Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
12-08-2024 00:19
Static task
static1
Behavioral task
behavioral1
Sample
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
Resource
win11-20240802-en
General
-
Target
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
-
Size
1.8MB
-
MD5
089886bf7e26432d1b8871ad0fad7a6f
-
SHA1
658b258103dfa62705e1a8d3a1cc3a0da105c9f7
-
SHA256
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e
-
SHA512
72006c3cfcbba34bfcbc8e4404eef75067ce5945529ae5802bc3b4a4790781ec032ded0ccd4c96df38f5a5a37cdc9b88b72734a6ed0abbccbb09c9ccb1b0c7e5
-
SSDEEP
49152:DYDVWg9g4L78+neMv0+mvHhK2HoIAWXPAEC7Bloj:MTga8LMbmvHhbHoIAWXPhCdlu
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exe956ba0e9e9.exe862076a506.exe2acf21079c.exeexplorti.exeexplorti.exepid process 4476 explorti.exe 4484 956ba0e9e9.exe 1796 862076a506.exe 4092 2acf21079c.exe 2216 explorti.exe 4092 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\956ba0e9e9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\956ba0e9e9.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/3408-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/3408-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/3408-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exeexplorti.exeexplorti.exeexplorti.exepid process 3420 ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe 4476 explorti.exe 2216 explorti.exe 4092 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
956ba0e9e9.exe862076a506.exedescription pid process target process PID 4484 set thread context of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 1796 set thread context of 1080 1796 862076a506.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exedescription ioc process File created C:\Windows\Tasks\explorti.job ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exeexplorti.exe956ba0e9e9.exeRegAsm.exe862076a506.exeRegAsm.exe2acf21079c.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 956ba0e9e9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862076a506.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2acf21079c.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exeexplorti.exeexplorti.exeexplorti.exepid process 3420 ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe 3420 ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe 4476 explorti.exe 4476 explorti.exe 2216 explorti.exe 2216 explorti.exe 4092 explorti.exe 4092 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 1344 firefox.exe Token: SeDebugPrivilege 1344 firefox.exe Token: SeDebugPrivilege 1344 firefox.exe Token: SeDebugPrivilege 1344 firefox.exe Token: SeDebugPrivilege 1344 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 1344 firefox.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exepid process 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe 3408 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 1344 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exeexplorti.exe956ba0e9e9.exe862076a506.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 3420 wrote to memory of 4476 3420 ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe explorti.exe PID 3420 wrote to memory of 4476 3420 ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe explorti.exe PID 3420 wrote to memory of 4476 3420 ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe explorti.exe PID 4476 wrote to memory of 4484 4476 explorti.exe 956ba0e9e9.exe PID 4476 wrote to memory of 4484 4476 explorti.exe 956ba0e9e9.exe PID 4476 wrote to memory of 4484 4476 explorti.exe 956ba0e9e9.exe PID 4484 wrote to memory of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 4484 wrote to memory of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 4484 wrote to memory of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 4484 wrote to memory of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 4484 wrote to memory of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 4484 wrote to memory of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 4484 wrote to memory of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 4484 wrote to memory of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 4484 wrote to memory of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 4484 wrote to memory of 3408 4484 956ba0e9e9.exe RegAsm.exe PID 4476 wrote to memory of 1796 4476 explorti.exe 862076a506.exe PID 4476 wrote to memory of 1796 4476 explorti.exe 862076a506.exe PID 4476 wrote to memory of 1796 4476 explorti.exe 862076a506.exe PID 1796 wrote to memory of 3848 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 3848 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 3848 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 4064 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 4064 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 4064 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 2424 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 2424 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 2424 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1008 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1008 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1008 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1080 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1080 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1080 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1080 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1080 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1080 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1080 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1080 1796 862076a506.exe RegAsm.exe PID 1796 wrote to memory of 1080 1796 862076a506.exe RegAsm.exe PID 4476 wrote to memory of 4092 4476 explorti.exe 2acf21079c.exe PID 4476 wrote to memory of 4092 4476 explorti.exe 2acf21079c.exe PID 4476 wrote to memory of 4092 4476 explorti.exe 2acf21079c.exe PID 3408 wrote to memory of 1596 3408 RegAsm.exe firefox.exe PID 3408 wrote to memory of 1596 3408 RegAsm.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1596 wrote to memory of 1344 1596 firefox.exe firefox.exe PID 1344 wrote to memory of 1668 1344 firefox.exe firefox.exe PID 1344 wrote to memory of 1668 1344 firefox.exe firefox.exe PID 1344 wrote to memory of 1668 1344 firefox.exe firefox.exe PID 1344 wrote to memory of 1668 1344 firefox.exe firefox.exe PID 1344 wrote to memory of 1668 1344 firefox.exe firefox.exe PID 1344 wrote to memory of 1668 1344 firefox.exe firefox.exe PID 1344 wrote to memory of 1668 1344 firefox.exe firefox.exe PID 1344 wrote to memory of 1668 1344 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe"C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\1000036001\956ba0e9e9.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\956ba0e9e9.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d272be49-d0a7-4c27-bb5b-c33d772f911b} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" gpu7⤵PID:1668
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58b5bcb1-e2c7-41b5-9b1a-33878b67c070} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" socket7⤵PID:1188
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3032 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3160 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b9a325c-858e-4cb5-8cfd-3eff045a9bef} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab7⤵PID:4224
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d891df1f-c586-4fa6-9ca1-487d14448944} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab7⤵PID:3104
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e780f50-0acf-4618-a85b-3d5f22ff7028} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" utility7⤵
- Checks processor information in registry
PID:2736 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5524 -prefMapHandle 4964 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9efe8be-256c-49d9-874d-cdae36239068} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab7⤵PID:1148
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7c6ad1e-de36-4baa-b53b-2a3e3d64de01} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab7⤵PID:4724
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 5 -isForBrowser -prefsHandle 5908 -prefMapHandle 5840 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52ee6c6b-4b26-40a8-86be-f7b536ce4b19} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab7⤵PID:1004
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6212 -childID 6 -isForBrowser -prefsHandle 6192 -prefMapHandle 6200 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9e95919-d9f2-44ad-b8f0-e62ca9dcac2d} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab7⤵PID:1320
-
C:\Users\Admin\1000037002\862076a506.exe"C:\Users\Admin\1000037002\862076a506.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3848
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4064
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2424
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:1008
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\1000038001\2acf21079c.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\2acf21079c.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4092
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2216
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4092
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5e826e5dda653e04af408850d34bcde30
SHA1ef68ca7be13805e1a4ce73320015567df98b07ff
SHA256bdf3491c9a75b80277746b1d6c105da79a3b5fba637236b87dd4af15af33e3b2
SHA512c2750171b88c7d138299b29341af7cd20d97c2a22f6cb82b5e7711cc28f7947ac943fbf9ba8c038f49678b1b38d6a752706242786ed627fa69db267690da3072
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json
Filesize42KB
MD52ac362a52039a5922510cdc8c9ee0276
SHA11c95973d8ac54dd3e7bd642c2e00eb7c9ab760ca
SHA25627c421c684b7f3b3fba22ce67f9d931fac4dc1542d896dcec74c0f7f397d6b27
SHA5121d99042759bf9e744d9965784cd8ddc4c225da194da650b454960f806547224d06ab71a4f2da4dc262c7546eb7702444d75bbc292cba08fa185e593eb71a84a1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD5e5a22c6f531aa155abb9ce2f72d9f2bf
SHA16e65c3e4cb8ea5040c9f415f76ef04a7b27e7fdd
SHA2560e79c60b5c0651cdd1fbe641cac40ede80ce15f4b3e9097299ba03a00d03d45e
SHA512b8d94727edca57596b6e7724c0268c67059561c53176b66e6823671e001c34c91a5ccd2b4d1fcecb53b63bd825b881a4df688995b3f509be4d58d9bafeb93537
-
Filesize
1.8MB
MD5089886bf7e26432d1b8871ad0fad7a6f
SHA1658b258103dfa62705e1a8d3a1cc3a0da105c9f7
SHA256ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e
SHA51272006c3cfcbba34bfcbc8e4404eef75067ce5945529ae5802bc3b4a4790781ec032ded0ccd4c96df38f5a5a37cdc9b88b72734a6ed0abbccbb09c9ccb1b0c7e5
-
Filesize
1.2MB
MD5b4b7887bba964f06c545500381908ba9
SHA1c8a668c954d459269b3fcf7d4f4359a5630f731c
SHA25600d63a7e31523200db556616515fdd747cdfee7788adc5a5c946f2b6bcb8e4c5
SHA512285acc9fe1b166dec1793e55c47abe5fe96d7edee670808f0b424f9bcf88d5027a9a29f74189625539c1dff9bc6cc8ca31b23df86982266f72d8bb436d55c018
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
Filesize7KB
MD511a04ffb8a56dc73459bebc8cada4a9e
SHA132e26e072658e986c449b85415da75e22c73ddfc
SHA2561c84a6f87f267431a6346f3d6b71820da4b2f27ec50f741c61df3df8bea5146d
SHA512dadfe10ea7705f7491c0d4ff8060230d45dc16edb8e616d0c7498f00a7cfa627c438574201539c260129375c457ad6a592032293a8fc10b2aacac71bcf653803
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
Filesize10KB
MD5b7171d1f303692170ed29432880f8b6f
SHA14b9e3275c949e8db3cdc699abeaee0cfb7ecb406
SHA256143ab86c08e7e1230c5e24546149242b77dfd080a5e076bb04cecc94ea1ea847
SHA512be51d0d9313735e30e73a2a832cfae3072cd1c6914d5ca9bbf95a0bbca53d52cdff50d47ec0721117229ef1c00988ac11ce06e4c3f4e259be4aeccdb57922657
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5048b0562edbb71d460867b8775dc54a3
SHA19d9868e03c19a73b882f5878aaf5a07bfbba0fd3
SHA2562f89cd7316776ab3c83f27e99341fa3f5769c24f1d8f95cca39623f3ba4270a3
SHA5125e0f8fc1f1ca8eb6b48213cc989504ebe458ea81fdd31fc1f5bcc310dfe2de628392f1b4d5d2ceafe206e74e0bd3f444a7f6c8f4406fca4f9373f8f071e98cab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5e0f9b342eacc7cadd0748ea07c1e2869
SHA108786b2778e9f7b17daca6930dc72af375968c30
SHA256928c0f0192bd68b94c90bb5f0cc4ab89378d079e68ddb3858ac7280d4febc2df
SHA51288b37a4814ccdc60bc3c2d42e0370c12c845d887452fcad2e9b59a9668127422f56f060efd62e1c53f852eb953bbd66b390d6a2a1b377894a534f238b5e579d6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD5fa71151beb808c8e158ae6eda226fa7e
SHA18d3386bbf885edfeba60a41f3cc98d96e882e28c
SHA256c926d5789236d8dd34cdebd6ba7b9bf0c1e0f1a3152ffc10d7b2476fa3b2d6b6
SHA512341bfed3eba158ef148766995ecf852c4d6b376b6ea669c1dd8a370f9c8244c4fe41d1e250ecd3061d86f26c68e972c1d7107cf187c236474de05a24be4aa32c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize36KB
MD51cda6583524728632df5d1e63084e8ca
SHA176db7dea43e03608e29dbdf29db7d8c1224d69b0
SHA25687de0b96b83ae76efeab1c207250bac583a7d277a24c343a34c9758acece8a0c
SHA5129b7e93e580312159ec1370c6c669bcf63eece27f76a69d876e769a1e1de0ca86d24a8ffbd8786d9146d14c1a45c8627780253d68da1c5b2dee97f09f22347e4e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\3651c471-30e8-4cfd-a2e8-3ffaafd4727b
Filesize982B
MD5e527c15db8c9beddf3367ced57c996bc
SHA11be2b2731e656349e622cfca33bb4894a309cac0
SHA256d592b4dc54613b4f1f51d6e5ab9a4a3c1b3a233dcb9eb7869a93122ac95ca28c
SHA512c1dcbbe98a823a258fb2574172550f71774aa06c31173f22355fd73fa0f57a5d1e9556f5f394f5ed14f87a725db9990da5d0c07d5df1ee00407798c7a4e6ec2a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\e0f51a9d-abef-4372-a7cb-6653e2d36ea1
Filesize659B
MD5ae1d8021082daf4c60f264cf54048436
SHA18a593004089b05c527240eac9bc89c61e43d6224
SHA25684e67b07aefc61638ae9625c073433290a9169af7c542e69adcc59a5cc995895
SHA5128bc04cedc99b42128ce8afbe5ad4a2a0503a6d8809325d383f50980a9c33b4a4c35046a85d9aa829d017e3a30e4f5a2948f70ca64cc41536fef7627331bf59b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD55de705aaef068cf2300e9e475e484595
SHA1299b087f8d7f568da636b04b6f5cdb77be382890
SHA256f6df3ff53e5ff4eb775c7fe9166ca5eb151ffca36945f4ce090d0dd51f1be017
SHA512d9655c51c9d8d79c01b4f6b56838a37ac6f19599ff8dd47fb8942ee8dede9921c699a8959cda351da3158bb774e777a3a7589412778a9b3e054494c5d579f911
-
Filesize
16KB
MD5ae185a0def0fcc971d93e718fb28c012
SHA19cf3f91c017fff67bfd874e0280cc4b1986055b5
SHA256d00dfb18247eb193c7894b6566f607f584894f15eb31583e153074ab1c715082
SHA51266494c764ccede73f631ba56f0df4fe03a3e8fe39b94463571da5dd3475fc600eb4b12ac59b3768f7edc16f5f903275373582efeb75181418c7c7817c6a2ca00
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.4MB
MD583e0dc026c821198609fab4ad6d1fc96
SHA10511441d74d67ae24ba0750b74026853d6a65748
SHA256d0f381a1493c5d8bf38afd240b8398be5ba2de077232f33b4d4068795018ad71
SHA512f152a457ebc338b39a11b430f522fd94916620b1d86c994fbc4fe37ff3d5174eeedc953e15f68a88fc1c764e7a2faa6e2a2943d50ef1f79181e889d18bac7d5c