Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12-08-2024 14:30
Static task: static1
Behavioral task: behavioral1
- Sample: 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
- Resource: win10v2004-20240802-en
Behavioral task: behavioral2
- Sample: 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
- Resource: win11-20240802-en
General
- Target: 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
- Size: 1.9MB
- MD5: 31a21e0d2689f00347aba47d01baf807
- SHA1: 7dcebcf70a24796476e8a863de9eff5222ee9f3c
- SHA256: 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb
- SHA512: 2424d31df7b9d48f7a4721b40fd57b0667a04b9b73ffdb3b96da5cd972e8ee03cfeb539c72cafa13153da94dd5f59fe6b01a67ac41b68b5afd7d8cc7f818f292
- SSDEEP: 24576:D7zaKqiUWCIt/rppGWIrhsPB0vnCAQ7M1jmmpRf2/Drsy1uwWrJuesBMZzEeUI5:P2limkVmKAQIjmm/Grs0uP8S405
Malware Config
Extracted: amadey
4.41
0657d1
http://185.215.113.19
- install_dir: 0d8f5eb8a7
- install_file: explorti.exe
- strings_key: 6c55a5f34bb433fbd933a168577b1838
- url_paths: /Vi9leo/index.php
Extracted: stealc
kora
http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe

Executes dropped EXE 7 IoCs
Processes:
pid | process
4380 | explorti.exe
5100 | b6bee4fcd6.exe
900 | f65e7ae959.exe
4336 | 27b15fc051.exe
4060 | explorti.exe
1288 | explorti.exe
3672 | explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | explorti.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\b6bee4fcd6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\b6bee4fcd6.exe" | explorti.exe

AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4744-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/4744-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/4744-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
pid | process
896 | 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
4380 | explorti.exe
4060 | explorti.exe
1288 | explorti.exe
3672 | explorti.exe

Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 5100 set thread context of 4744 | 5100 | b6bee4fcd6.exe | RegAsm.exe
PID 900 set thread context of 1752 | 900 | f65e7ae959.exe | RegAsm.exe

Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 27b15fc051.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b6bee4fcd6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f65e7ae959.exe

Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe

Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid | process
896 | 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe (2 entries)
4380 | explorti.exe (2 entries)
4060 | explorti.exe (2 entries)
1288 | explorti.exe (2 entries)
3672 | explorti.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4804 | firefox.exe (5 entries)

Suspicious use of FindShellTrayWindow 64 IoCs
Processes (distinct rows; 64 entries in total, repeated in the original listing):
pid | process
4744 | RegAsm.exe
4804 | firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
4744 | RegAsm.exe (64 entries)

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4804 | firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (distinct rows; 64 entries in total, each row repeated several times in the original listing):
description | pid | process | target process
PID 896 wrote to memory of 4380 | 896 | 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe | explorti.exe
PID 4380 wrote to memory of 5100 | 4380 | explorti.exe | b6bee4fcd6.exe
PID 5100 wrote to memory of 4744 | 5100 | b6bee4fcd6.exe | RegAsm.exe
PID 4380 wrote to memory of 900 | 4380 | explorti.exe | f65e7ae959.exe
PID 900 wrote to memory of 1752 | 900 | f65e7ae959.exe | RegAsm.exe
PID 4380 wrote to memory of 4336 | 4380 | explorti.exe | 27b15fc051.exe
PID 4744 wrote to memory of 836 | 4744 | RegAsm.exe | firefox.exe
PID 836 wrote to memory of 4804 | 836 | firefox.exe | firefox.exe
PID 4804 wrote to memory of 660 | 4804 | firefox.exe | firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe (depth 1, PID 896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (depth 2, PID 4380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe (depth 3, PID 5100)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\b6bee4fcd6.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 4, PID 4744)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe (depth 5, PID 836)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 4804)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\Program Files\Mozilla Firefox\firefox.exe (depth 7, PID 660)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1840 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1646ed55-d615-428c-9bf5-f87c306c3581} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" gpu

            C:\Program Files\Mozilla Firefox\firefox.exe (depth 7, PID 2704)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4f168a1-7eed-4831-b26d-f471431c36ab} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" socket

            C:\Program Files\Mozilla Firefox\firefox.exe (depth 7, PID 4164)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 2884 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85cf4a05-513e-47e2-8392-d15fd028ff40} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

            C:\Program Files\Mozilla Firefox\firefox.exe (depth 7, PID 3740)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eb88910-1cf1-43cb-9766-d7e2aa8d2f27} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

            C:\Program Files\Mozilla Firefox\firefox.exe (depth 7, PID 896)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4488 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4600 -prefMapHandle 4608 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43a7bd9c-bc39-456e-bc42-f2b9aef9d969} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" utility
              - Checks processor information in registry

            C:\Program Files\Mozilla Firefox\firefox.exe (depth 7, PID 3424)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5548 -prefMapHandle 5592 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48307287-583d-4df6-8d07-4905c7cbb702} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

            C:\Program Files\Mozilla Firefox\firefox.exe (depth 7, PID 852)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5744 -prefMapHandle 5748 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0ca4416-3f8f-4df5-bfe2-52f0f9f07399} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

            C:\Program Files\Mozilla Firefox\firefox.exe (depth 7, PID 464)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 5 -isForBrowser -prefsHandle 5448 -prefMapHandle 5532 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5a7cdb0-561a-4b17-b058-f98771e1fbfa} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

            C:\Program Files\Mozilla Firefox\firefox.exe (depth 7, PID 2664)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 6 -isForBrowser -prefsHandle 6032 -prefMapHandle 6184 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1132 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43c49d5e-4aaf-49c0-ac4b-8dfbdb0d9d29} 4804 "\\.\pipe\gecko-crash-server-pipe.4804" tab

    C:\Users\Admin\1000037002\f65e7ae959.exe (depth 3, PID 900)
      Command line: "C:\Users\Admin\1000037002\f65e7ae959.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 4, PID 1752)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe (depth 3, PID 4336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\27b15fc051.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (depth 1, PID 4060)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (depth 1, PID 1288)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (depth 1, PID 3672)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 206KB
MD5: 4c49157471d5a6c1fc1981ca91471124
SHA1: 5210db72295c4683619a3f64e23580b17ddae4db
SHA256: 3fe97184d08241370b0d19ee68ad88ae6b9af172a0004a17f747d6c10bc977e3
SHA512: 7169ee3ed61a2de954021ce8e132b532035b39b636b0fa55e3354100b2a059af6e9bda891a085fed5d8720d23be80f6507a7597a60a59aa6b3fdf0b8c551aa3c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json
Filesize: 41KB
MD5: 1fa69f2b590cbdc7d1f8053e6daf9898
SHA1: 10febd4adbde06e634f2b8ab79a8f38cacd8c23e
SHA256: 297430a40557fe79a3e2206c327459a6c0c56e00a8227d064fc93ec6f110e731
SHA512: cf99c46fc81ce58d09cd69e838d59d6bbbbdafb0467d43d9737c9300009e7394111f723f3bccfbc8aa7a558dec9bfd237f0b6265ea6d50f7076d82c56c32dcd9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: f2920e88f37bfa3c02749b25ef8b02b4
SHA1: 41d90ff5041826547ebb6f9b10a84baca900c54e
SHA256: 03ad694ee7bd780e3b45123c46e1b8ced6ecadb4f5dd6df0aff0a61340a63133
SHA512: 836454312c42e82787b604f5b8e2da8872d0d080c42e141571f0fb905770cb4f8c7205e2be16d5cbbf16d2bd58900dfd5c78675230878e4317cc59770b290c8f

Filesize: 1.9MB
MD5: 31a21e0d2689f00347aba47d01baf807
SHA1: 7dcebcf70a24796476e8a863de9eff5222ee9f3c
SHA256: 5f0aa5a8f4c08125436955f162c8af500f3a39e5aa133afd0904aa24461877cb
SHA512: 2424d31df7b9d48f7a4721b40fd57b0667a04b9b73ffdb3b96da5cd972e8ee03cfeb539c72cafa13153da94dd5f59fe6b01a67ac41b68b5afd7d8cc7f818f292

Filesize: 1.2MB
MD5: d3675b336c4a489e48ced9f4d763fff8
SHA1: f95a1dd04278d6811ad43d2e2df75d74ac5c5938
SHA256: 24ab780777f1b33c8fcb240620994c31df63fa4d9114daf58a70b595e035c0be
SHA512: ead3ad7bf9ba46e1e1a67430be52a378c85ed900b5da40b3ab1750bbb7bf6347f6c283ca64a73abaa6ea60565d7309bdf12dbf9cf1132a84232d6f1135593575

Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
Filesize: 10KB
MD5: e6b813e7c080f70075dc86599e85b6ce
SHA1: 3449c51501e097c2ebca041bfc0fbde53c64cb86
SHA256: 5bacacf9fb039c480745c44d660e4537d50c2527bd4db86c2ca381e0d00f89f7
SHA512: 19868bd1bfb3e29619bf3c2472f183be6a44ea4dec416af7ece54610067c6cfdf917c79d55c1a2d7d393bb60365ac7fef34a2ebd775175a3033651d33bd2a62d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: bbc035ae5b63f9d1ae65ab08c5da1cd9
SHA1: 4f9de3ac6515ce1e5d9dedf13954243ed919fde5
SHA256: 6d823e345b7844714a40e3cf1b8b96353710b580c0155cf267ae43fd9d73b128
SHA512: 48207921a604b5315930f7912f598a67efc91c7f53e99ad1a3be4e014a94f20e931e0766e502a6f35e9693b1a980a4a1269968b54026e9f793c5840110f4151d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: 3f34f201c89daee7da768d08e843a537
SHA1: 63d036a6480ecbcff4739665d3113f0e57bfd2c0
SHA256: 83cd870b7df15a3d9519815f69c336716cb5e72ac4b856e3ff4cb3cc9f2dd6ee
SHA512: eca90ce513e7cc56fa303899d6440cfeda4166bf47b6c55967fad543198278c5272355d800bd4687edba7ee4bc201d5580abe32d0d574774bcad105bda2d4cb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 964c139209f83129fbaf1f27216e7153
SHA1: e8f45cbbfa6bbfef08bcd58e330d3af30d1d038f
SHA256: 29e3a605cb8b5fb8ce6bbd6c4e786bb86e4239d499675b2ab371db82e2caf781
SHA512: 7a5fb55e295168e862550729526453a18eda89af55ed6b7f03b49e5b34435604269315a865da944765bea2a3d140a4e5e7275c64caf26ee96a6f4128f034ba52

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: 9ad976eb726a1a52eb7c8fa3927550d9
SHA1: d176dd93500aa3073fc30069fdf4ee0432fa7886
SHA256: 7ba0a8b1f0a1742f58b96eade2c302183acfa66f9b04f71858265b4398528653
SHA512: b78e912ccc1cd400cb6a0b28cf3c4a6f9d200327228f95899bb903df50fa088b000136eb7cd00b92d6037d8293aaa58d9432a84224f76f037c78059c1df8fd35

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\753f1687-2b69-468b-9165-6c7822e5fa1e
Filesize: 982B
MD5: da09b1fa1a836f003dea5bdc4bca8386
SHA1: e932bf3fd5c43b75db7ecaf76567aecc72d4a428
SHA256: cbe5ffdd918447412ffe77310d17807720e73a812a1265e7d56ca86535be0733
SHA512: 61e77fa176ddf17ee509ad681c1188a36b045187da3f9653a1c35d611ff64946493417a975dac5cae130c2a59886793c52971f7db83a27f51ba99c6a5f55c70d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\86d5264e-2eb1-4ddd-937d-8cc1a915a820
Filesize: 671B
MD5: 112e9032213553e239dfde74b8859e9c
SHA1: 8e6316f775c3c2142f62db32b17080978ec7bf9c
SHA256: 115fce25c215f4953e60b870bd929f58c1e493c028952feb6a8ed07a5095a5e5
SHA512: e2f5285c8fe32c6293d2d856d5c47e5104b0acd3bf9a3387900243a6b677d277f310c4ef19ced8cae92614d6330c4b11535195ebdadef946357317adb80eade2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\dd080cd8-cb4f-4a9f-80ab-2bf3604421ad
Filesize: 27KB
MD5: 86c1389894395008578b654fcdd74d23
SHA1: e99648c2abf8fba60825f383eea27e3c7aa8e33a
SHA256: 61d97c893cd8a9370346ca2fac0d5bfe9d18df638b0a6b01514799d63365c523
SHA512: a86296ee5487a747832260adc1bb9b798a44dbd6ae3ca227c094ecf93f4bc794a0da2deeeb100c0dd0c7c42e3ff3faecb2845f90692a42c6bcba2df30c87b7c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 11KB
MD5: f7f9dcb1e7c67e07934246da5f06744e
SHA1: 72a7f15cce8364ad08ddb345d6014d97373e8fda
SHA256: 25ce88d75f51bd0ae855088f04b77b49c5568115916b7c81c9d374487be16ccb
SHA512: 514afd02ae99fbcbe4190d99f9ca979c9fe8be4d07d6af8026f09d33dcaa8f7c9b7dc82a59f2f98b6bb7287dd7844608c7e8ef82a714d8da460ad93d2c1f6b3d

Filesize: 12KB
MD5: be32b074885159ab3cb713a08f622227
SHA1: f713e80615676b7a07c6249e36b0c4c199c8fd28
SHA256: ec977cef1397b046e1335ba52dfb1d9ce56c606802089d5392d020647dbdcd1f
SHA512: ed2e89cef7ebe324cfbeca02e17f858033e8f4c35f2c878bbc86b7ec860f84d7592f7eb0f2e194239462f557e4451437939a384755d7df2eea331554082287ca

Filesize: 16KB
MD5: 8fe89e9f4e0480618c62df8efe313597
SHA1: 84ae79931fc5811a18bd0056aa011a119a7f8cce
SHA256: aeca91a967af677d31c731c90e7cf005627cdd95a62023ca1c41833c5ad602fa
SHA512: 89445c529877f9efbf58ff698254c49a823b57191ad9b7c84547c6c662a8512a2f4af402fda0f93431788e18d41761b00f9314d8ac1c618385caabee81e5e134

Filesize: 10KB
MD5: 722edf72aac843fd1be0d4ee4b1e3741
SHA1: c5a5590e9cb7df2360ca2785063e8e4fc933726d
SHA256: 45d9d6ebddaa1ebc0f6a0e0a14897198ac2268f20cb5116422d9ce9839dd8dd5
SHA512: 706e49a85da8609acdbafcac16e46e7f184c56067761951d61557716c355d459a7cf005e6cad2862e76589910145305a8d1e3076d69366eaf68f73926bc30807

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.3MB
MD5: 98fc8a13e74923bcf08a33ea109933b7
SHA1: a46116aee992829d53a94d053e9fe40bbe87c6a4
SHA256: aa009f269675531940f66743cde86105fed58247272877f2811864ad79955b90
SHA512: aa1e718dfa9200ad5d9a9cd40e063612cdee59c474a1c59389a1f76eeea460fbfe6e1b9935463e966491cb4b8f862943e87fd729a997458a8e41518ad3160a35

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 2.0MB
MD5: d96002ad2075a08ba2606874494360d8
SHA1: 8b80b8ecde208f5d0a99d1b6e569e8e00f2628b2
SHA256: 7fc892e4090eb3920b7063c0cb9c4b7dd5de4342ef1035d19c2336b594af21dd
SHA512: 4679bb683a86aace0c0de6950ff01e2db13a2e4f9e9828951de0272bc54d035d8cd16348fe0eaf2f6d709a055fdf52c15ce8b160352cd4a0ab0bccefe61efa97