Analysis
max time kernel: 149s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-08-2024 01:17
Static task: static1
Behavioral task: behavioral1
Sample: e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe
Resource: win10v2004-20240802-en
General
Target: e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe
Size: 1.8MB
MD5: d3d78e1c124fae22319920f6cd2519fd
SHA1: 4dc7763f9097c4f88e5ea69c05f8d591c3ff4628
SHA256: e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be
SHA512: c1ac5b72b44720b75010aa09674f35bda28a49f0c09ffaeba46e2eb911bbc3ec5976aef957e896b60e43e186a6344f96a9fde8a66da31ed033c04cb8f077ef98
SSDEEP: 24576:zny4cxyFlHVMcEqyJPjQwFueUz0BnabD9dRXZFkYPRsAC2x5BkDRKhTzIc7yQNw:D1lpiPjvCz0Bn4MoRfCuLkDRwl77
Malware Config
Extracted: amadey
  Version: 4.41
  Botnet: 0657d1
  C2: http://185.215.113.19
  install_dir: 0d8f5eb8a7
  install_file: explorti.exe
  strings_key: 6c55a5f34bb433fbd933a168577b1838
  url_paths: /Vi9leo/index.php
Extracted: stealc
  Botnet: nord
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Extracted: stealc
  Botnet: kora
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to or copy of a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe

Executes dropped EXE (6 IoCs)
Processes:
  pid | process
  4116 | explorti.exe
  820 | 8a3825124e.exe
  1544 | f3eaefc4f8.exe
  1572 | 942e9218a2.exe
  3948 | explorti.exe
  5160 | explorti.exe
Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe
  Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | explorti.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a3825124e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\8a3825124e.exe" | explorti.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral2/memory/132-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral2/memory/132-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral2/memory/132-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
  pid | process
  3696 | e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe
  4116 | explorti.exe
  3948 | explorti.exe
  5160 | explorti.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 820 set thread context of 132 | 820 | 8a3825124e.exe | RegAsm.exe
  PID 1544 set thread context of 3292 | 1544 | f3eaefc4f8.exe | RegAsm.exe

Drops file in Windows directory (1 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\explorti.job | e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f3eaefc4f8.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 942e9218a2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8a3825124e.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (each process listed twice in the report):
  pid | process
  3696 | e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe
  4116 | explorti.exe
  3948 | explorti.exe
  5160 | explorti.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (the same entry is repeated five times in the report):
  description | pid | process
  Token: SeDebugPrivilege | 4468 | firefox.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (64 entries in total, all from these two processes):
  pid | process
  132 | RegAsm.exe
  4468 | firefox.exe

Suspicious use of SendNotifyMessage (64 IoCs)
Processes (64 entries in total, all from this process):
  pid | process
  132 | RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  4468 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (64 entries in total; repeated entries for the same parent/child pair are collapsed, with the count of each):
  description | pid | process | target process | entries
  PID 3696 wrote to memory of 4116 | 3696 | e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe | explorti.exe | 3
  PID 4116 wrote to memory of 820 | 4116 | explorti.exe | 8a3825124e.exe | 3
  PID 820 wrote to memory of 132 | 820 | 8a3825124e.exe | RegAsm.exe | 10
  PID 4116 wrote to memory of 1544 | 4116 | explorti.exe | f3eaefc4f8.exe | 3
  PID 1544 wrote to memory of 3292 | 1544 | f3eaefc4f8.exe | RegAsm.exe | 9
  PID 4116 wrote to memory of 1572 | 4116 | explorti.exe | 942e9218a2.exe | 3
  PID 132 wrote to memory of 2852 | 132 | RegAsm.exe | firefox.exe | 2
  PID 2852 wrote to memory of 4468 | 2852 | firefox.exe | firefox.exe | 11
  PID 4468 wrote to memory of 5008 | 4468 | firefox.exe | firefox.exe | 20

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3696

  [depth 2] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4116

    [depth 3] C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 820

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 132

        [depth 5] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          PID: 2852

          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 4468

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc4da207-5b60-4b8c-960a-62a36885bd0f} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" gpu
              PID: 5008

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e17d7382-0f05-4cd5-8836-c3f0ed8d2d0d} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" socket
              PID: 656

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3492 -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 3352 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a62eb83-6d51-4ab6-b9f4-404f010f8e5e} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab
              PID: 2020

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2724 -childID 2 -isForBrowser -prefsHandle 3012 -prefMapHandle 3576 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2713f370-a174-4316-b8ba-84566ad2081c} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab
              PID: 1836

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4492 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8c3d8b1-904d-441b-a606-4c6b84b212f5} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" utility
              - Checks processor information in registry
              PID: 364

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5484 -prefMapHandle 4504 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {747517b2-de06-4e7e-a90a-1dd16d398553} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab
              PID: 4276

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 4 -isForBrowser -prefsHandle 5860 -prefMapHandle 5856 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdfa73ec-74f8-494b-90a6-0faeb2f221c6} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab
              PID: 1224

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6072 -childID 5 -isForBrowser -prefsHandle 5988 -prefMapHandle 5992 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a73493-c9dd-4031-a2bb-c35f79447700} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab
              PID: 3432

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6180 -childID 6 -isForBrowser -prefsHandle 6188 -prefMapHandle 6192 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08293983-4eeb-4b10-9a6f-f9ced65f0d40} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab
              PID: 3492

    [depth 3] C:\Users\Admin\1000037002\f3eaefc4f8.exe
      Command line: "C:\Users\Admin\1000037002\f3eaefc4f8.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1544

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        PID: 3292

    [depth 3] C:\Users\Admin\AppData\Local\Temp\1000038001\942e9218a2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\942e9218a2.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1572

[depth 1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 3948

[depth 1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 5160
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize: 206KB
MD5: bbe806cb79b33ffa22e8936f13aa6f2a
SHA1: 130f60ce2aa9160eb3f56178e40153c9ff0ba04c
SHA256: 8d2938ce81c0bdec367c5d8843d1c10d7ff99ff384342fbd832cdfdb301d733c
SHA512: 264534078c13bef72a571dcea5f67172938f1b18655b16e3ef629c44fb0d14a77254c3714c08171ff63254beca78c1aea5dce69a5a6757e165cd1cf212568841
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\activity-stream.discovery_stream.json
Filesize: 41KB
MD5: 2ad12b2f5aac3a6644408518ebeb21e2
SHA1: 339c0e562dda8e9be59aa0fbf70f5fb13ed35794
SHA256: 1c2d60100055e706948458ed2b7dc358e1d79b2c3945e0f6f46f39988923c5be
SHA512: 0789c5b412b28286750e7eb9d31e9b370c40f98ead1fec4d1cc26a783c465c717f5fe25f496b09e3f8f790b06c14bf1535f58c3dc9e19259742f943f075c5334
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: 1c0c09c92a94aa8cfdbf06397f8e9f24
SHA1: f9b1dc3c548d05f5138ea8f8d75479edecae6ff4
SHA256: 95e00fb40d697cd62bc58b7820180b216786a72b033a5b1a696b120c9b7c74ab
SHA512: 9fd0781624705925531a6fdfe37af15728081e6906cd8668edc6962723512b1f0ae9a745f6b3ea3b728798b61a9e12a290919c6dd6ac7e7164f1f3925b74e1be
-
Filesize: 1.8MB
MD5: d3d78e1c124fae22319920f6cd2519fd
SHA1: 4dc7763f9097c4f88e5ea69c05f8d591c3ff4628
SHA256: e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be
SHA512: c1ac5b72b44720b75010aa09674f35bda28a49f0c09ffaeba46e2eb911bbc3ec5976aef957e896b60e43e186a6344f96a9fde8a66da31ed033c04cb8f077ef98
-
Filesize: 1.2MB
MD5: 5d0ffc867062f7deae37eede861b190d
SHA1: 2fea2ad5abd61031c200b0d54c0534aaf216cdd3
SHA256: 86aefa1f3bd48d3e58d04159ece977abaa54d0e1dd18eb50c1382a2838e3b793
SHA512: 8367eceb7fcfa060d9df57277d45ce8a2e479530556ebccd76331c5ffa07107482a156edfea50656b83a58f39074c8ca4d88fbb403775fb0c6231180b77370c5
-
Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin
Filesize: 7KB
MD5: 07b0d444f954dcc025a51e4eaf454c1d
SHA1: 049c877d465aab92618209aa753bc026454c9e4c
SHA256: f5bd1d2566666243f87133e37a78e7927067e1aca50c8f7bd7553e15668eda6a
SHA512: ed882c219e3b9e57f5d72dd41d551fb24d641f430dea2adc05139d80d2ac493926a81b9b43c3891e211e5cfe1b2c93465e87c475a299975506377ee0370a9793
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin
Filesize: 10KB
MD5: 42a8b63b2eefc0ba9b1bb7b7d10c9140
SHA1: e117b7c72b83baba5e721ab4a879b0dbff0c6073
SHA256: 1be036483a09cfcaf5f6e7f8f81096b5e10e7cbd991dde0c32b4064c4874e2fa
SHA512: 96de5853abbe94c5f26b13445425f35624a668ec4664646d332a9979b0f456e18c7347ec69a2a56a2be766dac762cf242ebf4bb0c9a859dc7e5049d360f8b7c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin
Filesize: 11KB
MD5: e56175bc005df6df5796f8e8d9b789e1
SHA1: 4555ed14d9ef530cf0b71cb8a8085b46b5e8e312
SHA256: 206979481461b930d46675200687403a8f5279883187af6c21c0e771ccd0b3d0
SHA512: 761aa3cda16d4b1ab4be0e3d8851f9d2b441bfd60147cd81dbec1e2e82865ba974ba542e9eb1b99ffc8c86e6772f578441c067560ccdd91754774868c73c300b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 21KB
MD5: c906deac29733e62048eff4c079e88a5
SHA1: 6af4e4f5e38e82dfda8150f1ed3fea2fcb1c9710
SHA256: 2a8d5844302f8d61b6861e3233cac0191708cedf08649d4efc72bb570666cea6
SHA512: d9e614adc402218721092593d25700696d1363651a15a30b4681ab7d7ad64551b2f0912462489b540af00381ab80d505691a3e7e13d9d4583b8d21ef8278da07
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 22KB
MD5: 278646e175d9c62c21a533f716e05478
SHA1: ea451c80ed153db779f45de10733ab345f7d6efd
SHA256: e2b70ff6786f8a8ac0f5e9fe65a54fb332b41414dbe74960dbdf73db716bb94a
SHA512: b57e0bdc4bbd0c669ea969d9c69cc033163303c451b808238b583d87c456963ad86f512e0dbf14efec3822af60d08e512e81cbad7410a18496a48f19746b7b1a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 24KB
MD5: 077e4c901fe3984f7cfb9d35539b2841
SHA1: 4e21cbd01be9eb7506444d9657b29a3013a623c7
SHA256: f0022c5a2f68fa293f583ab5b854e715352fa399118d726cf01b2408b44f7ecd
SHA512: 6abe83754f8983e3664e5bc4c141620b9021372b2a943d6370be08df15bec4bbae6dfff6a5bf2e99874c956d2dc602448b76c83f90f8c967b44b09373a702c2c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\d6f48094-1f97-4b56-9c44-a3516470d6e2
Filesize: 659B
MD5: d880fefda0ba2cb8f8544c5a2a564d25
SHA1: 1fb93c07a504de1b4851aa4f206e41e8e8540bb7
SHA256: bf9c30d4934e6c09e7e3ea9cf55530bf6190425161e45caac26cef9a5e659aaa
SHA512: 6cf10097ea3b824f98eee617ade186a68ba70942004754054462e71873705c7383a59798e77291079dac584de6702db8db7a92da241cf4076189061d96c388f1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\df8eaa53-47f8-4a13-8fb8-973fe1de6d7d
Filesize: 982B
MD5: 74b84790335312776e11e7a526d292cc
SHA1: ba527e75bfde083044ba89be9084e598f5f09b81
SHA256: 8146bdc512ffa98709db47326ea844c67f09ddd36b32e694cbf4c83cbedd4189
SHA512: bce44f7c5ed829b6e5bad5eeee58b6270e654dfa8b5e94194fc78aeb209996ea5ecc75f310fd0b32497d4c8e39c9978c603b8369db516f868f095fef7c58bfa5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize: 12KB
MD5: 48d544c47b971fe715f1f13cd2d2b208
SHA1: 260baa15ac31e71a2b7347dcd466facc7adeb6e9
SHA256: 211d7a47f472b402c19cf5ad99d1925989f20a22be11bc8863cee9d69c037fb4
SHA512: 47ee4db694097686911dbdee5aa323ba51b710bff57cd43aa7c1a8c75380a6f195c4f7128dd8eed25bb33fd2ce4f8fd558d5ecdb8dd56e31c8203218d73546a3
-
Filesize: 16KB
MD5: 581db68b692a064fb2afbfb7132b0115
SHA1: 62e0da11a5a0a50527c95fbc6da07fcbe80d6391
SHA256: 9a3e99b56a0dba3286523727ad6b3013cd0c3e821efa87e87dc7b78f5f02a33c
SHA512: 70c5711d6ede3a393b78a9361a99f86fb54d00843e7b444cdbb2a46b0eb1441465b5d383181fdbf5f013851f3a118fa466685f2ea94141a956c6805e7cfa34ba
-
Filesize: 11KB
MD5: a8f8c51a86e49d08e1dccd58c23eadcc
SHA1: bf4b24ba5064b883ca3cf5d4e0eb6419e1e7be77
SHA256: 46b4d8fe818efc4a2902f25f13362f74f3c9487dbbfb6e8a0f195425dbc3e32a
SHA512: a548c953d4debc1d2c4b79d0da2bda6676bdfac929def7e563dfd67530f1699edcb63ad866422d313d7fb8d7d28b985e3d5b5ca91d9b46d2e980208f9e32041e
-
Filesize: 10KB
MD5: 25a87fc271e59b233bc57a0186d42a1a
SHA1: 3365b48aeba3719582eacc777675db93c7e566b8
SHA256: 6e48a3b8a979e66f3a7e9ad1c35e9b53c373c01fd223deaa549a891cec37f25f
SHA512: 280ecda138ea99b3a61d32d75285136921912e449fc84c6bcfa79f5f3e661b4dc3d68b9a53018ee9904b2b487c8d8519995ecb4c7823cbf8834b456b29e303ab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.4MB
MD5: aaa94c2ca484c4519367b35dc288259f
SHA1: b7a5318441826ed9f457304e919c81a059047a07
SHA256: 0c091f5e5d1b624a449f3cc0171544b54269f357dc24ebee0c09ddabcfd191cc
SHA512: a60f430684453a94a8ed445556d3be4a62bf77aec5422131f5397f735fa4163f13467519973305e5b303ef60713140a9e2f62048760a3becd5ae2fbe6142cdad