Analysis

max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15-08-2024 14:37

Static task: static1
Behavioral task: behavioral1
Sample: 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
Resource: win10v2004-20240802-en
General

Target: 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
Size: 1.8MB
MD5: 6d0f73b4a2b84bef406470efcd79a990
SHA1: 3e76cd04a8655c14330a7392bbeedb2e17f2e015
SHA256: 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf
SHA512: 54ba08bb0194c37dbbcf0f017ba9f7a87f370b9378e6191c6f4654c479c89de398e4b467d7506dc93f580d4cb773563eaa3c4da97c46e0b10feda0a82a9a627d
SSDEEP: 49152:HfpD+gCvPwVQBncS0hkViHM+aWKdya3dW:HxKgMw6cS8kEHfaWIyaN
Malware Config

Extracted: amadey
  Version: 4.41
  Botnet: 0657d1
  C2: http://185.215.113.19
  install_dir: 0d8f5eb8a7
  install_file: explorti.exe
  strings_key: 6c55a5f34bb433fbd933a168577b1838
  url_paths: /Vi9leo/index.php

Extracted: stealc
  Botnet: nord
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php

Extracted: stealc
  Botnet: kora
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes: explorti.exe, explorti.exe, explorti.exe, 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, explorti.exe, explorti.exe, 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe

Executes dropped EXE (6 IoCs)
Processes: explorti.exe, b86952c565.exe, a8675ae254.exe, 46065650d9.exe, explorti.exe, explorti.exe
  pid | process
  484 | explorti.exe
  5068 | b86952c565.exe
  1300 | a8675ae254.exe
  2976 | 46065650d9.exe
  2360 | explorti.exe
  5924 | explorti.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe, explorti.exe, explorti.exe, explorti.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | explorti.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/1000-71-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral2/memory/1000-69-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral2/memory/1000-66-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes: 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe, explorti.exe, explorti.exe, explorti.exe
  pid | process
  3604 | 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
  484 | explorti.exe
  2360 | explorti.exe
  5924 | explorti.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: a8675ae254.exe, b86952c565.exe
  description | pid | process | target process
  PID 1300 set thread context of 3100 | 1300 | a8675ae254.exe | RegAsm.exe
  PID 5068 set thread context of 1000 | 5068 | b86952c565.exe | RegAsm.exe

Drops file in Windows directory (1 IoC)
Processes: 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
  description | ioc | process
  File created | C:\Windows\Tasks\explorti.job | 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: RegAsm.exe, 46065650d9.exe, 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe, explorti.exe, b86952c565.exe, a8675ae254.exe, RegAsm.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 46065650d9.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b86952c565.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a8675ae254.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe

Modifies registry class (1 IoC)
Processes: firefox.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe, explorti.exe, explorti.exe, explorti.exe
  pid | process
  3604 | 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe (2 entries)
  484 | explorti.exe (2 entries)
  2360 | explorti.exe (2 entries)
  5924 | explorti.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: firefox.exe
  description | pid | process
  Token: SeDebugPrivilege | 428 | firefox.exe (5 entries)

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe, RegAsm.exe, firefox.exe
  pid | process
  3604 | 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe (1 entry)
  1000 | RegAsm.exe (repeated; interleaved with the firefox.exe entries)
  428 | firefox.exe (repeated; interleaved with the RegAsm.exe entries)
  (64 entries listed in total)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: RegAsm.exe
  pid | process
  1000 | RegAsm.exe (64 entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: firefox.exe
  pid | process
  428 | firefox.exe (4 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe, explorti.exe, a8675ae254.exe, b86952c565.exe, RegAsm.exe, firefox.exe, firefox.exe
Each parent/child pair below is listed once per write in the original table; 64 rows in total.
  description | pid | process | target process
  PID 3604 wrote to memory of 484 | 3604 | 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe | explorti.exe
  PID 484 wrote to memory of 5068 | 484 | explorti.exe | b86952c565.exe
  PID 484 wrote to memory of 1300 | 484 | explorti.exe | a8675ae254.exe
  PID 1300 wrote to memory of 3100 | 1300 | a8675ae254.exe | RegAsm.exe
  PID 5068 wrote to memory of 1000 | 5068 | b86952c565.exe | RegAsm.exe
  PID 484 wrote to memory of 2976 | 484 | explorti.exe | 46065650d9.exe
  PID 1000 wrote to memory of 1216 | 1000 | RegAsm.exe | firefox.exe
  PID 1216 wrote to memory of 428 | 1216 | firefox.exe | firefox.exe
  PID 428 wrote to memory of 2044 | 428 | firefox.exe | firefox.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe"
  PID: 3604
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    PID: 484
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe"
      PID: 5068
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 1000
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          PID: 1216
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            PID: 428
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec721dba-2944-4c63-8c0b-5a7dc29fe52a} 428 "\\.\pipe\gecko-crash-server-pipe.428" gpu
              PID: 2044

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2272 -prefMapHandle 2252 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ca3f127-1c4a-4a23-b8ea-17ae5c79737f} 428 "\\.\pipe\gecko-crash-server-pipe.428" socket
              PID: 2196

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3192 -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 3180 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2769cd0e-09c2-4adb-ae9e-402997b45b04} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab
              PID: 3640

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4008 -childID 2 -isForBrowser -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5ab2480-1832-4ead-9df1-067b6e0f6a46} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab
              PID: 3384

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4716 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4820 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51b40630-59ba-4e35-9e03-6b0ecde01670} 428 "\\.\pipe\gecko-crash-server-pipe.428" utility
              PID: 5188
              - Checks processor information in registry

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 3 -isForBrowser -prefsHandle 4984 -prefMapHandle 5356 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2b00365-8e74-48c2-a7e4-5df03ee0b4c7} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab
              PID: 5772

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {555567e1-ba81-49e6-8921-145f185e9edd} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab
              PID: 5784

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5776 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c21c849e-7cc6-4b61-b1bc-921f05684c16} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab
              PID: 5800

            Level 7: C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -childID 6 -isForBrowser -prefsHandle 6092 -prefMapHandle 6088 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5af2d903-afa5-4a25-84e6-17ec16adff2d} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab
              PID: 480

    Level 3: C:\Users\Admin\1000037002\a8675ae254.exe
      Command line: "C:\Users\Admin\1000037002\a8675ae254.exe"
      PID: 1300
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 3100
        - System Location Discovery: System Language Discovery

    Level 3: C:\Users\Admin\AppData\Local\Temp\1000038001\46065650d9.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\46065650d9.exe"
      PID: 2976
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

Level 1: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  PID: 2360
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

Level 1: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  PID: 5924
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads