Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
14-08-2024 10:02
Static task
static1
Behavioral task
behavioral1
Sample
9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe
Resource
win10v2004-20240802-en
General
-
Target
9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe
-
Size
1.8MB
-
MD5
8f051507449e73b6415351694009fb14
-
SHA1
44beb908fb82d6eafd3050544695b6ffde58c50c
-
SHA256
9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf
-
SHA512
d8b4aa25dcb073a09d2ae78de0a9eb50e3ea744a65853ed61e5a6a9c6389495b1979cd9ba6f976b2c2cc4b65c588fa62a8482b3a7ffca83cff1499c1394d6a31
-
SSDEEP
49152:giC9An4RqHLNifybQPOG15yY7qtS4ai3B9moryzTVNL5:Hf4RqHgmQ2EB2B9DryzBNL5
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
explorti.exeexplorti.exe9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exe9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exee6b7eb3454.exe0ae611e92b.exeaccebe5e21.exeexplorti.exeexplorti.exepid process 4360 explorti.exe 1672 e6b7eb3454.exe 3908 0ae611e92b.exe 5392 accebe5e21.exe 912 explorti.exe 2208 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6b7eb3454.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e6b7eb3454.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/668-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/668-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/668-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exeexplorti.exeexplorti.exeexplorti.exepid process 5692 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe 4360 explorti.exe 912 explorti.exe 2208 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
e6b7eb3454.exe0ae611e92b.exedescription pid process target process PID 1672 set thread context of 668 1672 e6b7eb3454.exe RegAsm.exe PID 3908 set thread context of 3724 3908 0ae611e92b.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exedescription ioc process File created C:\Windows\Tasks\explorti.job 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RegAsm.exe0ae611e92b.exeRegAsm.exeaccebe5e21.exe9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exeexplorti.exee6b7eb3454.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0ae611e92b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language accebe5e21.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e6b7eb3454.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exeexplorti.exeexplorti.exeexplorti.exepid process 5692 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe 5692 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe 4360 explorti.exe 4360 explorti.exe 912 explorti.exe 912 explorti.exe 2208 explorti.exe 2208 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 3984 firefox.exe Token: SeDebugPrivilege 3984 firefox.exe Token: SeDebugPrivilege 3984 firefox.exe Token: SeDebugPrivilege 3984 firefox.exe Token: SeDebugPrivilege 3984 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 668 RegAsm.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 3984 firefox.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exepid process 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe 668 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 3984 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exeexplorti.exee6b7eb3454.exe0ae611e92b.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 5692 wrote to memory of 4360 5692 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe explorti.exe PID 5692 wrote to memory of 4360 5692 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe explorti.exe PID 5692 wrote to memory of 4360 5692 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe explorti.exe PID 4360 wrote to memory of 1672 4360 explorti.exe e6b7eb3454.exe PID 4360 wrote to memory of 1672 4360 explorti.exe e6b7eb3454.exe PID 4360 wrote to memory of 1672 4360 explorti.exe e6b7eb3454.exe PID 1672 wrote to memory of 668 1672 e6b7eb3454.exe RegAsm.exe PID 1672 wrote to memory of 668 1672 e6b7eb3454.exe RegAsm.exe PID 1672 wrote to memory of 668 1672 e6b7eb3454.exe RegAsm.exe PID 1672 wrote to memory of 668 1672 e6b7eb3454.exe RegAsm.exe PID 1672 wrote to memory of 668 1672 e6b7eb3454.exe RegAsm.exe PID 1672 wrote to memory of 668 1672 e6b7eb3454.exe RegAsm.exe PID 1672 wrote to memory of 668 1672 e6b7eb3454.exe RegAsm.exe PID 1672 wrote to memory of 668 1672 e6b7eb3454.exe RegAsm.exe PID 1672 wrote to memory of 668 1672 e6b7eb3454.exe RegAsm.exe PID 1672 wrote to memory of 668 1672 e6b7eb3454.exe RegAsm.exe PID 4360 wrote to memory of 3908 4360 explorti.exe 0ae611e92b.exe PID 4360 wrote to memory of 3908 4360 explorti.exe 0ae611e92b.exe PID 4360 wrote to memory of 3908 4360 explorti.exe 0ae611e92b.exe PID 3908 wrote to memory of 3592 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3592 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3592 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3724 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3724 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3724 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3724 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3724 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3724 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3724 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3724 3908 0ae611e92b.exe RegAsm.exe PID 3908 wrote to memory of 3724 3908 0ae611e92b.exe RegAsm.exe PID 4360 wrote to memory of 5392 4360 explorti.exe accebe5e21.exe PID 4360 wrote to memory of 5392 4360 explorti.exe accebe5e21.exe PID 4360 wrote to memory of 5392 4360 explorti.exe accebe5e21.exe PID 668 wrote to memory of 5560 668 RegAsm.exe firefox.exe PID 668 wrote to memory of 5560 668 RegAsm.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 5560 wrote to memory of 3984 5560 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe PID 3984 wrote to memory of 2952 3984 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe"C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5692 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\1000036001\e6b7eb3454.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\e6b7eb3454.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:5560 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc32a8e1-e18a-4106-8926-55ad7d0846f8} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" gpu7⤵PID:2952
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34a55b2c-48ed-41d1-b242-016c9cf863a0} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" socket7⤵PID:1504
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 3348 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42aae668-6b91-41d8-8f6b-80c338e146c4} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab7⤵PID:1928
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 2872 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b81ac50c-0284-432f-a511-ed47bf8430cf} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab7⤵PID:4120
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4840 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24a529bc-aaba-4b7e-abf0-43a89b1d9b33} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" utility7⤵
- Checks processor information in registry
PID:5008 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -childID 3 -isForBrowser -prefsHandle 5584 -prefMapHandle 5576 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {666008de-7728-4eb5-9a0d-98f8adc04abe} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab7⤵PID:224
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 4 -isForBrowser -prefsHandle 5760 -prefMapHandle 5708 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f76aa4c2-edaa-4bd9-8184-e5bf6992d98b} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab7⤵PID:3036
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5920 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba007440-d365-4abd-ae1d-caa349536800} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab7⤵PID:236
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6408 -childID 6 -isForBrowser -prefsHandle 6356 -prefMapHandle 6212 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fbc5974-2bd4-4773-9c52-c675e91ccf13} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab7⤵PID:2092
-
C:\Users\Admin\1000037002\0ae611e92b.exe"C:\Users\Admin\1000037002\0ae611e92b.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3592
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3724 -
C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5392
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:912
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2208
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207KB
MD5fa5cd7b86d35c07d61b9251b3d6813f8
SHA1d484235241beade85f2ede79d38ba56dce5d59c7
SHA2561233bbb7a019e56b109ca8606b713aabce6262fb7ff45ea4c854f15380843a96
SHA512572d502952a422f23bf7d5f633833808d710c934df96cebe2d2fdc938cf4bf585e69ce9c492bc2aa06400eaf34e901ca7b18d9893a47dfa811ac3059023af36d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\activity-stream.discovery_stream.json
Filesize45KB
MD503feb84236085c1a652fd4877a8a3b2a
SHA1bc6b1d0e89dcc19d7b43924c2f34d2d133c657ef
SHA256c6525453fbd61b05bb83cca141542afabee1f2b36b90a4dc6ce89cb532233fa2
SHA512de6c450653aef29ea50b75d6980200287a308834643d89e5ebb8a9ed5cd0a046051f09a95999bb537634042e71be7161f5cad9a4dd79bdcc21f1fdfe8977e2b5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD565ca350bc733d972ae549c8c4946de77
SHA103e437200daf614ed3a37d61d59741536f852453
SHA25611e8b8c8691369cef09c21bfb5785f8fe9c14f7c39a25fd197b884e0ecccbe31
SHA512bcd46f6f15cc7c010464eea4c9745644e0fcd9f4b2165e27e53726079c024e091421dbea36f88fd8d9afcc2fb106b16c3bcdafdd72c568b828139d48b841a044
-
Filesize
1.8MB
MD58f051507449e73b6415351694009fb14
SHA144beb908fb82d6eafd3050544695b6ffde58c50c
SHA2569bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf
SHA512d8b4aa25dcb073a09d2ae78de0a9eb50e3ea744a65853ed61e5a6a9c6389495b1979cd9ba6f976b2c2cc4b65c588fa62a8482b3a7ffca83cff1499c1394d6a31
-
Filesize
1.2MB
MD5a97c9397775e0bf9e8270435d4a10385
SHA1fc5479bffdf093b01b116a5c11afa5d4bbddbcfd
SHA2562c84872454e51e5b18e070e7305edf9a164c9e8046d2606335bfe424c748856f
SHA512d413e31614513d900c17a9fbbc8b9ae17f87bae0047f344897bebdc1612f2e532be27c165a7675a8410f8626e070ee89e287d173a727d26334ab05168d39e8ed
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin
Filesize7KB
MD5c5d9a7929dcecbeea5ae6a8380c36401
SHA14b850b825ac2928f6d14593bd739da28c5187f95
SHA256cd243807bef42ae8063c85a2814e24b2acd581872897ee03eaefbb106cb5bbab
SHA5126d4bdcc44f6d1ea1ce65e11cf0f52d1080044040e93f5edcfc60e942a2ef8de33d148a35ff557561c6646ba4b6671f6eef4d36073b70e7c92609545530711e93
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin
Filesize10KB
MD513e4bcd73b8a906a46de2b958eae0c1b
SHA10d5c46d8036bb60fac7b0db5a6fa092a52143847
SHA25604473540d2a0da80a828723a83735372a2fce684c4dedb34e7fce8096389dd07
SHA5120d423276425a593cca00c903236eccec8be9a37f0352c621d853fc065cd7526ed4732d33f3db70072868b45ad932a2bfedb47d611f47aafe5762474511f0b1a4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5e59ff7699511b552d9f859a21a037d87
SHA196c159c149cde9b123c10453e03e315f97fc239e
SHA256022b693713d9370dc68c14e3b3a4664be16e3d03f536c0ec90b5194a962b7c6a
SHA512b343ea316d5dc2fe86850ab4854734c8101fca0a1fc2e0253e5fff77ea637a3f3d0a55a5133a8b57eeef044d005d7187167018fcd36787a31ce9d32095b54274
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD50d6936f3af52275232fc1dbc977f2d50
SHA16eb365dd09efe5c2cf73ffbc078cc4360fbe8263
SHA2561b992fb72d828a408866651ad0674b1900c7165edc61c96e5aed88cd79052e7b
SHA512b7bfed5d25373c06516ddd4fec783ac26ab5f9a6b7cc2aef123accb299e0b1e711e1bda5719221656e379c54508b7e633deb673ff23405fee6062068d58985df
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\ba5a3d2c-de6b-4b25-890b-6d4aeb79c799
Filesize26KB
MD53747f7332718c445c2f4e527e89b4e1f
SHA1125e9da8d4859d3c12a64e4d8e1270033059ef6e
SHA256c4a06f5f887be4d07f204d8934fe716b3949e1b19e64e0727c30e519fb562def
SHA512c249e81a470b9aad9691eedb1efb78f16244e15792861e71acabc0b01b0a76889c8023a89f9e7278d2e29d14f6247c1970bd51c1db194d85ccb1c9d42656e2cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\d4e8bb5a-767d-4545-842f-e8367259daaf
Filesize671B
MD50f6fc61e6b6a0d58382701e7d232fb63
SHA10c1ad65c0075cea23df394372b730015d0afbdb7
SHA2563d70f73badcfd314f4cf648297999731bafff9d36c6a59be572e17f731453338
SHA5120d871ffbd5613a440eb0d575cc8a33611ff48f5bd7f65dc19eeaf6a3aa472f08bf603bc8e94058cb3b4f8091a5c0fda511e0c0e8009e4b3c4d982ca6041c09cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\d5cb33db-2452-4ba1-96ad-26bea63daf73
Filesize982B
MD5234f2c22f4dd12bcf1c159a5dcfb9f9c
SHA1b3ab7537645ca7f5e557495d3f712780d17cd124
SHA256a6488d029c6e10e15c4ea9af2fb242bf1180bc4efc0e9d98dc1a1a00a2b034ee
SHA512f45ae8b77b7ef517e189a4625dc65266a98da2b28064808656d5f15bb3401083580d2e35065e041ef520874d235884fdcfb4c11fc8859b5ce65826cc5f11dc0d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5abf6246b2a689e202e357be55bf677ff
SHA1d4f9bf046ef3cd95c608b56f353f6e9a5ed9f3fa
SHA2562f588fe266247db8553c8bb889459ff702afdc491dcbdaa39bc0b690cbe56c28
SHA512fe05aa0e74984ccfa18aa94c69d688331d9915ae7f666077c1c16821ef1077bf7d6699e4bb782eed05e7f4f1298fd443c8d29c1be53261630dc021af86d5af8b
-
Filesize
16KB
MD5f5d80f8efd1439ebce1f5fc127fd8242
SHA121645bdaae77e8f491471a748b408f4498da9347
SHA2564a77c4a31eb1b98e32ba691d52725a6dc6df57a5b95ae5feb2b4f48f96530162
SHA512a8187b1f718c036e6d2824ac11c5fa7ca0356a18ec30826d7c5dc91d43892deb8d04193c73489e583fd68d7b1a2a0cc847322610c5d739ed8041bb87b9badb49
-
Filesize
10KB
MD5a5e7bf82284e1f6bfd18f85115ab75ab
SHA1476841880ab788f87e9322a3ad5139fe6015db8f
SHA256e945f2dda3fa9bb6db9ea7e55647634d673908e8b76717897ff9794eabe1e18c
SHA5124d2a51e7d4243cc5ac181d9c10c0e66472ffc91a672618f13b20decd3261b9a1781231c0a11dfcb476588655940aa7cddbda5c96af62b5fe03abafb2712ce1f2