Analysis
max time kernel: 149s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-08-2024 00:41
Static task: static1
Behavioral task: behavioral1
Sample: f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
Resource: win10v2004-20240802-en
General
Target: f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
Size: 1.8MB
MD5: d27e91c1a583fbb0ad75d1ed0e071c36
SHA1: 5d0490f1a41e7db58173b22e0987a580ef4948b7
SHA256: f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634
SHA512: 55b2ba4d4acbd72e1dbcd8787d84428bf45c6907eedcc2ecf6592faec0227c760f599cffadbcdd81214037ad46d2c7668716a6b137814703c83e76b67981652d
SSDEEP: 49152:AjivmJs0NfMNRrk5FUa2bTPv03Ntfp1kC+:AjdhMNmFUa2Md5p1k
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious Access or copy of Web Browser Credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Executes dropped EXE (7 IoCs)
Processes:
pid | process
3540 | explorti.exe
5000 | 5ceef40c6c.exe
460 | d6212392b6.exe
1828 | f6119aec5c.exe
4464 | explorti.exe
6064 | explorti.exe
5424 | explorti.exe
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | explorti.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\5ceef40c6c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\5ceef40c6c.exe" | explorti.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/576-49-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/576-52-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/576-53-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
pid | process
2208 | f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
3540 | explorti.exe
4464 | explorti.exe
6064 | explorti.exe
5424 | explorti.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 5000 set thread context of 576 | 5000 | 5ceef40c6c.exe | RegAsm.exe
PID 460 set thread context of 1616 | 460 | d6212392b6.exe | RegAsm.exe
Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d6212392b6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f6119aec5c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5ceef40c6c.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid | process
2208 | f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
2208 | f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
3540 | explorti.exe
3540 | explorti.exe
4464 | explorti.exe
4464 | explorti.exe
6064 | explorti.exe
6064 | explorti.exe
5424 | explorti.exe
5424 | explorti.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3484 | firefox.exe (this row is repeated for all 7 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
pid | process
576 | RegAsm.exe (row repeated)
3484 | firefox.exe (row repeated)
The 64 IoCs consist only of these two rows, repeated.
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
pid | process
576 | RegAsm.exe (this row is repeated for all 64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
3484 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
The 64 IoCs are repetitions of the following parent/target pairs:
PID 2208 wrote to memory of 3540 | 2208 | f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe | explorti.exe
PID 3540 wrote to memory of 5000 | 3540 | explorti.exe | 5ceef40c6c.exe
PID 5000 wrote to memory of 576 | 5000 | 5ceef40c6c.exe | RegAsm.exe
PID 3540 wrote to memory of 460 | 3540 | explorti.exe | d6212392b6.exe
PID 460 wrote to memory of 1616 | 460 | d6212392b6.exe | RegAsm.exe
PID 3540 wrote to memory of 1828 | 3540 | explorti.exe | f6119aec5c.exe
PID 576 wrote to memory of 4732 | 576 | RegAsm.exe | firefox.exe
PID 4732 wrote to memory of 3484 | 4732 | firefox.exe | firefox.exe
PID 3484 wrote to memory of 2904 | 3484 | firefox.exe | firefox.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe (PID 2208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 3540)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe (PID 5000)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 576)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4732)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3484)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2904)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bcea04a-52e1-49c2-bf76-d7456733b3c5} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" gpu
            - C:\Program Files\Mozilla Firefox\firefox.exe (PID 868)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2264 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {493cf393-9661-4941-9053-14cc65e0df74} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" socket
            - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3688)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2604 -childID 1 -isForBrowser -prefsHandle 2808 -prefMapHandle 1416 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c61f757-3269-4d1e-aea0-a17a15f6ba39} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
            - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2144)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3524 -prefMapHandle 3552 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a5d717a-9bc0-4b5b-914c-2f60d63aee7a} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
            - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1036)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4460 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4468 -prefMapHandle 4520 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c037097-5b50-4ae3-9391-3dbb7c6b38b3} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" utility
              - Checks processor information in registry
            - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6040)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 3 -isForBrowser -prefsHandle 5640 -prefMapHandle 5584 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {029d0720-ce03-40b2-bc48-5e86bef5aeee} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
            - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4972)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 4 -isForBrowser -prefsHandle 5904 -prefMapHandle 5900 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1702e0aa-bb1e-49d6-8f01-9455c5d927df} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
            - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2748)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6044 -childID 5 -isForBrowser -prefsHandle 6052 -prefMapHandle 6056 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef636588-bfb7-44a8-8c2e-b42dcccab29c} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
            - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3732)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6244 -childID 6 -isForBrowser -prefsHandle 6332 -prefMapHandle 6328 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a38f64c0-e6a9-4ef0-841e-d581cff3c5ee} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
    - C:\Users\Admin\1000037002\d6212392b6.exe (PID 460)
      Command line: "C:\Users\Admin\1000037002\d6212392b6.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1616)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe (PID 1828)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 4464)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 6064)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 5424)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads