Analysis
max time kernel: 150s
max time network: 148s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted: 14/08/2024, 07:06
Static task: static1
Behavioral task: behavioral1
Sample: 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Resource: win10v2004-20240802-en
General
Target: 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Size: 1.8MB
MD5: 6a8855023dca6226bcfd23ff4ba3a6c8
SHA1: aaed3742a5352026e782f0b57431773039b7afdd
SHA256: 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6
SHA512: 1b1b2f1d48ee17c73fc31523308e23f2198ffbcf0fa26680cfeb4d6bdc74aa3192afbc5c73889b24e3bd487f64cf83c49540fbfcb8c2cf195af563572ef5ad05
SSDEEP: 24576:3CpZ7HMIDGMJdMKR0t8Ag5GzQiu5/VIvxfaOUvGghrDJZ9BbwEw3HKV+Xnt:EZ71DuKRzAaKQiu/gs9eiJPBJw3Hr
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers [1 TTPs]
Malicious access to, or copying of, a web browser credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 5 IoCs]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 10 IoCs]
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Executes dropped EXE [7 IoCs]
pid | Process
780 | explorti.exe
2756 | aa630bdd3c.exe
3636 | 3990518d4e.exe
1632 | f7df2e71e0.exe
4948 | explorti.exe
3804 | explorti.exe
5536 | explorti.exe
Identifies Wine through registry keys [2 TTPs, 5 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | explorti.exe
Adds Run key to start application [2 TTPs, 1 IoCs]
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\aa630bdd3c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\aa630bdd3c.exe" | explorti.exe
AutoIT Executable [3 IoCs]
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3612-44-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/3612-48-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/3612-46-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger [5 IoCs]
pid | Process
1420 | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
780 | explorti.exe
4948 | explorti.exe
3804 | explorti.exe
5536 | explorti.exe
Suspicious use of SetThreadContext [2 IoCs]
description | pid | Process | procid_target
PID 2756 set thread context of 3612 | 2756 | aa630bdd3c.exe | 84
PID 3636 set thread context of 3272 | 3636 | 3990518d4e.exe | 88
Drops file in Windows directory [1 IoCs]
description | ioc | Process
File created | C:\Windows\Tasks\explorti.job | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery [1 TTPs, 7 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aa630bdd3c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3990518d4e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7df2e71e0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Checks processor information in registry [2 TTPs, 8 IoCs]
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies registry class [1 IoCs]
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses [10 IoCs]
pid | Process
1420 | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
1420 | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
780 | explorti.exe
780 | explorti.exe
4948 | explorti.exe
4948 | explorti.exe
3804 | explorti.exe
3804 | explorti.exe
5536 | explorti.exe
5536 | explorti.exe
Suspicious use of AdjustPrivilegeToken [5 IoCs]
description | pid | Process
Token: SeDebugPrivilege | 2268 | firefox.exe
Token: SeDebugPrivilege | 2268 | firefox.exe
Token: SeDebugPrivilege | 2268 | firefox.exe
Token: SeDebugPrivilege | 2268 | firefox.exe
Token: SeDebugPrivilege | 2268 | firefox.exe
Suspicious use of FindShellTrayWindow [64 IoCs]
Suspicious use of SendNotifyMessage [64 IoCs]
Suspicious use of SetWindowsHookEx [4 IoCs]
pid | Process
2268 | firefox.exe
2268 | firefox.exe
2268 | firefox.exe
2268 | firefox.exe
Suspicious use of WriteProcessMemory [64 IoCs]
Uses Task Scheduler COM API [1 TTPs]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path, the command line, the tree level from the original report (1 = top level) and the PID; indentation follows the tree level.

Level 1: C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe"
PID: 1420
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  PID: 780
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe"
    PID: 2756
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3612
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        PID: 2580
        - Suspicious use of WriteProcessMemory

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          PID: 2268
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1872 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b118abe-3b39-4ee9-bbda-4c9ae058f35d} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" gpu
            PID: 4588

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {257bfdfd-e136-40e2-a158-2106d30a671f} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" socket
            PID: 5020

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1524 -childID 1 -isForBrowser -prefsHandle 2804 -prefMapHandle 3040 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {834d8a2f-17b8-4fdc-9972-bb9584f858e3} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
            PID: 4780

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3496 -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7674a4fa-f35d-42ea-a854-409247fb30e3} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
            PID: 1620

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4684 -prefMapHandle 4532 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ea7d5f-4163-4e3e-9239-baae0c26ba56} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" utility
            PID: 1848
            - Checks processor information in registry

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5576 -prefMapHandle 5508 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14869bc3-d2af-4f4c-b693-a6f251bba938} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
            PID: 5700

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5576 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3868653-7684-4abc-8f62-6146c1fee0f6} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
            PID: 5744

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5852 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f8c6faa-4174-4c61-8e5e-a382b0d6598b} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
            PID: 5756

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6292 -childID 6 -isForBrowser -prefsHandle 6260 -prefMapHandle 6284 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {844bf7d7-ed28-4464-801d-967d37ccf8a7} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
            PID: 536

    Level 3: C:\Users\Admin\1000037002\3990518d4e.exe
    Command line: "C:\Users\Admin\1000037002\3990518d4e.exe"
    PID: 3636
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 1340

      Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 904

      Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3272
      - System Location Discovery: System Language Discovery

    Level 3: C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe"
    PID: 1632
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

Level 1: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID: 4948
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

Level 1: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID: 3804
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

Level 1: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID: 5536
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads