Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
12-08-2024 06:16
Static task
static1
Behavioral task
behavioral1
Sample
3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
Resource
win11-20240802-en
General
-
Target
3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe
-
Size
1.8MB
-
MD5
b34e3f1eba1a4c3c26104128f3df2e94
-
SHA1
e1e8b98be081cf73205e90c5fef03d7d19611590
-
SHA256
3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab
-
SHA512
dddf13d6bddf77ec846fe3e91296d28865e723b84f7331f333c4ccdba5372b4f5e2f6521d27e2d8381a4ea3bda7fa5516b70222b99b6ed7594428d8b3a470e76
-
SSDEEP
49152:t9QGsvc5L4WK5zkxy9fnSTt4M4YHCGeS:EGsvMLHyRyyM4YHFe
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
explorti.exeexplorti.exeexplorti.exe3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exe3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exe01630fd316.exe76dd4c8052.exe2b77e4b2a5.exeexplorti.exeexplorti.exepid process 3484 explorti.exe 3152 01630fd316.exe 1028 76dd4c8052.exe 5096 2b77e4b2a5.exe 4068 explorti.exe 5924 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\01630fd316.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\01630fd316.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/1800-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/1800-49-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/1800-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exeexplorti.exeexplorti.exeexplorti.exepid process 4916 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe 3484 explorti.exe 4068 explorti.exe 5924 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
01630fd316.exe76dd4c8052.exedescription pid process target process PID 3152 set thread context of 1800 3152 01630fd316.exe RegAsm.exe PID 1028 set thread context of 1116 1028 76dd4c8052.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exedescription ioc process File created C:\Windows\Tasks\explorti.job 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
explorti.exe01630fd316.exeRegAsm.exe76dd4c8052.exeRegAsm.exe2b77e4b2a5.exe3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 01630fd316.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 76dd4c8052.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2b77e4b2a5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exeexplorti.exeexplorti.exeexplorti.exepid process 4916 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe 4916 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe 3484 explorti.exe 3484 explorti.exe 4068 explorti.exe 4068 explorti.exe 5924 explorti.exe 5924 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2032 firefox.exe Token: SeDebugPrivilege 2032 firefox.exe Token: SeDebugPrivilege 2032 firefox.exe Token: SeDebugPrivilege 2032 firefox.exe Token: SeDebugPrivilege 2032 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 2032 firefox.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exepid process 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe 1800 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 2032 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exeexplorti.exe01630fd316.exe76dd4c8052.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 4916 wrote to memory of 3484 4916 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe explorti.exe PID 4916 wrote to memory of 3484 4916 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe explorti.exe PID 4916 wrote to memory of 3484 4916 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe explorti.exe PID 3484 wrote to memory of 3152 3484 explorti.exe 01630fd316.exe PID 3484 wrote to memory of 3152 3484 explorti.exe 01630fd316.exe PID 3484 wrote to memory of 3152 3484 explorti.exe 01630fd316.exe PID 3152 wrote to memory of 2112 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 2112 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 2112 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 1800 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 1800 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 1800 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 1800 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 1800 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 1800 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 1800 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 1800 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 1800 3152 01630fd316.exe RegAsm.exe PID 3152 wrote to memory of 1800 3152 01630fd316.exe RegAsm.exe PID 3484 wrote to memory of 1028 3484 explorti.exe 76dd4c8052.exe PID 3484 wrote to memory of 1028 3484 explorti.exe 76dd4c8052.exe PID 3484 wrote to memory of 1028 3484 explorti.exe 76dd4c8052.exe PID 1028 wrote to memory of 4580 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 4580 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 4580 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 3960 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 3960 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 3960 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1568 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1568 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1568 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1116 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1116 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1116 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1116 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1116 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1116 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1116 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1116 1028 76dd4c8052.exe RegAsm.exe PID 1028 wrote to memory of 1116 1028 76dd4c8052.exe RegAsm.exe PID 1800 wrote to memory of 3496 1800 RegAsm.exe firefox.exe PID 1800 wrote to memory of 3496 1800 RegAsm.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 3496 wrote to memory of 2032 3496 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe PID 2032 wrote to memory of 3516 2032 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe"C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2112
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1860 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6cd32f6-1ffa-4cd0-a642-93d73ba4a93f} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" gpu7⤵PID:3516
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {196b54e8-eeac-4820-920b-c9024b75e131} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" socket7⤵PID:4512
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3276 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e35575b3-f605-40ae-a364-603b9525dba9} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab7⤵PID:3196
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3944 -childID 2 -isForBrowser -prefsHandle 3936 -prefMapHandle 2940 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bce0595-a402-404b-b429-54b47ae83276} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab7⤵PID:3028
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4572 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4612 -prefMapHandle 4608 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81240042-c327-4e4d-9829-9ddbe9ccdbe4} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" utility7⤵
- Checks processor information in registry
PID:5404 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5316 -prefMapHandle 5312 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b469d50-304b-42b1-b4cf-d17f5f868050} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab7⤵PID:5892
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5524 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {430c2be4-4d42-4bb6-94a2-18a31f643e74} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab7⤵PID:5904
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5644 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7112f7d3-3802-4f25-9c8f-b7d8ef6e1eb7} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab7⤵PID:5916
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 6 -isForBrowser -prefsHandle 6200 -prefMapHandle 6204 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb4958cb-4929-4a71-a40b-de7bd10a7d00} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab7⤵PID:5352
-
C:\Users\Admin\1000037002\76dd4c8052.exe"C:\Users\Admin\1000037002\76dd4c8052.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4580
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3960
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:1568
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\1000038001\2b77e4b2a5.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\2b77e4b2a5.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5096
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4068
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5924
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5f936e41f331f3bcfa5479fc12569dfa0
SHA10fbf4b66a04ac0c756b85e79df9aff371a0e46be
SHA256c607af07435b71602537fbe78096da145867130ab1dd1e33f0c3a4bda2524217
SHA5122d21e55033462c4330fd42c52664d8cf6a01c4421a046a2ef37451024e76844b81e3fc4be7b22d5541079d7b0922ee8c24970ccc2e0bdc50bd5c4dd742fd6d50
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json
Filesize45KB
MD54b84d69607cac35100513a634c3a3b81
SHA1283671385ec5b44c466c9a7bf528c85fd9f02ae1
SHA256b69fccb43d9527ab9adfba650e883b1d5ab76303add320dda78b77b08b4636df
SHA512a721e25bfdaee089a2133b0c9a00c6218d75bff5e733dd43a8927c87390c41e41543ec255234461fd3152194d28a61d488e452df452fa34349a93f970371ea48
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD59bc99886217c8014a3c12fabdd64de2a
SHA1e4d14e8a89081c19bacf37f48e88689bd17d830d
SHA256fdcc72f7d8889db81aaf4088bd1b2b174cb0b9f4279a488081c28f978a2b04c5
SHA51221586bf7de070e63975fc977daa14d68c0093e687516456c48f8f781cbe0a6da24ffc040c82b983d81ac03e61f9a93423f8c08a5d5ffe84494a8e7331d931a68
-
Filesize
1.8MB
MD5b34e3f1eba1a4c3c26104128f3df2e94
SHA1e1e8b98be081cf73205e90c5fef03d7d19611590
SHA2563e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab
SHA512dddf13d6bddf77ec846fe3e91296d28865e723b84f7331f333c4ccdba5372b4f5e2f6521d27e2d8381a4ea3bda7fa5516b70222b99b6ed7594428d8b3a470e76
-
Filesize
1.2MB
MD52cf4fe66d4e93a2aa66cfffdf7b9d55c
SHA1c94b44c29812518331d7981984b45d35af5bb77b
SHA2565e53e477950bf652646e1faeee7507c6db804d3d0dd19046f0832f7d778af835
SHA512bf86555ad8838deb7c94bacd2d0ac41d5af5ea1693ed31f515e7ef73b4e258e78ed92653cd216b01009b64abc1811e9f7a903b6d24d0827de60d4623dbf4ed73
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin
Filesize7KB
MD55f74ba46cbd4c8b89a86e92bcb5eca15
SHA1b9f93d61869f641aeb11e547e60da8a558d0d1f0
SHA256e0de6b67fa91da0333f3e5eee1546e0cfa35d75f57abbb55345ec699ae2a2242
SHA5120b05f2081b8bf26ba9cb2ae50955d7a24ceeca4962e8fdf873f349c49b02297e9599859cafdac138653d7f8c06afa5a2910d41e8ba5e74c08478522195e81270
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin
Filesize16KB
MD541f755d03838d73b0b6bd384419e5de9
SHA17bf3c5655694897ced14fd848d819f007d6dde69
SHA25637cbf983a583e2affa7a444588758b128138c6037c879412adc0ec32bcecae40
SHA51234352a90d7e013db239e8f4d01c5301813dd17f6b96e453ef95153ecfd8c4a46935282131c626f5b903e1c882a53bc53367ad09f4d8c219818f8fcec719ebe6f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD5b26f79b2ec3e51030aad0e81e8082546
SHA1bff3095a68d778530a8f7bb5de242c0175a623cc
SHA256a6bf1d8558ead5f54476899f44ee037a35efc62e26cb1ab1b915d0f1e6a6dfca
SHA512419ed175f1306b17e89291c44823b890a5389eca1f098c9298e3d43adb8bdc249f1b1a21fed1950c4a7581de0b8b7ddee33b546362c23377e501169872255bf0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD53122bf88981f45169b9c285b42e21f36
SHA172e26370625effd20f28606d85587ef12a36ebab
SHA256000556b3b923fd3fc726ec09a79a989744063a87d858058cc2c9178b4074e5a9
SHA512216d21c25b70048131477cf577a02453a4ef51a7a50887928046f74559232bdf251d4a7e71409994d751edd0661fb4651c49a34f5b4307c070e21ac14fe6be14
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\0076e695-cd2a-481a-a8e8-cf026ad944d7
Filesize982B
MD5b9528ddd51b1f310ef6b8105e3edc38c
SHA1bd7c3b364b98f9239fa4d900d7d4d3c25a61ff22
SHA256d403cc4279e510277657fc0214c894331a092bdf5012649678498c89440c8a24
SHA512f35274fc7c0f43e5a914af484cdbd32974dd84d5929493a24c422dabdbc9fac64a41de2b516d26abfebd85972d6a7ee72a0fc4e71a4a5a4627bd0459e721de54
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\6b9d5982-b399-43ff-bcca-da178f4edc22
Filesize24KB
MD54d5553ce3d9da52f03d99473e66c3bce
SHA1bb4d5e0e98f406b4b78f640d8cbba58ffbbcba68
SHA2561d7d10d1eb2f7862ada4e852b1e4a8c8b6d4a7dad806807392f70148872d627a
SHA512bffa7a7ac05ac87dce8e36d6110aa7e7d0db1279a50b124392a97eb8eabc69184c54d08ef825338f342b0e675578fe2543df21161c8bde0629b073b1c917a7f4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\98d097ed-6683-46c8-926c-159096085ef6
Filesize671B
MD5139dedd3a313489a7703c84ca1429c64
SHA1610175c8f391849f86ef6e433cbf7ac25444b3d7
SHA2568a38b98e422b2a53a35457443f78bc62fb5d78329f2eb4662acbc8b48d60478a
SHA51208c2585ba30c3126deab53d1c929b749d787ade65583d8123b16ccc54c3c539e9a4eeb0df95c8426d99ea6ff23caa422a91baad6664a1b34b8c1f64630b2d9b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5f462e33be570c408c19a2d8af0fc0978
SHA1110bfd03674243734b1699089c05bd2e43ea738b
SHA256a006092fe755350a1cf7b5e0dd09e2d4c878ade563941c71c870528156559f69
SHA512a5851332dbbfc17157778ba94f4f6cafcea1b47363fa04d1a6d96d5393be3af68bd2d68d7902de91eca36d6c966dfb8170eca061ece031d59000c4f1c3afd4f7
-
Filesize
14KB
MD5ed082fb0cfac79916934cf1f09109a44
SHA168a72d84fed563f03adf229febe3407a05fc50f3
SHA256ae38ecadb5a610baebc173ed36d85d9251004b47e9778b141da8bb94f8ae0e8c
SHA51274c7606aa42017c00fbdcfc60be211d10fe8a8c93542ff75f44a3d47139d33549f2550e7691a832df26124a72979db36dc218d1c6d200bc3e17d4654a6f94e02
-
Filesize
11KB
MD52d3c1edcbd79efa29cd634e233eaf0ce
SHA1aa4f5137065b7d751eb7de1e2139cd90e5fb6d43
SHA256f839d6c1c285761931cc45704fc815356cf186292c218c420e5c1d3482d965c8
SHA5124594e4ee365a77c7d522b85c39ed463b928024129495c9dd844695c327027c2e34507c05c1a65e08d80827d2b2cf50567020666109027e85e6c3bf10c940c02f
-
Filesize
10KB
MD50670192e4807db011b9d0ab53561dfcf
SHA17564a4036813e4b1fde4d00be18f615301810e48
SHA25672aaf2baf8b50d952d2d5c70795428d88efa6546005ee41aa2e29b7489f4c2a1
SHA5129c3d1d802d79b82cd6b0e2574a628b35ce7b36dc0540c0a4dca0d758f2288f890cfb7e1f19940069d13ef37b8ffe2fba3ea64d2abe51052d641349d99485bdca
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5b0da08b4b02530429dec82788ef07b21
SHA12d6012846674f295e9a89c0c0baa50d01bc5b1c3
SHA256efff9f547104f946ea8c5d9594ce43d771fb197429324f0b0879957705cffede
SHA512f898b16d0d213576161f62bd5c56d533dfbc6d0488cb049cfbe7434904552d3d3297010cb2f89dcc1d4100323100eed4b8dc2c766ef5a83e3757bf1a62e66271
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize2.0MB
MD545aad0dcc000cf050645e0051af8f604
SHA1cdc2673f587af4bb20fda0d65b8db13f8e2bd799
SHA256f57e3be6c75a3bad4fbaa4797ac93658ea0734001ebc1a84eb2c29e8c19459a9
SHA51294f9a3380c0d578419a89793095e48cc3ee72590244b75b2c77ac1e3cee571410455886e0fc873320d8cef18304a9da353d3cd8f22126ad944696659b3476676
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize2.6MB
MD5d3c022c085ef8b9509ccabfc3ecf196d
SHA146487089deedec13e9f490f245b82ae346d5e7b2
SHA25678e0bf02c5d527462e9a109e81981fbd039d78e5a43e0fd9c89dea237fed7e38
SHA5127cf6c3b2afbe129339452cb187a754a8fef4d010ac9fb5bb3a99335195911e28a04ad5ba212d7b62872b87c27a5505851264eb08d93933bc365f433a7e16f04b