Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12-08-2024 14:30
Static task
static1
Behavioral task
behavioral1
Sample
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
Resource
win11-20240802-en
General
-
Target
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
-
Size
1.9MB
-
MD5
31a21e0d2689f00347aba47d01baf807
-
SHA1
7dcebcf70a24796476e8a863de9eff5222ee9f3c
-
SHA256
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb
-
SHA512
2424d31df7b9d48f7a4721b40fd57b0667a04b9b73ffdb3b96da5cd972e8ee03cfeb539c72cafa13153da94dd5f59fe6b01a67ac41b68b5afd7d8cc7f818f292
-
SSDEEP
24576:D7zaKqiUWCIt/rppGWIrhsPB0vnCAQ7M1jmmpRf2/Drsy1uwWrJuesBMZzEeUI5:P2limkVmKAQIjmm/Grs0uP8S405
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exeexplorti.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Executes dropped EXE 7 IoCs
Processes:
explorti.exe61fdf520a3.exef65e7ae959.exe27b15fc051.exeexplorti.exeexplorti.exeexplorti.exepid process 2256 explorti.exe 2104 61fdf520a3.exe 3364 f65e7ae959.exe 716 27b15fc051.exe 3516 explorti.exe 440 explorti.exe 5316 explorti.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorti.exe5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\61fdf520a3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\61fdf520a3.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/4856-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/4856-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/4856-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 4476 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe 2256 explorti.exe 3516 explorti.exe 440 explorti.exe 5316 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
61fdf520a3.exef65e7ae959.exedescription pid process target process PID 2104 set thread context of 4856 2104 61fdf520a3.exe RegAsm.exe PID 3364 set thread context of 4948 3364 f65e7ae959.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exedescription ioc process File created C:\Windows\Tasks\explorti.job 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RegAsm.exe27b15fc051.exe5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exeexplorti.exe61fdf520a3.exeRegAsm.exef65e7ae959.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 27b15fc051.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 61fdf520a3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f65e7ae959.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 4476 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe 4476 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe 2256 explorti.exe 2256 explorti.exe 3516 explorti.exe 3516 explorti.exe 440 explorti.exe 440 explorti.exe 5316 explorti.exe 5316 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 4564 firefox.exe Token: SeDebugPrivilege 4564 firefox.exe Token: SeDebugPrivilege 4564 firefox.exe Token: SeDebugPrivilege 4564 firefox.exe Token: SeDebugPrivilege 4564 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exeRegAsm.exefirefox.exepid process 4476 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4564 firefox.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe 4856 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 4564 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exeexplorti.exe61fdf520a3.exef65e7ae959.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 4476 wrote to memory of 2256 4476 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe explorti.exe PID 4476 wrote to memory of 2256 4476 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe explorti.exe PID 4476 wrote to memory of 2256 4476 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe explorti.exe PID 2256 wrote to memory of 2104 2256 explorti.exe 61fdf520a3.exe PID 2256 wrote to memory of 2104 2256 explorti.exe 61fdf520a3.exe PID 2256 wrote to memory of 2104 2256 explorti.exe 61fdf520a3.exe PID 2104 wrote to memory of 4856 2104 61fdf520a3.exe RegAsm.exe PID 2104 wrote to memory of 4856 2104 61fdf520a3.exe RegAsm.exe PID 2104 wrote to memory of 4856 2104 61fdf520a3.exe RegAsm.exe PID 2104 wrote to memory of 4856 2104 61fdf520a3.exe RegAsm.exe PID 2104 wrote to memory of 4856 2104 61fdf520a3.exe RegAsm.exe PID 2104 wrote to memory of 4856 2104 61fdf520a3.exe RegAsm.exe PID 2104 wrote to memory of 4856 2104 61fdf520a3.exe RegAsm.exe PID 2104 wrote to memory of 4856 2104 61fdf520a3.exe RegAsm.exe PID 2104 wrote to memory of 4856 2104 61fdf520a3.exe RegAsm.exe PID 2104 wrote to memory of 4856 2104 61fdf520a3.exe RegAsm.exe PID 2256 wrote to memory of 3364 2256 explorti.exe f65e7ae959.exe PID 2256 wrote to memory of 3364 2256 explorti.exe f65e7ae959.exe PID 2256 wrote to memory of 3364 2256 explorti.exe f65e7ae959.exe PID 3364 wrote to memory of 4948 3364 f65e7ae959.exe RegAsm.exe PID 3364 wrote to memory of 4948 3364 f65e7ae959.exe RegAsm.exe PID 3364 wrote to memory of 4948 3364 f65e7ae959.exe RegAsm.exe PID 3364 wrote to memory of 4948 3364 f65e7ae959.exe RegAsm.exe PID 3364 wrote to memory of 4948 3364 f65e7ae959.exe RegAsm.exe PID 3364 wrote to memory of 4948 3364 f65e7ae959.exe RegAsm.exe PID 3364 wrote to memory of 4948 3364 f65e7ae959.exe RegAsm.exe PID 3364 wrote to memory of 4948 3364 f65e7ae959.exe RegAsm.exe PID 3364 wrote to memory of 4948 3364 f65e7ae959.exe RegAsm.exe PID 2256 wrote to memory of 716 2256 explorti.exe 27b15fc051.exe PID 2256 wrote to memory of 716 2256 explorti.exe 27b15fc051.exe PID 2256 wrote to memory of 716 2256 explorti.exe 27b15fc051.exe PID 4856 wrote to memory of 5004 4856 RegAsm.exe firefox.exe PID 4856 wrote to memory of 5004 4856 RegAsm.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 5004 wrote to memory of 4564 5004 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe PID 4564 wrote to memory of 1168 4564 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe"C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\1000036001\61fdf520a3.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\61fdf520a3.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd19b80a-b99e-4236-b7fb-32733cb3f177} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" gpu7⤵PID:1168
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad92a7c0-2a9a-43e6-8edb-bcc4f229dd81} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" socket7⤵PID:1904
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3160 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3032 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0ced6b3-afcd-4131-96ea-276a6008c7ab} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab7⤵PID:2316
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3696 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b35d6422-0bc7-4ae7-9868-2d5ce59291a0} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab7⤵PID:1144
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4692 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4672 -prefMapHandle 4668 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8fe8886-9e78-4be4-b410-154663c59059} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" utility7⤵
- Checks processor information in registry
PID:5348 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7019d424-ab22-4ada-9b50-61b81b5b59ba} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab7⤵PID:6068
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5464 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81becb3-106c-467c-a6d8-68dc5d69f2c8} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab7⤵PID:6096
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5428 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d124bb5c-c7ac-40fa-88ef-328802c47b3f} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab7⤵PID:6112
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6012 -childID 6 -isForBrowser -prefsHandle 6184 -prefMapHandle 6164 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59e66b5b-7fb3-4fdd-a6ed-faca615bb72b} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" tab7⤵PID:5228
-
C:\Users\Admin\1000037002\f65e7ae959.exe"C:\Users\Admin\1000037002\f65e7ae959.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:716
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3516
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:440
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5316
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD54c49157471d5a6c1fc1981ca91471124
SHA15210db72295c4683619a3f64e23580b17ddae4db
SHA2563fe97184d08241370b0d19ee68ad88ae6b9af172a0004a17f747d6c10bc977e3
SHA5127169ee3ed61a2de954021ce8e132b532035b39b636b0fa55e3354100b2a059af6e9bda891a085fed5d8720d23be80f6507a7597a60a59aa6b3fdf0b8c551aa3c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD5d34003d017f3ae4591909b5d138e003d
SHA16301f45ede10c72780f080fda396d59ac41ee934
SHA2568c11a6dbc22e87df0fb5d4d244ffebe0a39a41113d4dd480b862d85c2bf1400a
SHA5129c359feffacd7f43f33c867e07552abe28d8d0ba30768d989480fc5fd8f093ff843e857782fce5fd34b5ca076fac09f87f4f195695189ca67146a3bd97220cb1
-
Filesize
1.9MB
MD531a21e0d2689f00347aba47d01baf807
SHA17dcebcf70a24796476e8a863de9eff5222ee9f3c
SHA2565f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb
SHA5122424d31df7b9d48f7a4721b40fd57b0667a04b9b73ffdb3b96da5cd972e8ee03cfeb539c72cafa13153da94dd5f59fe6b01a67ac41b68b5afd7d8cc7f818f292
-
Filesize
1.2MB
MD5d3675b336c4a489e48ced9f4d763fff8
SHA1f95a1dd04278d6811ad43d2e2df75d74ac5c5938
SHA25624ab780777f1b33c8fcb240620994c31df63fa4d9114daf58a70b595e035c0be
SHA512ead3ad7bf9ba46e1e1a67430be52a378c85ed900b5da40b3ab1750bbb7bf6347f6c283ca64a73abaa6ea60565d7309bdf12dbf9cf1132a84232d6f1135593575
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin
Filesize7KB
MD540065be7ca842db7edabbdc5eb762a65
SHA1f5b173cc3ac14cb5431b7a925970229d12800a62
SHA25689502a75d879045f9ec2e7fd74093a4fe2800f8f8c1c9fc75d4d826c2c947e39
SHA512dda67c7b489edd475702878862de76c449519cac76886d8b5b1923dd82b7453532fb13f20fc248ad8b6336061bdacf2fddeee4ca058994a05cb93ae781361115
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin
Filesize10KB
MD5fffe14c81daac23423d83e80d534d00e
SHA15a3aedaf44f6f6279fd9cf76cf20aad7e25a2955
SHA256beaff4348a31efed91850c65f7aae85ac0c4b66f115eb46b8570b5d4b0c4a447
SHA512f248a41c684e5bd34dd1d28a67374955aeff40c8debaf1dab21d0f1a639ce388dad4d5f1fd083769f08098cc4f2612105e49404f677e8b7b00280ec90b437fac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5209b1adce277248bf5a0efe8edaca44c
SHA132b40cb83fa417a793452d65654a97d156279403
SHA2566f3d4e576c1bcae5f1f5e813f74969192a21d03fffe680e52363301f7082fd5f
SHA51284ac8de959dcfb7593cf6c38749ab66d2ba05efdb3bce4109eec0a2a6c2cdbe24626ebbcde99de3806c223c2f83c2e590a3b9359810c9afafc3d787b0f5c5f82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD5195d05f55e33953da9a3a866fabf375b
SHA1a5cf5983c1ab1d451e0a17ddedfd94baa57c0ed5
SHA2568364d057a69f40f0bcb2c6293ffc4de5a0b94d6f719fad7a319b667f5c18d017
SHA5127532d7e824c1f10cedec6440ee9049276414c2febad35b7d37ad3e95bae62021ff912fa7e12647d92311cd2c6b03ce16b97d314b282060af8ef7a277196f1441
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\c0b168f5-9014-425c-9742-d2a9a232b775
Filesize671B
MD59e99c3e20989a37ac73775698ba165a5
SHA16419c226af47974badd596ba7fec9118dead4a66
SHA256b6045efb8a2a6d7c3dac8b9700bd5cd793d81dc17d2136e012013213adc4af84
SHA512db1fed1ded52f5e5bae8b86860c0744c716a7a54bf5479ded2917fec1748ee17c09485ce65f39be49a99a2165f6d00943084521d82333612d66d4692bab265d7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\de0f17a5-fe3e-4742-b1b7-f9abe745ecfb
Filesize982B
MD559af491571ea8fabb384c66bca7807fa
SHA1f51d6a927817b09a4a317963fb7f1e7b867d16de
SHA2564f77114bfbe33d5086efdf2158130086be2ca35f073d0433ebf77eba7eb3831c
SHA512d5bb0f250569a7736316118c244a59304f80b893475cf86336f69908f98f0b30f32bfb03f27022f47188ed35d9c9b4277d3f282512c5711a5bfeb72db638f9f8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\ff7f66c1-7896-4a15-a5e7-99f4f37af737
Filesize27KB
MD5d5cb35629e7197dbdaf840330cb8f91d
SHA1ec68034b11e6e7c1be0c68fb1ff98129ddcc0b58
SHA2562d916dff2c1a271d25723c2f36f0f24c5a987f55a8d6da62a8d527d32f3988fe
SHA5121fb21b02b3a4ac274e3ed22f564a4899cbf0a1bad4a580a12134961b1672cf4dd6566affb030bad546a91fe4a165b0b2b773989e18e5f3a18bc4b7d51dcc577b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5d64528af1a0e22e5e3eb61c84e7c4789
SHA102bd2f91895ab6013cde6df009fb8faf6bd824f9
SHA25629045de8a664f8ee59c8daa86850f0b1bc2ce199fe4fc9ff30469b52f8dcbe72
SHA5128fb7d49203544edbd5bec1652d866183609d838fb99a199889b54226ce6fdf18ce207be2a08f3b0257cb0d4e951840fe42ac19064b7344d7cad1b0fc1f1ce588
-
Filesize
11KB
MD526e8edd707e268e1cedbaad8da408ec7
SHA1fa935dae45a64c91e31e33829f4f86fbaef74c40
SHA2562f6af02c6f46a4da617ae6eb24bb652bf1ca6773c3bdb651381f95eabd863fe2
SHA512a0acd8e846dadaef3e5c2fb0d9dd937138946867c4afd99d9c3cbdf84fba6b8abf286e48000d61a6e551e3d0ce0accc3c33572a1a83f65a314602b7717889bd6
-
Filesize
11KB
MD50a31e8c3ae22d6bb8cf8108d2a09ea20
SHA1b3f5c1dbd0d4e06a32a4a60ef3e20cc64b4151e7
SHA2564306cc81f86096e9370917ebe9e39281849fe5a31d05a79e9a2764ebb0c76bb4
SHA512f63aafba9bf60185bf0b169a085c1f6e11f6ef56018f62dd15afd610fcbfc7befd0a5fed99acc9dcd9f7bb20d39f7b8f678bb27e1cbcdeb1fba11dedfd22b71a
-
Filesize
15KB
MD5f9597afd7f621a7c8678815e8e378fad
SHA1c88e403c351143cf909741ebfe45ef62a06e6208
SHA256fbfb8b86485cffbb48f65b7dce111133be471d9d8404ab33a8c033a491cf9112
SHA512c7106c2fa6cd71142df85b8b4e47a39ac3d663f45ecd18418161cfb6973a7b514f3aac39f3bff2ff9cdcbb92a58fa3bc8ae14d01450bce2baf20b2f080aa3f0b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.4MB
MD5a8ad25ff1ccb1b1cddc62a509b069543
SHA12497b94ed16a3edf60551d8ddb587026762f41d3
SHA2560c639858285a193e75c6201bfc453ceb29eb5aec5d569409932b6e34b180770a
SHA5124d81661181c3575b355d997e05aba9c11869a508e5b933c0b6bc9f92158c1ea5d0240afcaf8579ea99debf3737eb7ef9a479ac9719a4c61b1fe3249890c3d359