Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2024 00:41
Static task
static1
Behavioral task
behavioral1
Sample
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
Resource
win10v2004-20240802-en
General
-
Target
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe
-
Size
1.8MB
-
MD5
d27e91c1a583fbb0ad75d1ed0e071c36
-
SHA1
5d0490f1a41e7db58173b22e0987a580ef4948b7
-
SHA256
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634
-
SHA512
55b2ba4d4acbd72e1dbcd8787d84428bf45c6907eedcc2ecf6592faec0227c760f599cffadbcdd81214037ad46d2c7668716a6b137814703c83e76b67981652d
-
SSDEEP
49152:AjivmJs0NfMNRrk5FUa2bTPv03Ntfp1kC+:AjdhMNmFUa2Md5p1k
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
explorti.exeexplorti.exef0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exeexplorti.exeexplorti.exef0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exeexplorti.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Executes dropped EXE 7 IoCs
Processes:
explorti.exe5ceef40c6c.exed6212392b6.exef6119aec5c.exeexplorti.exeexplorti.exeexplorti.exepid process 4116 explorti.exe 3016 5ceef40c6c.exe 5048 d6212392b6.exe 5016 f6119aec5c.exe 5812 explorti.exe 676 explorti.exe 1176 explorti.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ceef40c6c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\5ceef40c6c.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/1448-42-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1448-44-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1448-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 720 f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe 4116 explorti.exe 5812 explorti.exe 676 explorti.exe 1176 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
5ceef40c6c.exed6212392b6.exedescription pid process target process PID 3016 set thread context of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 5048 set thread context of 3184 5048 d6212392b6.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exedescription ioc process File created C:\Windows\Tasks\explorti.job f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exeexplorti.exe5ceef40c6c.exeRegAsm.exed6212392b6.exeRegAsm.exef6119aec5c.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ceef40c6c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d6212392b6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f6119aec5c.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 720 f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe 720 f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe 4116 explorti.exe 4116 explorti.exe 5812 explorti.exe 5812 explorti.exe 676 explorti.exe 676 explorti.exe 1176 explorti.exe 1176 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2004 firefox.exe Token: SeDebugPrivilege 2004 firefox.exe Token: SeDebugPrivilege 2004 firefox.exe Token: SeDebugPrivilege 2004 firefox.exe Token: SeDebugPrivilege 2004 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exeRegAsm.exefirefox.exepid process 720 f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 2004 firefox.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe 1448 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 2004 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exeexplorti.exe5ceef40c6c.exed6212392b6.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 720 wrote to memory of 4116 720 f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe explorti.exe PID 720 wrote to memory of 4116 720 f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe explorti.exe PID 720 wrote to memory of 4116 720 f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe explorti.exe PID 4116 wrote to memory of 3016 4116 explorti.exe 5ceef40c6c.exe PID 4116 wrote to memory of 3016 4116 explorti.exe 5ceef40c6c.exe PID 4116 wrote to memory of 3016 4116 explorti.exe 5ceef40c6c.exe PID 3016 wrote to memory of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 3016 wrote to memory of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 3016 wrote to memory of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 3016 wrote to memory of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 3016 wrote to memory of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 3016 wrote to memory of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 3016 wrote to memory of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 3016 wrote to memory of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 3016 wrote to memory of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 3016 wrote to memory of 1448 3016 5ceef40c6c.exe RegAsm.exe PID 4116 wrote to memory of 5048 4116 explorti.exe d6212392b6.exe PID 4116 wrote to memory of 5048 4116 explorti.exe d6212392b6.exe PID 4116 wrote to memory of 5048 4116 explorti.exe d6212392b6.exe PID 5048 wrote to memory of 3184 5048 d6212392b6.exe RegAsm.exe PID 5048 wrote to memory of 3184 5048 d6212392b6.exe RegAsm.exe PID 5048 wrote to memory of 3184 5048 d6212392b6.exe RegAsm.exe PID 5048 wrote to memory of 3184 5048 d6212392b6.exe RegAsm.exe PID 5048 wrote to memory of 3184 5048 d6212392b6.exe RegAsm.exe PID 5048 wrote to memory of 3184 5048 d6212392b6.exe RegAsm.exe PID 5048 wrote to memory of 3184 5048 d6212392b6.exe RegAsm.exe PID 5048 wrote to memory of 3184 5048 d6212392b6.exe RegAsm.exe PID 5048 wrote to memory of 3184 5048 d6212392b6.exe RegAsm.exe PID 4116 wrote to memory of 5016 4116 explorti.exe f6119aec5c.exe PID 4116 wrote to memory of 5016 4116 explorti.exe f6119aec5c.exe PID 4116 wrote to memory of 5016 4116 explorti.exe f6119aec5c.exe PID 1448 wrote to memory of 2176 1448 RegAsm.exe firefox.exe PID 1448 wrote to memory of 2176 1448 RegAsm.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2176 wrote to memory of 2004 2176 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe PID 2004 wrote to memory of 1720 2004 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe"C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcb52d5f-380d-447e-b331-9169b8551ee3} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" gpu7⤵PID:1720
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2336 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b2e420f-9d16-496f-bd57-847f05481e2b} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" socket7⤵PID:3980
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1853433f-9fc9-43eb-be07-f5ec67431c2c} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab7⤵PID:2664
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3876 -childID 2 -isForBrowser -prefsHandle 3868 -prefMapHandle 3016 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de5bdea-795f-46a8-af25-9a3b29f1b732} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab7⤵PID:5020
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4740 -prefMapHandle 4736 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5a17bbe-7cec-43bd-9b60-31595eb287d0} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" utility7⤵
- Checks processor information in registry
PID:5276 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 3 -isForBrowser -prefsHandle 5712 -prefMapHandle 5708 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {345bd2cd-3b30-440c-8243-b88a9a80e16f} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab7⤵PID:3016
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5980 -childID 4 -isForBrowser -prefsHandle 5972 -prefMapHandle 5952 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e213a43-a769-43e7-a03c-927fb6069534} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab7⤵PID:4416
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6120 -childID 5 -isForBrowser -prefsHandle 6112 -prefMapHandle 6108 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1a717fa-e71b-4e3b-bba1-9d000c05ac18} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab7⤵PID:4348
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6096 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 6200 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a11de0a-936e-4212-83a1-fdbc7885e539} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab7⤵PID:4988
-
C:\Users\Admin\1000037002\d6212392b6.exe"C:\Users\Admin\1000037002\d6212392b6.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5016
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5812
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:676
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1176
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD53ee6242a7467b2c61eb54c046cbe3f22
SHA12665e1c82be292d67de5f5b3b740c709d8515cab
SHA256fd49efadc4c19544493788e57a9433cbb89b740ed4a20e5c7b969dcbcbb853c6
SHA512c67cc3ee3203356906474eea9a265003678975af540da638ccbe788a47031d8aab35242c88d13792dcbdc4f4f02efacebd35b205f83d341e68584cef7aa3f458
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json
Filesize41KB
MD5e507bc05c1b7649bdd3611982537d467
SHA1ebeeb431bfc5bf22377cced9315ca69762b38cf9
SHA256d30070f61f20ad6bdad0860fef8edab015d74da6a304023e5f4f834f3fc51199
SHA5123322c1364989035683965e9284ba07252531adb4db4107841165d788f7036a38fe76a078ae95522dbf6138342b56801e579afe1a0ec2da73308dee719670946b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD5e06891169a49007d2d2f945f6c147821
SHA1a714bb221247428270b58cebab0ee1449b4dc2c1
SHA2567e3a6d6b9ee2151e485f398b914c10e39843de1c09cc3fef1a9a9619273e83af
SHA51291ba2510e67d07d395417fa0fed8e706ab2d98f882228277438e6389837c95b00935e0fcffdcceb84503546a80026ba95195ae6c57c2dd92e56e36d069666859
-
Filesize
1.8MB
MD5d27e91c1a583fbb0ad75d1ed0e071c36
SHA15d0490f1a41e7db58173b22e0987a580ef4948b7
SHA256f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634
SHA51255b2ba4d4acbd72e1dbcd8787d84428bf45c6907eedcc2ecf6592faec0227c760f599cffadbcdd81214037ad46d2c7668716a6b137814703c83e76b67981652d
-
Filesize
1.2MB
MD5e9f451fbd9478da22063ad6442b7645b
SHA1dd8e4124804fb5f064fc990a25ac3c61e21cf58b
SHA25664a837de134c3db432c0b4a3b02dbd67d72fb85a93fa709536af8660582ec030
SHA51231a019ca16404674bf92a8a716d85cb25aae5e6257d1146c7dd08c08c468c784a35a3f798867d29c349ce61fc536f9357dfa5ec743e2de7e6620a5f4c0d00bdf
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin
Filesize10KB
MD5e41013ad8c05f6f440c96ccd2d809fed
SHA12792b4c39af48897803cc7a126877afb734a6176
SHA25611c348531457ada49fb3f29fcac9babedc773c56499ec58b0d76c2bed0481f1c
SHA51246e35e396e10055de2792a288e659ee5f21afd91a17fe072b9f9bfc6c0c0eff06b280751dd4ea7d458c225e474aaa602de81b2844f270e9e30e398da2eb5c648
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD506cd327f2abb88af2cb3cb5c4aa0ade9
SHA181439e26da78d6aa729ecdb99ab2b5e4110fa163
SHA2567e129baf641732321f69ee2890e565b7c5da2a47314e4bdf01c76838924015ce
SHA51217e6f95e8cf9f6e0d38a000fd5d8ac07ae6d049a41e6efd1e7e35bbf52eb07c85091944a37397cd301be731fe0be644528b75f1124ebe48d4bdf64ae7596e589
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5ef9183b88796b03113a26ee12103079d
SHA13a3a6e91238465ea9769141b399663c96a6ecaeb
SHA256ef70e7c8ce71c77c618215430e469a40edb1646346905ea009d794513fb7aa6b
SHA5123c49524ba2c438910428a4b9c777290555d015ffd1b45d9695e9ee236ec8ff467ccbd603c6c9e9cd5b0bf733a4d8720047cced99574b11d2c5d711bfe7a589d1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD5d37db0ac5a4c632ca3b52cbf97bb0115
SHA16abff479e2b9dd7fc9343c9dccdefdd34edbe4f7
SHA25699095313bc22be50bf40c5440b3c2e7880910893968a47272c5154c103aa255c
SHA512baae7be0ea218aec7d93785bf9b63946fc72b3596331e19722fec87c65d094983a4815c829bd96a7a82e6062292dcd5989c03b0fdb7fbc65c29483102390357a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\b3a138df-433b-4c25-8c58-afa88dab2b8a
Filesize659B
MD5fb60ac4072ade9b1fcfb1c1af8a4aeb9
SHA1c6cb7ef3bad941b7e078a2c5a0b2590c0e8c9711
SHA2562563060d83a1c09cf05ceae4aec862cc33bf6c674fa9b8baeef53567d90dfb3f
SHA512d6c898743a01e6b35db7791511be620e4a5c10d59d9dc20089085c3e9c7735b0221b38492147c7daab72bf5142cca57dd6373e47905dfc007401138f111c03d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\cbd0e411-82b3-45c7-aabb-4c9c6b795f10
Filesize982B
MD5f83fb5ac3a0b16be70b42a5da913ba1c
SHA16d6ffed374aa4839ad6be9ed299cf5613f3380db
SHA256435ee58acf1fc695b32c2ad8d3261fc906e6ed0c5a5190712fe8612c1278e512
SHA512a9ed597de2c73c7b70501f73906a4575c5fd7ac4fecba5eb954e5f0e66a243ed60612c8e909e1cbd891ba913e41d4638b401e169a4e88f947fb0ec9d7a6d8ba1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD526cec352918e4215d4cf2c96baf5bae8
SHA1657c8df9a3fdb2fe40f5e0e1155a175ff6f60fa7
SHA25689d5b8c148b8e911e40df3f88a3a5919383a12194f92224a52f3ca9bc06297a0
SHA51204920b61526dbd33b58b1e724f208222e8e6ab3df3c2216018ab8897ca01a2889726e867ead056c531ce78888e10a92b98a726ea2a89c02ec3d42313a63026fd
-
Filesize
16KB
MD59ef173ac49f2662fc63f8d59bdc2f258
SHA1effae060c17b90aa5a14962d59fa7507403673d0
SHA256262517b4803bf2e1c82404832c3f811abdbddb0b16b4773c29d954e493ad818b
SHA512f6e4f34e2134e562f3abc51e2690628bc25ddd810efbf089eac391b50cb7d57878922489fb944b7ce2d56ee92725d3bb8c99ac34720c4c7bd40cf99fbd3811d6
-
Filesize
11KB
MD5bba418fa52527d5a9ebb716ef0c4c0b7
SHA1319bc71df67f427b5721c423a45942c2b61d03e5
SHA256fda11fb7f7ed812da3ed1bb1f3769819ac715f25104c41c127c2cd47f31399ce
SHA51264e25f7b60111d4a65264096e720e19a61af1599b7ab6aad01fa98582b44cd38bb37fa687c62d98be31bff346afa83ef192a5b11c6513bdb8cf8afaeba632aad
-
Filesize
11KB
MD5de382925ab34f2dc7bf1e36db5abca03
SHA122987b4a4f36431aac0bdd881a8169603a712a56
SHA25603f38d9aeab9c3a3c3a2f95bad750d358b1f5cebde724096250ab3dd74f68843
SHA51239234357a061de3e349607d2257e2ab4d568c9f64609dfe51b24cde650d6bea33c85b55ec6e58c5588d2e4744b29b3eac3f852d97f79920d7777c30c0b5e1d1d
-
Filesize
16KB
MD53dad41de4dd52842c5978f583084df36
SHA1f1d50603493ae3b2eec4efcd7d483cbed0687b84
SHA2564d20976e397557d5813c1c370963056c71ec6dc6c761d9c8460108cc55fdc8be
SHA512e455ade277e28f9920815dd969cc0f6a4a14231a5ae1175c478885c0fda4713ab3b2adf8458254be947d4fc72677629898b6864ade057886569d03d448f4a7bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.1MB
MD5ac4362369ad1a50d957e1e4e676fc797
SHA13da71c0eeea6fd549f13a31affcd1030a637ba3a
SHA256fe6d93ef5aee464adab5ff43e352a24b98c90544061ce410cffa2476b7286247
SHA512d74209f5668ce1e56e7121a97e75cbc5c685247e08f16e6a3f347654d3f96ede947647015f85ec8d2f3895978866b0abd6c0b5e227d4ace25ca0c80816a165f3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.3MB
MD5f16af117bee2094478561dff033c9129
SHA1f03cd847c5c8d96d791e6db123f43f137482a5fc
SHA256ae7c57417bef45106a2cd08acc2048411accab65cf12abe171b24fdbb9325754
SHA5129a1cbb0f0b24620263ea571c8c53549365f5993bcbdc6c2b9b994089baa9001682f760576049e02957aaa905d9a71594253bfbc16df167728e12830e05e0dc73