Analysis

max time kernel: 149s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-08-2024 21:27

Static task: static1
Behavioral task: behavioral1
Sample: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
Resource: win10v2004-20240802-en

General

Target: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
Size: 1.8MB
MD5: 16a0efa2b6695032ed7c293ac609b548
SHA1: 3c00ff7eb82cbb8439b3499f468000fd1ffaa12a
SHA256: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613
SHA512: cffae5effbf09dfed4625a28385578f1c27f6caa10f691406a3fa8eeed4d6749217d9e2ae806256aca1acbb597d37bf726bfa07901fdb64854a297a4da28ca26
SSDEEP: 49152:TMYsyaxDs9VIYKl9UPCshhDfQn69BDCh8yRRhJMKu3B:ToyaxD+V1KfUPGkASyRFo
Malware Config

Extracted: amadey
  Version: 4.41
  Botnet: 0657d1
  C2: http://185.215.113.19
  install_dir: 0d8f5eb8a7
  install_file: explorti.exe
  strings_key: 6c55a5f34bb433fbd933a168577b1838
  url_paths: /Vi9leo/index.php

Extracted: stealc
  Botnet: nord
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php

Extracted: stealc
  Botnet: kora
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php

The two Stealc configs differ only in their botnet tag; both report to the same C2 host and gate path, so a single network indicator (185.215.113.100 with /e2b1563c6670f193.php) covers both builds. The Amadey install_dir and install_file are the on-disk names the loader uses: the process tree below shows explorti.exe running from C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\.
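The extracted configs above are only useful if they are turned into something that can be run over telemetry. The following is an added example, not part of the sandbox report or of any vendor tooling: it converts the Amadey and Stealc C2 entries into (host, path) indicators and scans web-proxy log lines for them, flagging an exact host+path match at high confidence and any other request to a known C2 host at medium confidence. The C2 hosts, paths and botnet tags are copied from the Malware Config section; the proxy log lines and their five-field format (timestamp, client IP, method, URL, status) are constructed for the demo and are assumptions.

```python
"""Added example (not part of the sandbox report): turn the extracted
Amadey/Stealc configs into network indicators and scan proxy log lines.

Hosts, paths and botnet tags are copied from the report's Malware Config.
The log lines below are constructed; their format is an assumption.
"""
from urllib.parse import urlsplit

# Copied from the report's "Malware Config" section.
EXTRACTED_CONFIGS = [
    {"family": "amadey", "botnet": "0657d1",
     "c2": ["http://185.215.113.19"], "url_paths": ["/Vi9leo/index.php"]},
    {"family": "stealc", "botnet": "nord",
     "c2": ["http://185.215.113.100"], "url_paths": ["/e2b1563c6670f193.php"]},
    {"family": "stealc", "botnet": "kora",
     "c2": ["http://185.215.113.100"], "url_paths": ["/e2b1563c6670f193.php"]},
]

# Constructed sample log: timestamp, client IP, method, URL, HTTP status.
# Only the first three lines should match; line 4 reuses the Amadey path
# on an unrelated host and must not.
SAMPLE_PROXY_LOG = """\
2024-08-14T21:28:03Z 10.0.0.23 POST http://185.215.113.19/Vi9leo/index.php 200
2024-08-14T21:28:09Z 10.0.0.23 GET http://185.215.113.19/Vi9leo/plugin.bin 200
2024-08-14T21:28:15Z 10.0.0.23 POST http://185.215.113.100/e2b1563c6670f193.php 200
2024-08-14T21:28:20Z 10.0.0.41 GET http://www.example.com/Vi9leo/index.php 200
2024-08-14T21:28:31Z 10.0.0.23 GET https://accounts.google.com/ServiceLogin 200
"""


def build_indicators(configs):
    """Map (host, path) -> set of 'family/botnet' labels.

    Each C2 host is also keyed with path None so that any other request to
    that host (for example a follow-on payload fetch) is flagged at lower
    confidence.
    """
    indicators = {}
    for cfg in configs:
        label = f"{cfg['family']}/{cfg['botnet']}"
        for c2 in cfg["c2"]:
            host = urlsplit(c2).hostname
            indicators.setdefault((host, None), set()).add(label)
            for path in cfg["url_paths"]:
                indicators.setdefault((host, path), set()).add(label)
    return indicators


def match_line(line, indicators):
    """Return a hit dict for one log line, or None if it is clean."""
    fields = line.split()
    if len(fields) < 5:
        return None
    _ts, client, _method, url, _status = fields[:5]
    parsed = urlsplit(url)
    host, path = parsed.hostname, parsed.path or "/"
    exact = indicators.get((host, path))
    if exact:
        return {"client": client, "url": url, "confidence": "high",
                "families": sorted(exact)}
    host_only = indicators.get((host, None))
    if host_only:
        return {"client": client, "url": url, "confidence": "medium",
                "families": sorted(host_only)}
    return None


def scan_log(log_text, configs=EXTRACTED_CONFIGS):
    """Run every line of a proxy log through the indicator set."""
    indicators = build_indicators(configs)
    hits = (match_line(line, indicators) for line in log_text.splitlines())
    return [hit for hit in hits if hit]


def affected_clients(hits):
    """Distinct client IPs that talked to a C2; these are the hosts to triage."""
    return sorted({hit["client"] for hit in hits})


if __name__ == "__main__":
    results = scan_log(SAMPLE_PROXY_LOG)
    for hit in results:
        print(hit)
    print("clients to triage:", affected_clients(results))
```

Matching on host plus path rather than on the path alone matters here: /index.php is a common file name, and the constructed fourth log line shows that the same path on an unrelated host is correctly ignored, while any request to a known C2 host is still surfaced at medium confidence.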
Signatures

- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  Four events, one from each of 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe (PID 1836) and the three explorti.exe instances (PIDs 1176, 5760, 5232).

- Downloads MZ/PE file

- Checks BIOS information in registry (2 TTPs, 8 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key values queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  Eight events: both values are read by 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe and by each of the three explorti.exe instances.

- Executes dropped EXE (6 IoCs)
  PID 1176 explorti.exe
  PID 2144 fb3b92899b.exe
  PID 1688 47e31c7b4f.exe
  PID 1336 4684fd6485.exe
  PID 5760 explorti.exe
  PID 5232 explorti.exe

- Identifies Wine through registry keys (2 TTPs, 4 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine
  Four events, from 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe and the three explorti.exe instances.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by explorti.exe:
  \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\fb3b92899b.exe = "C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe"
  Note that the Run value points at the downloaded payload fb3b92899b.exe, not at explorti.exe itself; explorti.exe's own persistence is the explorti.job scheduled task (see "Drops file in Windows directory" below and the two top-level explorti.exe instances in the process tree).

- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched three memory dumps of PID 728 (RegAsm.exe), all covering 0x0000000000400000-0x000000000052D000:
  behavioral2/memory/728-43-0x0000000000400000-0x000000000052D000-memory.dmp
  behavioral2/memory/728-45-0x0000000000400000-0x000000000052D000-memory.dmp
  behavioral2/memory/728-47-0x0000000000400000-0x000000000052D000-memory.dmp
  The match is in RegAsm.exe's image range, not in a dropped file: the AutoIt payload exists only in the memory of the hollowed process.

- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  PID 1836 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
  PID 1176 explorti.exe
  PID 5760 explorti.exe
  PID 5232 explorti.exe

- Suspicious use of SetThreadContext (2 IoCs)
  PID 2144 fb3b92899b.exe set thread context of PID 728 RegAsm.exe
  PID 1688 47e31c7b4f.exe set thread context of PID 1952 RegAsm.exe
  Together with the WriteProcessMemory events below (10 and 9 writes into the same two targets), this is the process-hollowing pattern: a legitimate .NET Framework utility is started, its memory is overwritten, and its thread context is redirected to the injected code.

- Drops file in Windows directory (1 IoC)
  File created by 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe: C:\Windows\Tasks\explorti.job

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Seven events, from 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe (PID 1836), explorti.exe (PID 1176), fb3b92899b.exe (PID 2144), RegAsm.exe (PID 728), 47e31c7b4f.exe (PID 1688), RegAsm.exe (PID 1952) and 4684fd6485.exe (PID 1336).

- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  All eight events are from firefox.exe:
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (twice)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (twice)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature

- Modifies registry class (1 IoC)
  Key created by firefox.exe: \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Two events each from PID 1836 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe, PID 1176 explorti.exe, PID 5760 explorti.exe and PID 5232 explorti.exe.

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, five times, PID 3764 firefox.exe

- Suspicious use of FindShellTrayWindow (64 IoCs)
  64 events, all from PID 728 RegAsm.exe and PID 3764 firefox.exe.

- Suspicious use of SendNotifyMessage (64 IoCs)
  64 events, all from PID 728 RegAsm.exe.

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3764 firefox.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Cross-process writes, grouped as source -> target (number of events):
  PID 1836 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe -> PID 1176 explorti.exe (3)
  PID 1176 explorti.exe -> PID 2144 fb3b92899b.exe (3)
  PID 2144 fb3b92899b.exe -> PID 728 RegAsm.exe (10)
  PID 1176 explorti.exe -> PID 1688 47e31c7b4f.exe (3)
  PID 1688 47e31c7b4f.exe -> PID 4912 RegAsm.exe (3)
  PID 1688 47e31c7b4f.exe -> PID 1952 RegAsm.exe (9)
  PID 1176 explorti.exe -> PID 1336 4684fd6485.exe (3)
  PID 728 RegAsm.exe -> PID 4628 firefox.exe (2)
  PID 4628 firefox.exe -> PID 3764 firefox.exe (11)
  PID 3764 firefox.exe -> PID 4652 firefox.exe (17)
  Writes from a parent into a child it has just created appear for every spawn in this tree, including the Firefox chain, so the count alone is not the signal. The pairs that matter are the two RegAsm.exe targets (PIDs 728 and 1952) that also received SetThreadContext from the same source; PID 4912 RegAsm.exe received writes only and was not hollowed.

Caveat on the firefox.exe events: the processor-information queries, the _Classes key, the SeDebugPrivilege token adjustments, SetWindowsHookEx and the firefox.exe share of FindShellTrayWindow and WriteProcessMemory all come from the legitimate browser that PID 728 (RegAsm.exe) launched with the Google account password page as its argument. They are normal Firefox start-up behaviour and are not indicators on their own; the detection-worthy fact is that a .NET utility spawned the browser with that URL.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
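The SetThreadContext and WriteProcessMemory signatures above only become a finding when they are correlated: the injector must both write into the target and redirect its thread. The following is an added example, not part of the sandbox report or of any sandbox's tooling: it parses the flattened event records as they appear in the Signatures section (the record grammar "PID <src> <verb> <dst> <src> <src image> <dst image>" is read off those lines, not taken from any documentation) and flags every source/target pair that saw both a memory write and a SetThreadContext. The embedded records are a verbatim subset of the report's events (the full list has 64 write events); in the report both flagged targets are RegAsm.exe, the .NET Framework assembly registration tool, while the write-only 47e31c7b4f.exe -> RegAsm.exe (PID 4912) pair and the Firefox parent/child writes are correctly left out.

```python
"""Added example (not from the report or the sandbox): correlate
WriteProcessMemory and SetThreadContext records into process-hollowing
candidates.

The event text below is copied verbatim (as a subset) from the report's
Signatures section. The record grammar is inferred from those lines.
"""
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "kind src dst src_image dst_image")

# "PID <src> <verb> <dst> <src again> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) (\d+) (\S+) (\S+)"
)

REPORT_RECORDS = (
    "PID 2144 set thread context of 728 2144 fb3b92899b.exe RegAsm.exe "
    "PID 1688 set thread context of 1952 1688 47e31c7b4f.exe RegAsm.exe "
    "PID 1836 wrote to memory of 1176 1836 "
    "66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe explorti.exe "
    "PID 1176 wrote to memory of 2144 1176 explorti.exe fb3b92899b.exe "
    "PID 2144 wrote to memory of 728 2144 fb3b92899b.exe RegAsm.exe "
    "PID 2144 wrote to memory of 728 2144 fb3b92899b.exe RegAsm.exe "
    "PID 1688 wrote to memory of 4912 1688 47e31c7b4f.exe RegAsm.exe "
    "PID 1688 wrote to memory of 1952 1688 47e31c7b4f.exe RegAsm.exe "
    "PID 728 wrote to memory of 4628 728 RegAsm.exe firefox.exe "
    "PID 4628 wrote to memory of 3764 4628 firefox.exe firefox.exe "
    "PID 3764 wrote to memory of 4652 3764 firefox.exe firefox.exe"
)


def parse_events(text):
    """Split the run-together record text into Event tuples."""
    events = []
    for match in EVENT_RE.finditer(text):
        src, verb, dst, src_again, src_img, dst_img = match.groups()
        if src != src_again:  # malformed record: skip rather than guess
            continue
        kind = "write" if verb.startswith("wrote") else "set_context"
        events.append(Event(kind, int(src), int(dst), src_img, dst_img))
    return events


def hollowing_candidates(events):
    """One dict per (src, dst) pair that saw both a memory write and a
    SetThreadContext, i.e. the injector replaced the target's entry point.
    Sorted by injector PID for stable output."""
    writes = defaultdict(int)
    contexts = set()
    images = {}
    for e in events:
        images[e.src] = e.src_image
        images[e.dst] = e.dst_image
        if e.kind == "write":
            writes[(e.src, e.dst)] += 1
        else:
            contexts.add((e.src, e.dst))
    found = []
    for src, dst in sorted(contexts):
        if writes[(src, dst)] == 0:
            continue  # context change without a prior write: not hollowing
        found.append({"injector": images[src], "injector_pid": src,
                      "target": images[dst], "target_pid": dst,
                      "writes": writes[(src, dst)]})
    return found


def write_only_pairs(events):
    """Pairs with writes but no SetThreadContext. Ordinary parent/child
    creation (firefox.exe spawning its content processes) lands here."""
    contexts = {(e.src, e.dst) for e in events if e.kind == "set_context"}
    return sorted({(e.src, e.dst) for e in events if e.kind == "write"} - contexts)


if __name__ == "__main__":
    evs = parse_events(REPORT_RECORDS)
    for c in hollowing_candidates(evs):
        print(f"{c['injector']} ({c['injector_pid']}) hollowed "
              f"{c['target']} ({c['target_pid']}) after {c['writes']} write(s)")
    print("write-only pairs:", write_only_pairs(evs))
```

The same two-signal rule transfers to EDR telemetry that records cross-process writes and thread-context changes: require both from one source into one target before alerting, and weight the alert up when the target is a signed Windows utility such as RegAsm.exe that has no business being written to by a binary under the user's Temp directory.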
Processes

[1] C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe (PID 1836)
    Command line: "C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 1176)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe (PID 2144)
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 728)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4628)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3764)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

            [7] firefox.exe gpu process (PID 4652)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1808 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94bda5dd-d8b8-4609-9dfc-85c1d756630b} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" gpu

            [7] firefox.exe socket process (PID 1504)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68e9127f-5d10-4e4b-99dd-5d22db249de6} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" socket

            [7] firefox.exe tab process, childID 1 (PID 4844)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3388 -childID 1 -isForBrowser -prefsHandle 3380 -prefMapHandle 3376 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ed737fb-15d0-4ee2-a8ab-74426695aa05} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

            [7] firefox.exe tab process, childID 2 (PID 2272)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -childID 2 -isForBrowser -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb103bbf-c45b-4cb5-bd76-01a6442eb434} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

            [7] firefox.exe utility process (PID 472)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4376 -prefMapHandle 4452 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d615a503-eeff-43b5-a6af-22550fd3842c} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" utility
                - Checks processor information in registry

            [7] firefox.exe tab process, childID 3 (PID 5664)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 3 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86b40fb5-6d15-40c7-af1a-a4e639bf2a60} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

            [7] firefox.exe tab process, childID 4 (PID 5676)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 4 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4043d237-de51-4337-9c9c-cbffc5b56dfd} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

            [7] firefox.exe tab process, childID 5 (PID 5708)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5948 -childID 5 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef14858e-8be1-421d-a027-313ee91098a0} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

            [7] firefox.exe tab process, childID 6 (PID 4492)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 6 -isForBrowser -prefsHandle 6260 -prefMapHandle 6256 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f42319e7-c428-44a2-a971-09e8e88e0dbc} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

    [3] C:\Users\Admin\1000037002\47e31c7b4f.exe (PID 1688)
        Command line: "C:\Users\Admin\1000037002\47e31c7b4f.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4912)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          (no signatures; this instance received writes but no SetThreadContext)

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1952)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - System Location Discovery: System Language Discovery

    [3] C:\Users\Admin\AppData\Local\Temp\1000038001\4684fd6485.exe (PID 1336)
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\4684fd6485.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 5760)
    Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 5232)
    Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

Reading the tree: the sample installs itself as explorti.exe under the Amadey install_dir and that loader fetches and runs three payloads (fb3b92899b.exe, 47e31c7b4f.exe, 4684fd6485.exe). Two of them hollow RegAsm.exe, and the RegAsm.exe instance holding the AutoIt payload (PID 728) opens the victim's Firefox on the Google account password page. The two later top-level explorti.exe instances (PIDs 5760 and 5232) have no parent in the tree and are started with an unquoted command line, which is consistent with launches by the explorti.job scheduled task the sample dropped; the Firefox content processes (depth 7) are ordinary browser children and carry no malware behaviour of their own.
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads

The entries under C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\ and C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\ are written by the legitimate Firefox instance spawned during the run (cache, telemetry pings and media plugins); they are browser housekeeping, not malware drops. Entries without a path are files the report lists by hash only.

Path: (not listed)
Filesize: 330KB
MD5: 7bdc4dd6037f1f49611576c723466332
SHA1: a7cbc0ee6529f261db5d164b3e502b36d2c8bcef
SHA256: f13cdb9370460f2909bf758ffd985178fe657a4ab0ef8f40ed6931637dda4b73
SHA512: a914b56d4c2c4a8dd1f8d2a8fdd8956741e1fc98836b5845e62a4737fba0a7ad854fba341ce94034b4a4c8f665e7a61ab8f1cd5a020da19207695909322fe637

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json
Filesize: 26KB
MD5: 306992ea792d2ccc784b5b69274e387b
SHA1: a88452434b930608c4f0420affc92b6a01df4c2c
SHA256: 50a4ed572e7c72e21880cc61726350f871e8a10f88d3df4a118dd05f05edc0cc
SHA512: 75ddd5331f380079c42afd6302809d539d76b9073367d6c25a2dbe1b43d0422de204ffe76259d278179a79d3b712570e42a9a96e4f73409a2a84b062d5d89989

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: 2a20a2dc4f5d7281930b3c4b36d5d8f5
SHA1: 5fb7803a6c6b1f1709a3b3654badf26ed34bbeb7
SHA256: 6fb4d39ae5373ed78ef2ce8525bed9f0121f27048bbc6e320f69903e2478836f
SHA512: f0f7a562c5218aa7498647f40e2eff170b430d023b069003800e256bfcc3faee1e88e5c6f7c8268d9443f82f262190f5ef4093b1e9fbe15dbd66426157115379

Path: (not listed; the hashes are those of the submitted sample, see General)
Filesize: 1.8MB
MD5: 16a0efa2b6695032ed7c293ac609b548
SHA1: 3c00ff7eb82cbb8439b3499f468000fd1ffaa12a
SHA256: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613
SHA512: cffae5effbf09dfed4625a28385578f1c27f6caa10f691406a3fa8eeed4d6749217d9e2ae806256aca1acbb597d37bf726bfa07901fdb64854a297a4da28ca26

Path: (not listed)
Filesize: 1.3MB
MD5: 929e5d8768ad2142515bc380fb050012
SHA1: 857996d4d7f7d75cf8f8839c6d51c53825286017
SHA256: 2a7cb9a967e2842a517b585b92a07e0542d4a330e602b633439b71c9c386e9e1
SHA512: 446eff6fe391873573879584d89cb75f15d0b6301c0eca21736647740bdbeb109171d95fc7b13bcf89826dc2dd838bf0d12bfd7d9608b5022f1e24028703f66f

Path: (not listed)
Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

Path: (not listed)
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Path: (not listed)
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
Filesize: 10KB
MD5: 875526c400fd756ea2bbaec05d20af9e
SHA1: 15ada60924376c905b1ef04f6684414b23e6e4db
SHA256: a5764b3099ac6f7806312e3c35af3c7c94075e803f1e4b181cf36c2cdebe0d19
SHA512: a5afcfa816e381bb8bdafd8bb1b375b12336ff5ccda35749b4b033f96d589ddf19793d0cdd0cefb3bac5486e421f9ff2a2ec2b557d66eb11dc8c527f842d2932

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 4b58e591b7c6508fc68c3ef75b7c2001
SHA1: 59c3db62dd69c0439d52c3d89d751fb5f82073c5
SHA256: 982c57c37f86702ee08f7077b70b58c2385f89edfbb73663a154054d66ecc771
SHA512: 722b2250301ebb4c4f788fb5d5f6f0a9fdd637a8ee79d63769a8b9b9fb8cc21dc0c32b28f9af3f5829ad734544148a02da58c57a386a42c292a766934ba68a24

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: cebb5d170719aab66bd113dcd40930ba
SHA1: 22e5e103f9d0c2388e31b39a0a459f5818df6eb0
SHA256: ecb42b791dc2491aa29af3523405392fd9c93170cb4dd7404810c9b3c1f76ac0
SHA512: 26b4d73c722fdd38dd3ddaf994bea8bec24a1f43ef82eebb01f4a3350e6b0b0dbdfd1a609a14a27bf66ab6613e5c3389b126afbee16ad767d5db3905016c72aa

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: a11472ebf4049c254b778527b389e213
SHA1: 849a2476bd3bdcc5b37d3268808cb5494cd0d97d
SHA256: 7b8121208c6ec9108b3f7d0054471e75cd771f8de95959c951a043301dad3956
SHA512: 3bb5f4c10a05d56ffb996456109aaaeba6a364c90c8fb8ccc4f340a459d4b9b77eb69d419b04d6b490974741f890959bed7bf9a2ec9ce8b9feb034f53e742ad3

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: e940434b9c1384720a0baf6bd3929668
SHA1: 712e6562d8aee80f5b4938c932087037aceddf97
SHA256: 24ccff057435e6a100f628f5078cc59d417072ecb9148705239aeb00529f1542
SHA512: d2cc34c3f2d7af8221497d9bd69fe52d1019c6879cbbe5a4b4425a2f8342e32ac47597c00956cd9016d874522dccec798fe6747f3c7710fb1f3d940f274307eb

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: 8f669d06d1c7a4feb701510982fd1c58
SHA1: 6c5723637aa0c8082308085a0216845164aa9624
SHA256: 4a528ce23d11ce38553a5e5949f1648a650195d52bbf4b3d41a9d1b7aa455ac1
SHA512: ac47094308f8f872287a5dab8fc4da954d921206a367c93f0a722567b035da1d5a60c4d5869d36fec2271f3ee3cd8176d25f791426a748d30ebc83868db67d98

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\7a793f33-d6df-4625-93ae-4dfdf772c511
Filesize: 982B
MD5: a53c1349875020a864ccf385557a07ea
SHA1: 2e4e4fca40a85d17fddba45266e94baf47fe2f54
SHA256: 78e1e1165a6c95b2f364a7d7bac601564432c97772b911fcd22221457df3603a
SHA512: 975a93619ecdeff08e56f5c209c43ffefc92545bb35fda9d25c827844f66e7d2c207dcfff2cffa0ece73e8e5c8d5cb905a275fafb7778b51723d2cb8e6736b0a

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\c258413f-5b23-49b1-b06f-1a0440461c6a
Filesize: 27KB
MD5: e8a06bcf9525eadb72d1894f48366eda
SHA1: 233b6e4b99b373820e602890b4cb2e19cda56bc8
SHA256: 892906d83ae0270a406fcc198bcf9a428df624fac0bddfcb1168d7e26fddfde3
SHA512: 6aa8521df47cf123b773ee990bc696b3746526b3b70bb6ea967cbba8cf7ae82e2f7019cdaef1eba09e9468f18d0a9573417073f6106eadfd34b1d4a0d1f95e58

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\c877dbde-74cb-4894-8145-dc704df9f5b2
Filesize: 671B
MD5: 93f1240aafc3034cff7e9564fdbfa673
SHA1: 4e9bc650c53eb7e4cfcb364aa091274e1d5832bf
SHA256: cd2439bd1741f7604da66dc6cb809600bd2e81aeba0d0e420cc00586e47108bf
SHA512: 2303ae32ebd68f933d8a49af1811866c52f7e9cc5184d0f2cba1de45d5b83a94e7db7af8831c073cf6bdb801fe7a22154726c808db91033e18662ad709aeadab

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Path: (not listed)
Filesize: 12KB
MD5: a6975cfb658e12d5339f714cad6e7202
SHA1: 98be86ab51cefaeaf47426e5dfc83811cf845452
SHA256: f30d900c2bf8f1d64724937d1d666653f7e5b9057199e299a3fa0ce4795a8fa9
SHA512: f42ebb821c4d1b13a1b8a6543643ee467f44b6a1dc678a37ffd4489795c49180693fa9945f2901d13a9d84893d954991712fe4e514cc97baf4cacbd52fc5aa73

Path: (not listed)
Filesize: 16KB
MD5: f1900a3a31f22afc77911d20c07bb236
SHA1: a2f2acf1eab8ddcfe03527a38369748d4b6591cd
SHA256: 7517d6f7463c56dcabd2f74b9aabc178744a43c8cafce39cacf72bc888b855c0
SHA512: f42036077b9836111ed23c90e962063e856e89c57c0e0242ea6135b3a9fa784a2279e123bd28f374862cc4ecf0c489fbb788ebf611ca9e8d3bd6c6580dc3282d

Path: (not listed)
Filesize: 11KB
MD5: d9d865238589e7510901aec1451a7fcd
SHA1: 10df393c5a86774dc7728492c5d9aa69472f10e1
SHA256: 9136b3b0e789f351feac951bbb1978acbf8eb33486799ba59dec9ebbc1330a3c
SHA512: 297975272c61dce05b828f2bff92687ac8d922fdf0f3944fb162007cc97bc8c903caabfbf3e10ae36d0f9aebc004dc0f4b8d31934a63c79c12ff549a91f4d504

Path: (not listed)
Filesize: 10KB
MD5: b7bf3b99b95c576b09987aae8fa03571
SHA1: d6e2cb48c1ee2bf338de059b32d04ca685e2e33b
SHA256: 9b172588c13468ac477a5f909e0ee4425d7bef9ed604ebd765118257c45cf93b
SHA512: eab952ce72bbe9dd907b1548596eabb9f8fc0521e89a5cab854e09dbdb233484b53cabc838dc77556051cf57f9aa9093f50d828097ae001f81790c9d67d0c62e