Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
12-08-2024 19:28
Static task
static1
Behavioral task
behavioral1
Sample
f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe
Resource
win11-20240802-en
General
-
Target
f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe
-
Size
1.9MB
-
MD5
2e2977372ee576ba8ebb129e504a0f67
-
SHA1
e3b233216c22918b1726bd6f14036e0ca625ee8b
-
SHA256
f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8
-
SHA512
cf88d2deac28308cd53b2085ef1cf34df1e1b152afcef7ab67fa4c26725262b70a2b9139adfd4b61fcd36470a94638b424a0b0a72ebaa62727566e2c8798e3df
-
SSDEEP
49152:bU/e476MT5bbzWsoZDcIKn/mT+KSds2LxD4xV:bU26l5bbqsoZdK/4+KSds2LxDo
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
explorti.exef498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exeexplorti.exeexplorti.exef498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Executes dropped EXE 7 IoCs
Processes:
explorti.exedfc59f1b1b.exe0e0cad4653.exe99f358204c.exeexplorti.exeexplorti.exeexplorti.exepid process 4052 explorti.exe 1560 dfc59f1b1b.exe 4560 0e0cad4653.exe 4264 99f358204c.exe 4728 explorti.exe 3376 explorti.exe 3932 explorti.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorti.exeexplorti.exef498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfc59f1b1b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\dfc59f1b1b.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/2972-44-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/2972-48-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/2972-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 2224 f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe 4052 explorti.exe 4728 explorti.exe 3376 explorti.exe 3932 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
dfc59f1b1b.exe0e0cad4653.exedescription pid process target process PID 1560 set thread context of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 4560 set thread context of 2040 4560 0e0cad4653.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exedescription ioc process File created C:\Windows\Tasks\explorti.job f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RegAsm.exe0e0cad4653.exeRegAsm.exe99f358204c.exef498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exeexplorti.exedfc59f1b1b.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0e0cad4653.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 99f358204c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfc59f1b1b.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 2224 f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe 2224 f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe 4052 explorti.exe 4052 explorti.exe 4728 explorti.exe 4728 explorti.exe 3376 explorti.exe 3376 explorti.exe 3932 explorti.exe 3932 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 4016 firefox.exe Token: SeDebugPrivilege 4016 firefox.exe Token: SeDebugPrivilege 4016 firefox.exe Token: SeDebugPrivilege 4016 firefox.exe Token: SeDebugPrivilege 4016 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exeRegAsm.exefirefox.exepid process 2224 f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 4016 firefox.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exepid process 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe 2972 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 4016 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exeexplorti.exedfc59f1b1b.exe0e0cad4653.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 2224 wrote to memory of 4052 2224 f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe explorti.exe PID 2224 wrote to memory of 4052 2224 f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe explorti.exe PID 2224 wrote to memory of 4052 2224 f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe explorti.exe PID 4052 wrote to memory of 1560 4052 explorti.exe dfc59f1b1b.exe PID 4052 wrote to memory of 1560 4052 explorti.exe dfc59f1b1b.exe PID 4052 wrote to memory of 1560 4052 explorti.exe dfc59f1b1b.exe PID 1560 wrote to memory of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 1560 wrote to memory of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 1560 wrote to memory of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 1560 wrote to memory of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 1560 wrote to memory of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 1560 wrote to memory of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 1560 wrote to memory of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 1560 wrote to memory of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 1560 wrote to memory of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 1560 wrote to memory of 2972 1560 dfc59f1b1b.exe RegAsm.exe PID 4052 wrote to memory of 4560 4052 explorti.exe 0e0cad4653.exe PID 4052 wrote to memory of 4560 4052 explorti.exe 0e0cad4653.exe PID 4052 wrote to memory of 4560 4052 explorti.exe 0e0cad4653.exe PID 4560 wrote to memory of 2040 4560 0e0cad4653.exe RegAsm.exe PID 4560 wrote to memory of 2040 4560 0e0cad4653.exe RegAsm.exe PID 4560 wrote to memory of 2040 4560 0e0cad4653.exe RegAsm.exe PID 4560 wrote to memory of 2040 4560 0e0cad4653.exe RegAsm.exe PID 4560 wrote to memory of 2040 4560 0e0cad4653.exe RegAsm.exe PID 4560 wrote to memory of 2040 4560 0e0cad4653.exe RegAsm.exe PID 4560 wrote to memory of 2040 4560 0e0cad4653.exe RegAsm.exe PID 4560 wrote to memory of 2040 4560 0e0cad4653.exe RegAsm.exe PID 4560 wrote to memory of 2040 4560 0e0cad4653.exe RegAsm.exe PID 4052 wrote to memory of 4264 4052 explorti.exe 99f358204c.exe PID 4052 wrote to memory of 4264 4052 explorti.exe 99f358204c.exe PID 4052 wrote to memory of 4264 4052 explorti.exe 99f358204c.exe PID 2972 wrote to memory of 3308 2972 RegAsm.exe firefox.exe PID 2972 wrote to memory of 3308 2972 RegAsm.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 3308 wrote to memory of 4016 3308 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe PID 4016 wrote to memory of 1016 4016 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe"C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b5ee4ea-8e07-4bac-8662-dfb88c42100b} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" gpu7⤵PID:1016
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2332 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83ffd137-0704-4b46-9e77-0eea5303c03c} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" socket7⤵PID:2816
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3272 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3260 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d921ccf1-b0f9-4334-bae6-11361b9aeed3} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab7⤵PID:3284
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 3984 -prefMapHandle 3980 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b0cbf31-5e12-4441-aba0-9ff45e747656} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab7⤵PID:3400
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4736 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4728 -prefMapHandle 4724 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {191a680a-3435-45e8-9532-2e8e1ac9111c} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" utility7⤵
- Checks processor information in registry
PID:3768 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 3 -isForBrowser -prefsHandle 5504 -prefMapHandle 4472 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5012300-47bc-41b0-a3b9-ce724c5d4c97} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab7⤵PID:1532
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 4 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb610763-9042-4325-acdf-29995afe06f9} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab7⤵PID:1620
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 5 -isForBrowser -prefsHandle 5948 -prefMapHandle 5944 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b712c615-cc48-43d6-b928-e653e3fa14f3} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab7⤵PID:2884
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6292 -childID 6 -isForBrowser -prefsHandle 6280 -prefMapHandle 6284 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2850160d-2333-4cb3-9a08-87cd5d824eed} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab7⤵PID:3568
-
C:\Users\Admin\1000037002\0e0cad4653.exe"C:\Users\Admin\1000037002\0e0cad4653.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\1000038001\99f358204c.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\99f358204c.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4264
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4728
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3376
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3932
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD50062f8023ae661666d3878556e8dd739
SHA193874148f18869b9c2bc0bfadae20b7a7c4dbfa3
SHA25683890cbc687e678653b1a67c6affb59a37dca660ad16c6d4f39dff8669aa6b3f
SHA5127e4e9e7c83c28d4d0c7081f21105c3dc6a13d5fd5dfe6fe9256d12a56a63c63491738ad592527b07c35fbb00f86def4d875c753389c50966474b9798bf3af6e3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json
Filesize35KB
MD54c81b2385741815d4bda8701c8a08c93
SHA18e09c8267f9b678e4175191b6222a8a9f604ef28
SHA256409b740b8cffb48693442c3c6e381bb4cd1bb987f350ffe7581e7d7ef5052273
SHA51277ac985ec8b1871e06a449dead6b421034b0205c8a66045c9609ef3b88e2ee7f00acf71181d33621ad2087fa530bcb34ad81d0f562d5f7b81c85982b146a3b6b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD529cfef1b52704542a9d2d673dbe9a1ff
SHA15a131bc782b140df735b6cefd871aee834553b38
SHA2564cc59c6c223401b2238f5d53dc29ad5bdf629af84d1a2e9f8c0ad210a9de8dcb
SHA512340a7bc09536e20610d9e61e633779a442b5afe47a652d6479b1b18dcf477c0d34710f2e8256ddc22e1e88f74a2c30de6be70bc7bd0a9d4122923587ae2f6212
-
Filesize
1.9MB
MD52e2977372ee576ba8ebb129e504a0f67
SHA1e3b233216c22918b1726bd6f14036e0ca625ee8b
SHA256f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8
SHA512cf88d2deac28308cd53b2085ef1cf34df1e1b152afcef7ab67fa4c26725262b70a2b9139adfd4b61fcd36470a94638b424a0b0a72ebaa62727566e2c8798e3df
-
Filesize
1.2MB
MD5287552245031dbfba5adc56e5595f06b
SHA1bc243787cfd42946785ef87f47066d9d26d8693d
SHA256c48ecabd6f927fb1c758a5cbdd416e6f64f49ae2734b39a028bff15e55fed27f
SHA512631a29d55b04f807e989a4021b934557b3a7bef7329d5cf9dc8caaafac1b408b227ffe9b9c19eea55d4a412ae19958413500d078dfe4f87cc0fd8794ff797d66
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin
Filesize7KB
MD51c4b698e012b5030ca005710092563fd
SHA1525d82148feb731ff47c5b1bf449725b06d34456
SHA2569814b09e11ab37e137f8ce35489e3a92414264a1f39673c543676c668600cc87
SHA512ad280be88b7b8bf127408772ad0c621bf308e96c2bb9ec22f40de437a77e1a7abf584ca659ec121f6d8c778b28df6a56385b9a49daf37194715bca85c61283be
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin
Filesize10KB
MD5bad269d8367c1b2902c7b4b4a14f5270
SHA1ea8a570949893a81d8f67e3016d49a4c1dd5bb6f
SHA25611767c43ac38d84ca8c87e0d2ec6da794673d6c4bfface880ab36fd1ea7126d2
SHA5126c6d44791bbbda688e76df72f0429be807a844944da82a01a9f1e2b531f101efb8c06c70f480928e63713919ca4bbe1d7716ca11e1747d371c48de0c6f0d3c87
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5c1922c66d9ae0a236357682a616b2298
SHA1e8fbbf69afe2c084c2296381085f4aceecbc48fb
SHA256cfbe5e8e89e4ae342d9af376803c11e66103a43975e907419f9b9fb0f53891f9
SHA512a02fa0d10406e54597fcbaa6f71cfc80e9fd0859ddbb51257b8383f375743adfa22e51da66c969ea947c7410cec741ccba302183dc6ee71e03cb64870c6b13ba
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD534eb86ddc42b1c2fecc1cb4ce05e92db
SHA16a7266329a2bea21d7147c8a18cc13882e06af30
SHA256f68cdb275885909b7f38dc96da5d3b86ba591185d65a4350577d86a720d6864a
SHA5125b14e215915af41b227738a39d37fb4ef9575eb52f84969d5b97d7e866ae4bdae20d393507065043d51043ccd67059917b52d059d772c93b55b0ad6735082e3d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD586ced1a9b6db269bf94cf75c35d7d526
SHA1c7185157b8affe62250f37647fc1745671a328fe
SHA256d66100e579b65305896a43ff4b1765d3029b6125b6442c00238043ab6c5af588
SHA512f8bb3f90fe96d694a23981f340be556960fad6a419a5479442788e72b69ff6f918b5154cb0adaab2311fddcd4ff5164d06d47538883b11ea4e4fc50cecadebb1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\32e38795-73ba-42f3-9900-68115b98fc87
Filesize982B
MD5d9b45a08f704b696112abdb3883ff3d8
SHA1520b2bc49eb59fad504bfd726668c5eb4064cab7
SHA2562cb8451295abab9edebdbdb7d1eae5bfb9cdd3b30284e6c3f9ee166f234c089b
SHA5127930b29911279b4b4e460412923a70cf169056f8d5881605e2c4c3f483ceca50c8211e5dfce3c1a23f081a6b19783eeecaf212b819c1aabb2553ca7b1d40501d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\66a85559-8f66-407c-ac9c-1cdbc6576a98
Filesize25KB
MD5a962e8bfb147cac717e790858a216d82
SHA1104741f7044b58477c8818cc426507f8ef0f696d
SHA25621713c951307d3f6f04caee4debdbddc8180256661edcdb0350a20add3e675d5
SHA51267fe8cbf82619dccde1d2fe5607a271e778360a897f939a30d454bcfebd26fa5b0f9e5e8806d51f60fc3312fef5520c77bf682f240e642167f447047b8c3034d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\6b7a6aee-a19a-409a-a414-ca81535390bd
Filesize671B
MD52a2a1f3bb6de118b0f63a6050ac45bd5
SHA1bd1deb1732237e197505daffac872b4c06087166
SHA256f0132b69e92a2ec48be69b00a81436f5e1cb6f46263601053424356ffc6915d4
SHA512ef5f74bb1e28acdac43800ce9e69a134ab27c42c735a337bb26475468f62f59e6d9b81272cc0036b687e5e13455d7644339295909e8d7c2b31741d251336948a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5ff1b06a0ae7c93aa4d72f804fc06c758
SHA173a164f9e92583bade67ebf27c9dae8a1c9490c4
SHA25657be2b27b8528c5805074729b8b18e920f7abed69920b38a4dca2d49466bc786
SHA512a65824543389418d27c2e8d94f0c58143e11d3148e1ef51d3044f79b6ccef3c42cafe947f2859e4fcf2dd3926ba93b58e06af55a65440395da2ddbc65cbc8e40
-
Filesize
16KB
MD5cf229914a6614806a9d5465f0528d636
SHA1dd51c6c9079ae501463772c13f4f89b19cabfb0f
SHA2569b2b6d0dc63cc7432141a77b59c7563c8a70b933cd8d26c8eab9bca19ef661fa
SHA512ace41f81c60ce2cb6ddc6055e9db0b98649aba8279a5323a4de5f7b3b881965719ef3dd1f61cae1918ae45d1740f9489460ae68d2bfd64a9d0c3b78354f21427
-
Filesize
11KB
MD52e3edea57adec6d658f57ac7ab606cfd
SHA13de8830086457178c167f3a3731d04bb9363638b
SHA256458be141f13be29033e1072bf7fe955fe0d8f4da0cbbcae5796c1d38577410d2
SHA5129c93b8565413b53cecfb3ece602f6e5f837128c804aee15373216b373567b53d2c3b1cd3406bbbcb6f1f4f043d559bacd82f5da67e16a1ef5b371bb183def6e9
-
Filesize
11KB
MD5a0804141231899b1f08b0cc4063c0ad6
SHA19eb0998d2708ee82e0c3504cb07fd3098a52b245
SHA256c4f460fb28babdd8161c091cc6b9c83a67e39ac8fe20fdb639abe95b4804a026
SHA51250246b6fce94155b04f80e5019e43e88508d409cb3cd7629477fc7f3d1e4a7aa336559b78f0c2bc4a411cc0ad8b147d1475ea0f05f5f7fb1d227e84a72966b9d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.3MB
MD53ca1c21e18352f63afef9e188a813ae6
SHA1387d02132e4eef29f14e7af434245533c326caa2
SHA256a01682945f4d21e76d399c05327c0eb12f8428019df891bf6896b1f404f4f35c
SHA51247c3c944fb8da2c1e80e2cb809b2d06fac9237ffcaa285106176ba5c829ee862c43af44122dfba0196c9df82da6bec7869fe851dacd08edd63252a3552e9e43b