Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-08-2024 22:49
Static task: static1
Behavioral task: behavioral1
Sample: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
Resource: win10v2004-20240802-en
General
Target: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
Size: 1.8MB
MD5: 1c001b7c1daa650908f734203a11329f
SHA1: d5cbdc631e0fc50f85ade35e12b9fd1d78053205
SHA256: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1
SHA512: 7f3eebb2d11f77ce9d242fb5610faa43081cb41b17bff3f37416b1b15bf71495f227f228f6b3efa6c5b685c0a1e5f1fdea8145ea6507fe4ac59483cdb0c42fa7
SSDEEP: 49152:2GVkZJYb8UXrgcujxbbjNz5UT0kxe9QhcmmfVuZD:2GeU7gvjxXpmx/hcDf8p
Malware Config

Extracted: amadey 4.41 0657d1 http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php

Extracted: stealc nord http://185.215.113.100
url_path: /e2b1563c6670f193.php

Extracted: stealc kora http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to or copy of a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe, explorti.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, explorti.exe, explorti.exe, 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe, explorti.exe, RegAsm.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | RegAsm.exe

Executes dropped EXE (6 IoCs)
Processes: explorti.exe, 4b740206d4.exe, 004c0c619f.exe, cc9647d99c.exe, explorti.exe, explorti.exe
pid | process
2116 | explorti.exe
544 | 4b740206d4.exe
1948 | 004c0c619f.exe
4184 | cc9647d99c.exe
3944 | explorti.exe
1876 | explorti.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe, explorti.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | explorti.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: explorti.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b740206d4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4b740206d4.exe" | explorti.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/3540-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/3540-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/3540-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe, explorti.exe, explorti.exe, explorti.exe
pid | process
3144 | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
2116 | explorti.exe
3944 | explorti.exe
1876 | explorti.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: 4b740206d4.exe, 004c0c619f.exe
description | pid | process | target process
PID 544 set thread context of 3540 | 544 | 4b740206d4.exe | RegAsm.exe
PID 1948 set thread context of 5080 | 1948 | 004c0c619f.exe | RegAsm.exe

Drops file in Windows directory (1 IoCs)
Processes: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 4b740206d4.exe, RegAsm.exe, 004c0c619f.exe, RegAsm.exe, cc9647d99c.exe, 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b740206d4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 004c0c619f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cc9647d99c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

Modifies registry class (1 IoCs)
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe, explorti.exe, explorti.exe, explorti.exe
pid | process
3144 | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
3144 | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
2116 | explorti.exe
2116 | explorti.exe
3944 | explorti.exe
3944 | explorti.exe
1876 | explorti.exe
1876 | explorti.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: firefox.exe
description | pid | process
Token: SeDebugPrivilege | 2328 | firefox.exe (5 identical rows)

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: RegAsm.exe, firefox.exe
pid | process (64 rows listed, in order; consecutive identical rows collapsed with their count)
3540 | RegAsm.exe (7 rows)
2328 | firefox.exe (21 rows)
3540 | RegAsm.exe (36 rows)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: RegAsm.exe, firefox.exe
pid | process (64 rows listed, in order; consecutive identical rows collapsed with their count)
3540 | RegAsm.exe (7 rows)
2328 | firefox.exe (21 rows)
3540 | RegAsm.exe (36 rows)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: firefox.exe
pid | process
2328 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe, explorti.exe, 4b740206d4.exe, 004c0c619f.exe, RegAsm.exe, firefox.exe, firefox.exe
description | pid | process | target process (64 rows listed, in order; consecutive identical rows collapsed with their count)
PID 3144 wrote to memory of 2116 | 3144 | 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe | explorti.exe (3 rows)
PID 2116 wrote to memory of 544 | 2116 | explorti.exe | 4b740206d4.exe (3 rows)
PID 544 wrote to memory of 3540 | 544 | 4b740206d4.exe | RegAsm.exe (10 rows)
PID 2116 wrote to memory of 1948 | 2116 | explorti.exe | 004c0c619f.exe (3 rows)
PID 1948 wrote to memory of 1516 | 1948 | 004c0c619f.exe | RegAsm.exe (3 rows)
PID 1948 wrote to memory of 5080 | 1948 | 004c0c619f.exe | RegAsm.exe (9 rows)
PID 2116 wrote to memory of 4184 | 2116 | explorti.exe | cc9647d99c.exe (3 rows)
PID 3540 wrote to memory of 2572 | 3540 | RegAsm.exe | firefox.exe (2 rows)
PID 2572 wrote to memory of 2328 | 2572 | firefox.exe | firefox.exe (11 rows)
PID 2328 wrote to memory of 3612 | 2328 | firefox.exe | firefox.exe (17 rows)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows process depth in the tree)

C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3144

  C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2116

    C:\Users\Admin\AppData\Local\Temp\1000036001\4b740206d4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\4b740206d4.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 544

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 3540

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          PID: 2572

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2328

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cf2a4bd-0993-4bee-ba63-dd33dbe21876} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" gpu
              PID: 3612

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dbfe358-012a-48a1-b412-0bd7b28b9a6e} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" socket
              PID: 4952

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3272 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96981efc-b796-4d07-b94b-1d735d6788df} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab
              PID: 1260

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -childID 2 -isForBrowser -prefsHandle 3032 -prefMapHandle 4000 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38ab5151-0863-4a66-9b8d-13db076bb969} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab
              PID: 4088

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4232 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4440 -prefMapHandle 4436 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bba19ab-3bf8-4aee-829d-9f872bf97a8a} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" utility
              - Checks processor information in registry
              PID: 5180

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 3 -isForBrowser -prefsHandle 5592 -prefMapHandle 5556 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f60d6379-e6ac-4d58-8b42-3c60db15f0a0} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab
              PID: 992

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {646d114e-e2a2-41a3-912d-c639b9ed93c4} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab
              PID: 5428

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6004 -childID 5 -isForBrowser -prefsHandle 5924 -prefMapHandle 5928 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c38d377-62ad-44e8-9b46-c7308db4fd91} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab
              PID: 4184

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6600 -childID 6 -isForBrowser -prefsHandle 6608 -prefMapHandle 6516 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72f2e460-92eb-4541-b45e-5c6fe0a1d4a1} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" tab
              PID: 5252

    C:\Users\Admin\1000037002\004c0c619f.exe
      Command line: "C:\Users\Admin\1000037002\004c0c619f.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1948

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 1516

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        PID: 5080

    C:\Users\Admin\AppData\Local\Temp\1000038001\cc9647d99c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\cc9647d99c.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4184

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 3944

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1876
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 206KB
MD5: 184ac865439679ad7884b845084b1aad
SHA1: cdf22ebfa466e18e2e7e2d7bfa419e04d0bca2dc
SHA256: a5105e830cde1a2cd8b5464114e3684b7c71b4680122918e6e213d86cb62b59f
SHA512: cbe62b31319dbc5775cc67855be5413f0c13e050629cf12a4dde478080e22f0210078ec7b0c718346ead1cb5cec7959f907d4167d003877cf10d0e14f539c10b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json
Filesize: 35KB
MD5: af2325e86f7c935a016fdb9da1453176
SHA1: 73515fac53941fca2e706b1335337a84a1e5ecf3
SHA256: ee11df9d2c7d8fe6bf84f68106d8f1b85fccb1a7c5fe3b15af77bfee6441e44b
SHA512: 385513cff9e584e9aa301acb0da262fdb8dc80e23fe4b2e3f451975dcf84ec6987b05c1a07b7a3fa16bc3fbeedd622ed54853922e05932e9c7583690f930c2c3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: cd3b5a150658841721110d493ce8eeeb
SHA1: b45dda4b383fd5ccca90fe5b345ac061d7671e4a
SHA256: 8cda48c5c521ae0a089f210465e55cb98300805137a1001bedd1249776845121
SHA512: 8811720314c7e921644285dd63de44946d84c8d4623fcd15d71fac75de537c7db4e6e43050840db83a2b12dddd75af63b24fe57ceb4c8d4dbe22d4669dbc6300

Filesize: 1.8MB
MD5: 1c001b7c1daa650908f734203a11329f
SHA1: d5cbdc631e0fc50f85ade35e12b9fd1d78053205
SHA256: 74526e54eb59d8804296c282956d430668c784af2bebb99d872fb24b4aa689c1
SHA512: 7f3eebb2d11f77ce9d242fb5610faa43081cb41b17bff3f37416b1b15bf71495f227f228f6b3efa6c5b685c0a1e5f1fdea8145ea6507fe4ac59483cdb0c42fa7

Filesize: 1.2MB
MD5: 0034ee4a88a9fc8d25c363524fa9fa0f
SHA1: c1f17b6ccea75290c2c9c8d7f42856428e7fad29
SHA256: 45b08cdfdae665ef8140d7a099c7031c7ee582ba7a30dc9a484ac03775ec29a2
SHA512: 624e7aa712e79fae69a4e1e301f01710f584f0a85768aeab7a18739b26c9e1c146d007795b776c8e23721f42dec98d6a7edd04cc168e1995345a58ace71fa85a

Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin
Filesize: 10KB
MD5: 5b486b71e38a8c12a62471fc16c359ed
SHA1: 187fd8d02b3add7ddbc6e4051d4f184cf3be5c0c
SHA256: 132536e91c434cbbf875d3767137820bfc6fe3acc26c7a896d1cd8f649c580a7
SHA512: b0c506f1fd48aacb4d4e46af7150238a374f7d1fd93be978cf1b1018ad45f9be19ebd9b10a8768270c6d605c0ff8f4685b14144390b841804e7537124ff27bc8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: d7c2f01a9a7de6f8b662a7bac281c4b7
SHA1: d2ab0ecd0ffe4e929100fa8663f49d64cd78049c
SHA256: 38d6dfce8a8f42a61c7784924ff9d070cc6a8cb8760599800a36a9210bc3ffa1
SHA512: 7783e6a16de8b06e28b2ee49c912146bed4655372994e2303c5d179760cbfb61052cc286fbcd714b05729b2a235b785ab8765360ae6fd855883d9d2c21664615

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: cbee26e6ae42d84893598223b50c8676
SHA1: 62a02b9152166d6c75976ecd3ca7161cbdf6c1f2
SHA256: 3ac8de18957a6376e1610498af5964b6d212cd404bd1773f67e2748b138449af
SHA512: 7be570a3718b19f13beaca1813bb238290c669c50b2a0d7872a521c3493452d0d0113fabcc0a04a092fa87f15199da6c04c3ece10815752c6f92a1a7873fb360

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: ce689b86559bd7562fa47ea9fad899e5
SHA1: d5f54568102b92cd824fb3da47194f5710f6c6d9
SHA256: 1e549f375f4f185991fcd0c2ee009fac9ab642eadeb47c7dcdeb80b3d67d3d4d
SHA512: ff79e785bbec3a8eb002ed4cadb79331c87385a9f359ff71542f8375bfe9bf79b6f21ef728a3b56156aab27c1ac7db04f147bc5ab49b619b1348fbdecb989e53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: ca01201882b0b9d1adf73194c3d457af
SHA1: bda18cff07aa5f653422f03433de24705b867185
SHA256: b61e7e60c0c5476c406ba42c19efaa4457becfcdc560cffffde0fb8bc3ab5b48
SHA512: 50ec4a5e1b2817c5f624430a97d89fc6794472fe2fffc7864277c35d438c7be2abf2d0485f8be139bb0f7a82af97452485f9ae3132282a569181009a97c7964d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\41a8f4a1-9193-42a3-88d7-2826be7e6567
Filesize: 26KB
MD5: dbdd1679647b13c43e0970d4ef01b8ed
SHA1: c4b8672d15321ee1cdba7c0a5fab90c8583ac7ca
SHA256: a00d0c665653622d4e58dc9aaab747dedbb6597d11f7ed80db76e631268c28ef
SHA512: 428d9e7c8aa9e76b1f5aa19acac5af43e16ce2043f34cfabbdb6c2c7df91049ca363c1be83a95257b94d623b8cbbe09a1eaffbc51eaf3564092f0728dbd7a8d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\72dd1379-4fd8-42ce-880e-c239a9b1f481
Filesize: 982B
MD5: 494a2eacaba107de831c59a2a0f58b76
SHA1: 498a3e5bea62721a93c62c99529d37dd46018452
SHA256: cda54a3153936b94122884c4523688a02d2b03dc2d751831ed800be5e392c86a
SHA512: e28833661f93dae21665bc5bf743cfa42e420dac4ac371446f718570f5933019255a80b7295996eda6e947164a9e912ad76dd29b3dcf1f14784c8457c6e5dc67

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\dd80f20e-f427-40a6-9f78-52ebf257db00
Filesize: 671B
MD5: 0bd472804d29abc418e560ce7404575f
SHA1: 5aec6bbdbd2b0a213ed58b56d9a1acd87d44e4e1
SHA256: 9c36fdd2781265d8b8ed8fa728282f17438024a6d587283a5a791ab1d8fa92fd
SHA512: 365e99abda22dfb3f99647559a9bfe272232b9ed269feaa60fcea56189f75a6006d46c0b6306d77a65315e9c85ab52eeb9317ba710a1ae658a689693845fd39d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 12KB
MD5: b9be4d26f240cce56372456a49c08d43
SHA1: 681b0045a65ce001050e25f2f74f3ff2cf8cad3c
SHA256: 7f85094d6ac8978f265c732ba59d61d328c898f313bae9dad8abd6e7c690bfcf
SHA512: af4bac9d552385100e98e962ed8a62f2109f50be3e1ab87786416090ad125401a04c58df2e6542af231111673efd62ac6d67e011fe23e5384c11e06a25141eb9

Filesize: 15KB
MD5: dcb7257cf824d67c27536a77785deb28
SHA1: dc5fe252346b47e80969b401c6f4e2943142079d
SHA256: 31b661337b589e52f782e6c706c8d637a6cca10ea5db4db5c9a21fcbfea0b2e4
SHA512: 4bcf691a06d539efe27c08c5cd0506c70eb2df99650c67d8226da88f2d29dff641e777aebd9b1b856fc6d886397e6e5e616af2c55ebbe67c694fe720fd0ba0cd

Filesize: 11KB
MD5: a0f3b5158d81b2fbd74906f2c8a28408
SHA1: 873b71782d6fefa44e83390c2e53dfee65679de8
SHA256: fe1134ded02e45289066899f8ee271051db6fcbbffa84ac9ec2b8f6b6a752760
SHA512: fe86d6d76bb24fd3d9f66b14f6ef2ce94e02beb67e9620431b339b2c5cc3a3be83fa2d9150dc896302a79544c1b12dad745610aa1525d0aa9196c836f44b3939

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.4MB
MD5: 93f5fc7d2c19ce3e83fd3d643a446388
SHA1: 5482cf6a44cac0819b8841c4604512e3d1ca3845
SHA256: 3700f28dcc63b34ad1c15fb3259d5df6d99b9c205b617499f1a6037c766b8adb
SHA512: c0b4465845b1c404a0ca597d0b945970c51fd7ff92045466371c47ddcd7853327ca36df7593f5465159efac08d59ccfc92d50bf649a317820cb7d28d4193fe88