Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-08-2024 17:22

Static task: static1

Behavioral task: behavioral1
- Sample: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Resource: win10v2004-20240802-en
General
- Target: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Size: 1.9MB
- MD5: a8963ee5ca072f13559f19a434575162
- SHA1: 5cf8ff672194be0b1cc4de3d199bb42f0fbcc944
- SHA256: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6
- SHA512: 9476a7ba19be415888a513970eb55e86e1455246d614e5523972526721a6599a64eb68597a1ff699a939c20f1936157b38b7a12311e8b5cbdea450a71854f877
- SSDEEP: 49152:Gqufc9qFxZWNLfTOUiVOi8coqOLhzWRGn:GqufcwDZWJQEqO96U
Malware Config

Extracted
- Family: amadey
- Version: 4.41
- Botnet: 0657d1
- C2: http://185.215.113.19
- install_dir: 0d8f5eb8a7
- install_file: explorti.exe
- strings_key: 6c55a5f34bb433fbd933a168577b1838
- url_paths: /Vi9leo/index.php

Extracted
- Family: stealc
- Botnet: kora
- C2: http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes (description / ioc / process):
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes (description / ioc / process):
- Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation explorti.exe
- Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation RegAsm.exe

Executes dropped EXE (6 IoCs)
Processes (pid / process):
- 2764 explorti.exe
- 4856 f25a552626.exe
- 4024 8a527b58d9.exe
- 4332 c5203a22e9.exe
- 3976 explorti.exe
- 5796 explorti.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description / ioc / process):
- Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine explorti.exe
- Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine explorti.exe
- Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine explorti.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f25a552626.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\f25a552626.exe" explorti.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource / yara_rule):
- behavioral2/memory/4124-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
- behavioral2/memory/4124-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
- behavioral2/memory/4124-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes (pid / process):
- 3404 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- 2764 explorti.exe
- 3976 explorti.exe
- 5796 explorti.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes (description / pid / process / target process):
- PID 4856 set thread context of 4124: 4856 f25a552626.exe -> RegAsm.exe
- PID 4024 set thread context of 1000: 4024 8a527b58d9.exe -> RegAsm.exe

Drops file in Windows directory (1 IoC)
Processes (description / ioc / process):
- File created C:\Windows\Tasks\explorti.job 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f25a552626.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a527b58d9.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c5203a22e9.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe

Modifies registry class (1 IoC)
Processes (description / ioc / process):
- Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings firefox.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid / process; each entry is listed twice in the report):
- 3404 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- 2764 explorti.exe
- 3976 explorti.exe
- 5796 explorti.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege 1300 firefox.exe (listed five times)

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid / process; the 64 entries repeat the same two processes):
- 4124 RegAsm.exe
- 1300 firefox.exe

Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid / process; the 64 entries repeat the same two processes):
- 4124 RegAsm.exe
- 1300 firefox.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
- 1300 firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (pid / process -> target process; the 64 entries are repeats of the following distinct writes):
- PID 3404 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe wrote to memory of 2764 explorti.exe
- PID 2764 explorti.exe wrote to memory of 4856 f25a552626.exe
- PID 4856 f25a552626.exe wrote to memory of 4124 RegAsm.exe
- PID 2764 explorti.exe wrote to memory of 4024 8a527b58d9.exe
- PID 4024 8a527b58d9.exe wrote to memory of 1000 RegAsm.exe
- PID 2764 explorti.exe wrote to memory of 4332 c5203a22e9.exe
- PID 4124 RegAsm.exe wrote to memory of 2036 firefox.exe
- PID 2036 firefox.exe wrote to memory of 1300 firefox.exe
- PID 1300 firefox.exe wrote to memory of 1836 firefox.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; the bracketed number is the depth in the process tree)

[1] "C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe" (PID 3404)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" (PID 2764)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] "C:\Users\Admin\AppData\Local\Temp\1000036001\f25a552626.exe" (PID 4856)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 4124)
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

        [5] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (PID 2036)
            - Suspicious use of WriteProcessMemory

          [6] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (PID 1300)
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1a504ed-4322-47c5-a4b9-32d51c48d135} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" gpu (PID 1836)

            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5117ec61-1983-4ebc-adfd-dbbbf47bfb0f} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" socket (PID 368)

            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 2652 -prefMapHandle 3220 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94b44a48-42ee-48ed-9687-4ccfd1a728de} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab (PID 4016)

            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -childID 2 -isForBrowser -prefsHandle 2664 -prefMapHandle 3048 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05d7761c-90a9-4b12-ac29-fe4e453d6a9e} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab (PID 2596)

            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4528 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4440 -prefMapHandle 4508 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd06b048-fa90-4f04-af77-bb7c1cde6ab2} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" utility (PID 5392)
                - Checks processor information in registry

            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 3 -isForBrowser -prefsHandle 5624 -prefMapHandle 5600 -prefsLen 27101 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ab52035-828c-46ad-9251-04cb305b7103} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab (PID 408)

            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 4 -isForBrowser -prefsHandle 5824 -prefMapHandle 5828 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81c8b9db-5dbd-4934-a345-2794ba14da27} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab (PID 2924)

            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 5 -isForBrowser -prefsHandle 5572 -prefMapHandle 5664 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fd51052-ee43-454b-8b79-78dd67b2ef24} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab (PID 2896)

            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5964 -childID 6 -isForBrowser -prefsHandle 6116 -prefMapHandle 6148 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96755ee1-41bc-4739-ab06-bbc2b0729b7c} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab (PID 2516)

    [3] "C:\Users\Admin\1000037002\8a527b58d9.exe" (PID 4024)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 1000)
          - System Location Discovery: System Language Discovery

    [3] "C:\Users\Admin\AppData\Local\Temp\1000038001\c5203a22e9.exe" (PID 4332)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 3976)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 5796)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads