Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-08-2024 06:31
Static task: static1
Behavioral task: behavioral1
Sample: b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
Resource: win10v2004-20240802-en
General
Target: b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
Size: 1.8MB
MD5: f8348bd316750a70f9c1f56eb9d4c700
SHA1: 5166b30fc5b622863e4edb83ef13905dff6e5295
SHA256: b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b
SHA512: 1495d3e0961447ca074a61e493b14d03cdcbebfafd95ec29ad55721556a52457186801cf42597f1aa4a04400dd56ade7d151ec926301c6a0df9d55b3e25ee0ef
SSDEEP: 49152:Lj4rgB1bGh5MikKCHGvjRnK606KOeLZjgwVy1DuO:LjweJKMikclnfHtwV
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
Attributes:
  install_dir: 0d8f5eb8a7
  install_file: explorti.exe
  strings_key: 6c55a5f34bb433fbd933a168577b1838
  url_paths: /Vi9leo/index.php
Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
Attributes:
  url_path: /e2b1563c6670f193.php
Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
Attributes:
  url_path: /e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | RegAsm.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | explorti.exe
-
Executes dropped EXE 7 IoCs
Processes:
  pid | process
  5032 | explorti.exe
  4228 | e5cf423e52.exe
  2636 | a65be0d694.exe
  4444 | 13a21bf0df.exe
  5420 | explorti.exe
  5600 | explorti.exe
  2420 | explorti.exe
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e5cf423e52.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e5cf423e52.exe" | explorti.exe
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral1/memory/2328-49-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral1/memory/2328-51-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral1/memory/2328-53-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
  pid | process
  2924 | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  5032 | explorti.exe
  5420 | explorti.exe
  5600 | explorti.exe
  2420 | explorti.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description | pid | process | target process
  PID 4228 set thread context of 2328 | 4228 | e5cf423e52.exe | RegAsm.exe
  PID 2636 set thread context of 4920 | 2636 | a65be0d694.exe | RegAsm.exe
-
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\explorti.job | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 13a21bf0df.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5cf423e52.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a65be0d694.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
-
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
  pid | process
  2924 | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  2924 | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  5032 | explorti.exe
  5032 | explorti.exe
  5420 | explorti.exe
  5420 | explorti.exe
  5600 | explorti.exe
  5600 | explorti.exe
  2420 | explorti.exe
  2420 | explorti.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
  pid | process
  2328 | RegAsm.exe  (the same row is recorded for all 64 IoCs)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
  pid | process
  2328 | RegAsm.exe  (the same row is recorded for all 64 IoCs)
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
  description | pid | process | target process | times recorded
  PID 2924 wrote to memory of 5032 | 2924 | b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe | explorti.exe | 3
  PID 5032 wrote to memory of 4228 | 5032 | explorti.exe | e5cf423e52.exe | 3
  PID 4228 wrote to memory of 2328 | 4228 | e5cf423e52.exe | RegAsm.exe | 10
  PID 5032 wrote to memory of 2636 | 5032 | explorti.exe | a65be0d694.exe | 3
  PID 2636 wrote to memory of 4920 | 2636 | a65be0d694.exe | RegAsm.exe | 9
  PID 5032 wrote to memory of 4444 | 5032 | explorti.exe | 13a21bf0df.exe | 3
  PID 2328 wrote to memory of 2132 | 2328 | RegAsm.exe | firefox.exe | 2
  PID 2132 wrote to memory of 924 | 2132 | firefox.exe | firefox.exe | 11
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe"
  PID: 2924
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      PID: 5032
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe"
          PID: 4228
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              PID: 2328
              - Checks computer location settings
              - System Location Discovery: System Language Discovery
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
                  PID: 2132
                  - Suspicious use of WriteProcessMemory
                    C:\Program Files\Mozilla Firefox\firefox.exe
                      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
                      PID: 924
                      - Checks processor information in registry
                      - Modifies registry class
                        C:\Program Files\Mozilla Firefox\firefox.exe
                          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1912 -parentBuildID 20240401114208 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98f318d0-238f-4f11-b5d4-ae97eb9992a6} 924 "\\.\pipe\gecko-crash-server-pipe.924" gpu
                          PID: 2760
                        C:\Program Files\Mozilla Firefox\firefox.exe
                          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00428ba7-5044-4d01-aa7e-d9d5203989cb} 924 "\\.\pipe\gecko-crash-server-pipe.924" socket
                          PID: 2096
                        C:\Program Files\Mozilla Firefox\firefox.exe
                          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2976 -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2888 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37e94fc3-12af-44c8-99b9-79e5bd2e3065} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab
                          PID: 1384
                        C:\Program Files\Mozilla Firefox\firefox.exe
                          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2700 -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42bcaee0-3913-416d-9b03-df8c657b90fc} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab
                          PID: 3812
                        C:\Program Files\Mozilla Firefox\firefox.exe
                          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4484 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4496 -prefMapHandle 4472 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7037ef16-f0ee-4877-b9f8-4fc5f00e9135} 924 "\\.\pipe\gecko-crash-server-pipe.924" utility
                          PID: 4244
                          - Checks processor information in registry
                        C:\Program Files\Mozilla Firefox\firefox.exe
                          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5164 -childID 3 -isForBrowser -prefsHandle 5096 -prefMapHandle 5128 -prefsLen 27050 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {898692df-d495-4460-bfe0-c155904252c5} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab
                          PID: 892
                        C:\Program Files\Mozilla Firefox\firefox.exe
                          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 4 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 27050 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e514d63-fddd-451f-99b8-3957989e4c68} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab
                          PID: 2904
                        C:\Program Files\Mozilla Firefox\firefox.exe
                          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 5 -isForBrowser -prefsHandle 5144 -prefMapHandle 5136 -prefsLen 27050 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dca09e17-13f3-4b09-ac95-c43e05bf4a41} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab
                          PID: 1992
                        C:\Program Files\Mozilla Firefox\firefox.exe
                          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6000 -childID 6 -isForBrowser -prefsHandle 5940 -prefMapHandle 5908 -prefsLen 27181 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46b8dd2d-9d12-420e-a5bf-4bd745c34dd8} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab
                          PID: 5172
        C:\Users\Admin\1000037002\a65be0d694.exe
          Command line: "C:\Users\Admin\1000037002\a65be0d694.exe"
          PID: 2636
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              PID: 4920
              - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\1000038001\13a21bf0df.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\13a21bf0df.exe"
          PID: 4444
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  PID: 5420
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  PID: 5600
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  PID: 2420
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads