176af9a86dc4341ed74b3619c1e51ae99cf747cf6d9214a1
SHA5128c48c23cbe490947c8d94678b0207711b785b5e6a73749d029e3063bf7b5cf082a730f85bd67a19b365360446389b74b204b1e65db8695a30d41c8a5eb66af3d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin
Filesize10KB
MD512f954baf4fd7072bbf01a2bd3f03a09
SHA12904a3ce2b24796fdac41d1c362bf73c52f53c74
SHA25632a0fc85981b31e4a5e314e1e85c731de018ce790b69a1eb865fcc6e83bcce2f
SHA512e217be21b4c39689fca7b734922143230d98e6f4ee481a5320a5b7df6b6ffda4785b2a6d604f94e15ee9aae6a3d9f11a65a9045e94a088100688a1a1c4861173
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin
Filesize16KB
MD57e70464571d23c9cc1880d9f6b8c6f53
SHA1761638ebdcd42b4a10ec3d865812f141a6c6e628
SHA256ad3b79f540cd703ac0f66ee5b2ca5bcaa5a1551309c57921007b30504c3f4d4a
SHA512bc7197fa215a4c24b4f75d28e87b6cf1ad5e77329f8455e75b9f13b74d0f24954f8916fea7e276f2a256c01b26c0a6c06ab59433735f8fc366069e8a2252d7d6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD520de6445ccab17256002a38da95d38fc
SHA1110ec6e9388c8f3a3a48647a7433c4df9752e5b9
SHA25692d12ac3d4cebf184d26ecd92eeb333ae831a55a0cfe678c59a5272d3ac4918d
SHA51295b356576bc5c6768821e7951af70cfb91abad63c6a335666cf243533f7b0fc4b0a181e4c254c65929399fdab56c9898511cabf52d537fb1148b29badd7529db
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5fece3212bfa659fe0e21923fe229d2eb
SHA1b6d4bf7b2df0f961e2cb643f2f5e1a2e89aa4c00
SHA256c279275e0ff280d37a64445f68e58c4753e7639eace23000c787f0ace6ff899b
SHA512c1ad93d87cc11b273c3e57b95827e47fc10402788f3c887ac91c6b1758c8237b3b0f6fa2ee4942700cf68519c71d1ab4e3e7754b558b204122d648b84ada509a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5992a92ebe02350a4cb49837dbd60fae3
SHA1c7f359ba6bec1b819b5bd3aac525518eadf819ba
SHA2560c42a7ce970026e7be3a818673177b64440acfbfdb55686373862ee40f98102c
SHA512e4903517840f97dc2c6c8066fd649651ddfb76aa7d68087ba10a1da9e000697a5059d9a888127b78e8f9f94cd4fbd260ca1662b3e0da00c8efae566fd3d82ccf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\9460a954-1cc0-4b82-930d-da33c10200a7
Filesize26KB
MD58f664fa475a45bbf134ea1ee02d59fad
SHA1b383f073945ef37324b59604d1fc03c19bb02bd2
SHA256ee6ed94bc2c923822e1a0515b4e9c2be00e992d7d10a9d5c8dd0c5769f85742a
SHA512844ed3977f412723d5a89bbec0e73cac1f211849ad32d93ae3896626a3f061f96973c99d727497cc88d6c8b61d543f331955b1f01012f6ac8422ad6562ddd806
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\caf438ab-e01a-4925-a54f-cf805f7a350e
Filesize671B
MD5529735bc9953f40453dfc4e5fabfe6f4
SHA174d49e2e9c77e60613e7c8a70dee75329a0042bf
SHA25631296fa5d68baa51122f6a5f4281c9700b24b51b15c67a4f480246d2da3f7c9d
SHA51288f7d1779c4f88d825570eda93a1ad5d8c78e2af5c8c8d7d3e130e4b19bbfbbc3d360b42cbeabb93844bf94257c2f1dd8ccb0f9704c88d4638044016c9997fd5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\db6cd3c6-9e42-4273-aaf0-19a8e311d157
Filesize982B
MD5456387f47cb0bff20d3da2b2750be348
SHA1e00882504145cad7d1b223b84a5f43c2aaa970e7
SHA256e9e8060342105d6dbf188f33d9f1aa8e37642fcb4dbe97537441a19cbcd8e84c
SHA512ef9474ee2caf53753827b762f34309e2915010af9c5ad3a52f2267a16b4de052028f21167a16f348a5d69f72aa8aad16a437ff4aa5eac691198a32cb8f7b7731
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5a6277c3c42a7099b0ca791115dbe3c1d
SHA1eab8aa844c8051afb7fb5975b9f5ef655f76fa86
SHA256db6fba099936fe4f9693f4da12a77c586d3f00460a3d1721f298019da5035e9f
SHA5127149a1ffde0d98170d1f7f472533507f18dea001366810ede7596e7ccf4ecb88adc370b40c9cd133eb2181f85c13df6c12ebb18f20694c5794076c1d1005f06e
-
Filesize
13KB
MD5c937a3868997cc4c8fa02127789ab437
SHA152e24789d5364175f90de8e850e8cb0a34fcb05c
SHA256ae2ce7116975ff31e7307861b2236df354003eff720a4ca3f96c377965793f4f
SHA5121b1abad5faef1f01481c1d3dc273b0a76cb014113a651c5fb82ba35ae5d08f2b99477b94048064fe5018dab7abd2626290b114975ee16becbfc7788f93642c1e
-
Filesize
11KB
MD519735a9db698961f6062ab2b8a54e9ce
SHA112936e2607a36b1ff46053ba133268f93aeb18f3
SHA2561e63f91841ca1a0a7fce469d8add5ecb14554ab2dda52e19a18ef8f922f2afe3
SHA5126c83f0c782a02e65734758a612605ba07d23c00c050eb52fe40e8c56d6c74462d9ee4e566582c7f1fa936ce09b04268b0ad3a59c1e8c64821407096ac4e29cbb
-
Filesize
10KB
MD528b65dfc7f0065ccd15d0f599d5d8f53
SHA1d37f01b5e82d999a84f084457d0b60db35b23aab
SHA25661dc86507344d986dd487c91f23cf11f8d3ed22d27beff4eec047b4a7d329441
SHA512e2102fd157d3cf9c50f0340c462303b7317386e7f6a4a8d397e341a785602c824ba9416873096e8cc78ed65e5a95164c00d6aba14f1314e538737433197cb126
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize896KB
MD5efd252a37d474cd0a9c4208291c67a3b
SHA1a0b116a291da46fd449f74b38b78fa902de733af
SHA256248c789858b0dc63a15d8c95412877f40cfc9486fa11a7be99dd633af90c7b79
SHA5121be0174a41959f7f9bc13f9a85c07bfe0b00fab05e107117a2d72335bb10bd5c01c7d9b62ad3cbdc3c917f479fe8eb951b8f2981a1bdf448c0d44b45e5148113
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.2MB
MD52000a6310f39286a14d1036ee34e31ca
SHA19f39732e8088449ff7b614fd065ff544d50ff24c
SHA2566ae86e3c0ae34b362718ea9b95050f7cb79707975297bb9813db7c2f587fd269
SHA512c2cd29e1541312a18f149a040b46c1bc744fb3b6c694b86d0b06223cc523df9d99592e6a49e69ea0cc58fb93821c07e67de5534cdeeee919f0b2ddaf382ef1d8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.4MB
MD5eafac327a1584b97e8b15b67879b5271
SHA1bf430cac8de4e39b7c36d1e21fde61c2f5f20bd6
SHA256247be9e3255ae8f9343ee2de58f0d721f007d84e12b07d909a56ddf94084c362
SHA51281d998f543b8f329fb43e17deafff9f5cca7da0daab9d56dd89750aaf68fa141e89dc3e3e1b584fb8ee05ebfce5f83c9471c4fafb31c02d74d5954ec29a338e6