Analysis
max time kernel: 31s
max time network: 39s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 07:06
Static task: static1
Behavioral task: behavioral1
Sample: 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Resource: win10v2004-20240802-en
Errors
General
Target: 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Size: 1.8MB
MD5: 6a8855023dca6226bcfd23ff4ba3a6c8
SHA1: aaed3742a5352026e782f0b57431773039b7afdd
SHA256: 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6
SHA512: 1b1b2f1d48ee17c73fc31523308e23f2198ffbcf0fa26680cfeb4d6bdc74aa3192afbc5c73889b24e3bd487f64cf83c49540fbfcb8c2cf195af563572ef5ad05
SSDEEP: 24576:3CpZ7HMIDGMJdMKR0t8Ag5GzQiu5/VIvxfaOUvGghrDJZ9BbwEw3HKV+Xnt:EZ71DuKRzAaKQiu/gs9eiJPBJw3Hr
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of a web browser credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Executes dropped EXE (5 IoCs)
pid | Process
2000 | explorti.exe
4908 | f4dfe0e4ba.exe
1620 | 4b5c16ae16.exe
4136 | 4fb3bfd77b.exe
5656 | explorti.exe
Identifies Wine through registry keys (2 TTPs, 3 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | explorti.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f4dfe0e4ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\f4dfe0e4ba.exe" | explorti.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/740-44-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/740-46-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/740-48-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
2064 | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
2000 | explorti.exe
5656 | explorti.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4908 set thread context of 740 | 4908 | f4dfe0e4ba.exe | 94
PID 1620 set thread context of 1484 | 1620 | 4b5c16ae16.exe | 96
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\explorti.job | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f4dfe0e4ba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b5c16ae16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4fb3bfd77b.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2064 | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
2064 | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
2000 | explorti.exe
2000 | explorti.exe
5656 | explorti.exe
5656 | explorti.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4308 | firefox.exe
Token: SeDebugPrivilege | 4308 | firefox.exe
Suspicious use of FindShellTrayWindow (54 IoCs)
pid Process 2064 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 740 RegAsm.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe -
Suspicious use of SendNotifyMessage (52 IoCs)
pid Process 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 740 RegAsm.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 4308 firefox.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe 740 RegAsm.exe -
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
4308 | firefox.exe
4308 | firefox.exe
4308 | firefox.exe
4308 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (identical consecutive rows collapsed, count in parentheses)
PID 2064 wrote to memory of 2000 | 2064 | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe | 87 (x3)
PID 2000 wrote to memory of 4908 | 2000 | explorti.exe | 93 (x3)
PID 4908 wrote to memory of 740 | 4908 | f4dfe0e4ba.exe | 94 (x10)
PID 2000 wrote to memory of 1620 | 2000 | explorti.exe | 95 (x3)
PID 1620 wrote to memory of 1484 | 1620 | 4b5c16ae16.exe | 96 (x9)
PID 2000 wrote to memory of 4136 | 2000 | explorti.exe | 97 (x3)
PID 740 wrote to memory of 4332 | 740 | RegAsm.exe | 99 (x2)
PID 4332 wrote to memory of 4308 | 4332 | firefox.exe | 101 (x11)
PID 4308 wrote to memory of 4708 | 4308 | firefox.exe | 102 (x20)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth shown by indentation; each entry lists path, command line, triggered signatures and PID)

[1] C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2064

  [2] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2000

    [3] C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4908

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 740

        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Suspicious use of WriteProcessMemory
            PID: 4332

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 4308

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8159eb95-4658-4a32-8ad9-a6ecc7effa0b} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" gpu
                PID: 4708

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79cdc9bb-baa5-4b5b-9db6-94cfee1c3ad8} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" socket
                PID: 4640

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3164 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90e3a80c-ded2-4918-b3fe-548e4e699037} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                PID: 3048

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cf97e62-e790-41a4-a6f1-f7408e7ab5b4} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                PID: 3524

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4740 -prefMapHandle 4736 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11b8bf9b-9ace-469c-b22d-38a0c6983252} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" utility
                - Checks processor information in registry
                PID: 5412

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -childID 3 -isForBrowser -prefsHandle 5304 -prefMapHandle 5300 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2e3da6f-232d-419d-9231-9c8e507ef5a2} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                PID: 5728

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5216 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {837b173d-afcb-4c34-aea8-1e96d793b096} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                PID: 5740

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e0b2ed8-fef8-4c0b-98ad-e0b56033ffb5} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                PID: 5752

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 6 -isForBrowser -prefsHandle 6352 -prefMapHandle 6316 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {658923cb-6b5e-4d03-af10-e3af5969f84c} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                PID: 4124

    [3] C:\Users\Admin\1000037002\4b5c16ae16.exe
        Command line: "C:\Users\Admin\1000037002\4b5c16ae16.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1620

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - System Location Discovery: System Language Discovery
          PID: 1484

    [3] C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4136

[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 5656
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
(no path recorded)
Filesize: 207KB
MD5: 510bbbc4aaa1435c2fbaae4a72ad2055
SHA1: 8fcc653c1da4c9b641b0ee566565ae27127687ce
SHA256: cd390760087ffc9c698e75f33f6c2844e97131dbd00a894dfeee0f1b144f2222
SHA512: 4701c53d69c6000cb9759f13b31074c8ae5dea21ca09ef40a2aec2bdcf72b52ede4b7327bda398a937094e2d4074a58c8ac9d4c079ddb31ffb46a000416e1a65

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json
Filesize: 41KB
MD5: 94bcfad3d0b0311552212fc2cb10ed46
SHA1: 66519aa7be937a7f65529d1566de0f4ba5559312
SHA256: b0d39e09dc9a045e0cba8d75645a610471fdf3b28ebcc3ad308d93b138f152b4
SHA512: 8982f5d71c698b81e9b9347bb2f6154b4b8aec05fa5aea2b77fa835e664c5a5c727d0b59c99e6b5fa390a93f165441ea9f468de0c442058e46f4fa7045073109

(no path recorded)
Filesize: 1.8MB
MD5: 6a8855023dca6226bcfd23ff4ba3a6c8
SHA1: aaed3742a5352026e782f0b57431773039b7afdd
SHA256: 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6
SHA512: 1b1b2f1d48ee17c73fc31523308e23f2198ffbcf0fa26680cfeb4d6bdc74aa3192afbc5c73889b24e3bd487f64cf83c49540fbfcb8c2cf195af563572ef5ad05

(no path recorded)
Filesize: 1.2MB
MD5: 75a2d87eafbefb74dc8bab6fec16cac1
SHA1: c3decd95d7e19c4dbd1d7b9e409eeb4861c6f369
SHA256: 0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a
SHA512: 1b6c9ad97b74f639d26fd6d3af7c218f04ef08b77f6d6a67c05350c2965941472592fc6cc9c878644e686532295a20cc23d95ca5db4b62a86ec440000079c5f4

(no path recorded)
Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin
Filesize: 10KB
MD5: c7563a75b5ce328869001f1fe060709d
SHA1: ef4ff3f508e8438646db59402711124c6cdf4e20
SHA256: 63d028f77b7631fb54478a30d772e55f0dd7e6acd2389f9551d7ac9b4040eb1d
SHA512: 4501de08eb0263593747f00ceb229eb36c93df88685d74f83f61cdb391c02fb95319ab58b41a6f985e0680eac41504fba8d4cf2b0bfa6f09a20ede05bf82c93b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: ccae4068cfd53ab0ad377ef16e2e4700
SHA1: 9b3eb40c8a6e28b58e5ff198ba4bee94b6a82f7a
SHA256: f8da76e19cd59fe4c041471187180684295a1426723225214d5e5384db99a564
SHA512: 0e97dcfe863e615b55f09fe1034594d0c6aa83a47053109f9378977c3231838aada2950803a3298ebb9565c7417e022d3680ba45bb0de3e31655f1b8e1641738

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 2ddbcf412c26e10b3fc9c47b553080d3
SHA1: 037bdafc2661a8201c7065d6e2fe23253e1f7beb
SHA256: 3922a46b5844d02985bf1060e9e9bedce7a4ca0671f4d9ea660b66eb0760411f
SHA512: 8b9e3c6cc5ef3063cecaba69af4b7212836b57279d0afa5a8ac8c917c2c4ac493b6728d1be5e0aad6bafb086194991c56f55e6c21b0409dca8dc9737c865a0e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\a1819732-e64e-476b-8082-18996dba3647
Filesize: 671B
MD5: 2edb9f23bbe2ff479a766c88bebbfe40
SHA1: 9a49465508efae245ea46a65b1c6669a71a8c0bc
SHA256: 596e2dc97be11cadde91c4348ed4c20dc2163e31b9a5bca2024c58db070d96d4
SHA512: 70eeaf8851ce7f0358a3825ab5136d24bc912cb35b53b8e6c13d9d94d1d70fc869f7b5031b528e120ec0508d0ca43db211d18aa1d547eeadc252fd94953bbeec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\cc257946-ff83-4e24-a0ad-bf265b3f5f4e
Filesize: 982B
MD5: ad2deb559a2bcea8baa151b85e8a183a
SHA1: b6fe698bfeee8e74ca939b532a30d1c67c635d16
SHA256: cda261167b43645962f7513f4c62032ebb528bb89f16ed0299ffd8aa266ef3fe
SHA512: 9384b52e1e9e8e1712ef544aa133b2c3ddb07ad62f5b91e81c4cdf81441846f402f0805dc5ca7f10fee4576950b08a361a7cf160ded3199bb21e21783b75b6ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\e5a76c61-c750-41bd-a140-fddfed0e9e9b
Filesize: 26KB
MD5: a0dd8a39743a2f8cf56e638e5e1a3beb
SHA1: 56f44061ff48eaddb6187cd70af7128b43fe25b8
SHA256: 5d57731e721a42656e91e44e84a7cb8591209254acd7e9c0928ce085552b5369
SHA512: e53e74d168f5de096e6e4ec3a452a1ad4315c63c9dfd6b1f28520267da59a96da374697855cc52a42800706eaf66e0c2419e0bf6555e1fcd6319e0eb261bbc81

(no path recorded)
Filesize: 11KB
MD5: 758d969a8d03925dad87b9b422fdcced
SHA1: 4f3fdde94632c4a66721d92f23d4f00b63c5355a
SHA256: 3fc6178f7021c6958e8df76d30dc497789dfda88c7db2b0e4c3cd624e42a5fc4
SHA512: f0e29c5234793064b8f69c7f1b3ce90da4982608c9a663ffd0d02fc86032a5456814a7b5deb9cd9e932e46d268578916272ddec37c9363c4c452409c09211a2d