Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 13-08-2024 11:40
Static task: static1
Behavioral task: behavioral1
Sample: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
Resource: win10v2004-20240802-en
General
Target: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
Size: 1.8MB
MD5: 8cfd11d6a5f1ba80b9f0ca53a2f35b64
SHA1: 6eb30457da8fc3b449da94b37620dc8bc8e6d884
SHA256: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b
SHA512: c452673edda6c6b02894bb92121ff230ae0167bfe7b8645145dccd33e0a1a726dbda8e6abf5e7432e75f8d49c3e2be81d454e3e34515acd5659ad64c55408de5
SSDEEP: 49152:4IEH6xME9v+EHHjcNjYsATPAhHufRGW5Phj:4Is6/92EHHjSYsA7lRGW5Phj
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
url_path: /e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copying of, the web browser credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes (description / ioc / process):
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes (description / ioc / process):
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation (122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe)
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation (explorti.exe)
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation (RegAsm.exe)
Executes dropped EXE (6 IoCs)
Processes (pid / process):
4400 explorti.exe
3396 8e93e0185a.exe
1764 17916c21f1.exe
4608 648bc05d34.exe
5272 explorti.exe
1528 explorti.exe
Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description / ioc / process):
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine (122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe)
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine (explorti.exe)
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine (explorti.exe)
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine (explorti.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8e93e0185a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\8e93e0185a.exe" (explorti.exe)
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource / yara_rule):
behavioral1/memory/4744-42-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
behavioral1/memory/4744-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
behavioral1/memory/4744-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes (pid / process):
4736 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe
4400 explorti.exe
5272 explorti.exe
1528 explorti.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes (description / pid / process / target process):
PID 3396 set thread context of 4744: 8e93e0185a.exe -> RegAsm.exe
PID 1764 set thread context of 1996: 17916c21f1.exe -> RegAsm.exe
Drops file in Windows directory (1 IoC)
Processes (description / ioc / process):
File created C:\Windows\Tasks\explorti.job (122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (648bc05d34.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorti.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (8e93e0185a.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegAsm.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (17916c21f1.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegAsm.exe)
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
Modifies registry class (1 IoC)
Processes (description / ioc / process):
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings (firefox.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid / process), identical events grouped with their counts:
4736 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe (2 events)
4400 explorti.exe (2 events)
5272 explorti.exe (2 events)
1528 explorti.exe (2 events)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description / pid / process):
Token: SeDebugPrivilege 1740 firefox.exe (5 events)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid / process), in the order listed, consecutive identical events grouped with their counts:
4736 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe (1 event)
4744 RegAsm.exe (7 events)
1740 firefox.exe (21 events)
4744 RegAsm.exe (35 events)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid / process), in the order listed, consecutive identical events grouped with their counts:
4744 RegAsm.exe (7 events)
1740 firefox.exe (20 events)
4744 RegAsm.exe (37 events)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
1740 firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description / pid / process / target process), identical events grouped with their counts:
PID 4736 wrote to memory of 4400: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe -> explorti.exe (3 events)
PID 4400 wrote to memory of 3396: explorti.exe -> 8e93e0185a.exe (3 events)
PID 3396 wrote to memory of 4240: 8e93e0185a.exe -> RegAsm.exe (3 events)
PID 3396 wrote to memory of 4744: 8e93e0185a.exe -> RegAsm.exe (10 events)
PID 4400 wrote to memory of 1764: explorti.exe -> 17916c21f1.exe (3 events)
PID 1764 wrote to memory of 1996: 17916c21f1.exe -> RegAsm.exe (9 events)
PID 4400 wrote to memory of 4608: explorti.exe -> 648bc05d34.exe (3 events)
PID 4744 wrote to memory of 1496: RegAsm.exe -> firefox.exe (2 events)
PID 1496 wrote to memory of 1740: firefox.exe -> firefox.exe (11 events)
PID 1740 wrote to memory of 1000: firefox.exe -> firefox.exe (17 events)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the bracketed number is the depth in the tree)
[1] "C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe" (PID 4736)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" (PID 4400)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] "C:\Users\Admin\AppData\Local\Temp\1000036001\8e93e0185a.exe" (PID 3396)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 4240)
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 4744)
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
        [5] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (PID 1496)
            - Suspicious use of WriteProcessMemory
          [6] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (PID 1740)
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {679ee0ec-2a80-4e3b-a529-357eaeabf966} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" gpu (PID 1000)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {943d522f-749a-40ca-be1d-8353fd930a86} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" socket (PID 2720)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3012 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41bc57b7-635c-4637-b1b0-06f95355372b} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab (PID 3172)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3844 -childID 2 -isForBrowser -prefsHandle 3832 -prefMapHandle 3824 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f2f73d0-7c9d-496c-9853-bf2c698bd0f7} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab (PID 64)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4796 -prefMapHandle 4772 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e19ed5c2-0849-4ca4-93ad-6ef912d67893} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" utility (PID 2764)
                - Checks processor information in registry
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3804 -childID 3 -isForBrowser -prefsHandle 5160 -prefMapHandle 5140 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f439df39-14de-450c-adee-44a62bd3cea9} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab (PID 5904)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 4 -isForBrowser -prefsHandle 4896 -prefMapHandle 5184 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2436cec-b880-4e46-b2cc-ca4d682f1c43} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab (PID 5916)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 5 -isForBrowser -prefsHandle 5516 -prefMapHandle 5204 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0286d7c5-29a0-4ecf-9843-b452d493e2c4} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab (PID 5928)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6012 -childID 6 -isForBrowser -prefsHandle 5992 -prefMapHandle 6100 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5025546b-eee5-460c-937d-8f574dd03f84} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab (PID 5460)
    [3] "C:\Users\Admin\1000037002\17916c21f1.exe" (PID 1764)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 1996)
          - System Location Discovery: System Language Discovery
    [3] "C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe" (PID 4608)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 5272)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 1528)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 206KB
MD5: 5db5a3f06b620db20b518a768af52ff0
SHA1: 627943735db2423a4e477e51a4f13d285c1c5c5b
SHA256: 5f969cdb5dd215f67b7668507b227129f1a5699bc2999d4ebf049bda5a825f52
SHA512: adda99e0edb76bc3f53b3fd56ef8c1b03fd78d410a856d96d6d673ae22156ccf6e52b4154cbb6d5ec1076b04d030cd841b311c2cdeadca867a054ce22b0e440a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json
Filesize: 41KB
MD5: c5e01178834d398121f49cb7efa1ffb1
SHA1: 22977523093d1230f0958ba418a2ccc7768f804c
SHA256: d3ceea71051972cc2d850528ca3e44f1f9b1e48d920d4276452da219968bc7f2
SHA512: 488dc1be567ba80bcd4248c9a571367ee9cceb41851d6573e9d022b6f795b7531106b181bd7ec1c320442dbcc51f281eb61f43ae13f2b35e7c38b4fbbd6ba803

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: cd56f755f0eb22c5090da70d3900d310
SHA1: cabf393c511c2a627c520ac20bd8207832a1cb8c
SHA256: 633cc8ac27439054819ff276643441c227e4268cfe2ca428ff8db0de5cf7c8cc
SHA512: 61e4fb871db1327efab16401c4c36775daf2be7cf8beefc7ab9e22e049be47f512b9e8066f953f54f4b0ecc9588a5aa3ad5584821da768e3531c4fd9fda47246

Filesize: 1.8MB
MD5: 8cfd11d6a5f1ba80b9f0ca53a2f35b64
SHA1: 6eb30457da8fc3b449da94b37620dc8bc8e6d884
SHA256: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b
SHA512: c452673edda6c6b02894bb92121ff230ae0167bfe7b8645145dccd33e0a1a726dbda8e6abf5e7432e75f8d49c3e2be81d454e3e34515acd5659ad64c55408de5

Filesize: 1.2MB
MD5: b7cb9408ec3a1dc9887d66a2486bba84
SHA1: aeb00177710bf797ced31a0b010a8479e04a1df6
SHA256: 3764af516112d1eca7d13f26f5a62c0539ece509d8ca370085f5ce5522df5975
SHA512: 363ad813ac09ee7a10b6d290e56b4301182ae1db638b5c35d08af3b3ec59deb52d22424bf9b6fe6cf86361ababd7be8a766989aad28305e3f7858b0f3285bb3f

Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin
Filesize: 10KB
MD5: e104c09ca8544556cf2d76aa7bb1574c
SHA1: aa7a48795f25ecebaa26df540da3cf016e60376d
SHA256: 4e2e3571fd68e9e7e1042e3725df913a764bfbf575aa6a4669c355d0b2fec66a
SHA512: b65340d0ad093708f21e5c55c952a3c2d666cd69fd989f7fe2555856c3ef16d2b1ba6d850fb0768d4bfe082c2e62379ab48cf41799cd9de08482aae3dd4be540

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 3KB
MD5: ca2d830c4cd3178f683771e1a2537b32
SHA1: ede41f9391248cfdcee9fe8a7596e53c703ef0d6
SHA256: 5aacc13f396ac42d79caef65fe58ead149249b8457065fb1de95d204911fbf0c
SHA512: bc127ce42a6b5837ca75eca84a2bac50ed29e28d7badf648f1213143cab430df9c5e47f2f06ff19aabe8bcf5f3527a513deab0f6b82f53c5ee2e06c3b117014f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 8e2e55804b1f8d66720f9223ae8f40bf
SHA1: 6430446fe609edf84a2c7fd7b2cdab3e6e3a82c2
SHA256: 7d0e15430ce14dcc2cf1d852f1c4c6c831b070f6604e417c5c71bc48fd48c25f
SHA512: 7a1d4926d486b709d3123e2677795796699796c127acf61e336c88cfa947edfe8be1c53c8f77769cd6648dcfec080ed86d214b45485cd1a6ca4cbbd139f52fd6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 04a13330cd5d66d4776e9db2a925c07f
SHA1: 68813597929bd79406e9fb1baec6b56d72c0dd4d
SHA256: cf8516f60b373c7c1022dd32edd8ddec729509c4d27cb25f3a6775afff90fdf2
SHA512: bbe19ae9800112c23ebc2990abcab1f659eda4087b5df617f196d5c12114fc696be8aa57f94e40774616e8f29e3ad2f2445989d1d19cefd8d609eb27395f6fd5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 32KB
MD5: 18c5504095913a8409fea3148ace184a
SHA1: 650cda1cd07fe0b2cfdfce3310c8cb2169964473
SHA256: ebc2e9b607402881be0c6f72be8ca9d0e8cb495b2a815d2f125290a1f66a11f0
SHA512: 1b7346500fbd963dbfb9ceb3f7d785fa1a568cdf2cad23a851bcff022b99ab104544ed1869766685c28e50763de38dc111df4347c534cf6f3dad5f97ba0b00c2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 32KB
MD5: 4186feba1257cb4c9d0e0b3799de4990
SHA1: 0406c5a8820b7d31237a44ae1af0fe75bba175ab
SHA256: 5479a5723ad3b53425e158411e436d393e51885f9d7d87956804eb776eb1ed5a
SHA512: fb178dfe31988329546fb41835630fcd39d6e4442fd14ff04d80ab4c94c814100aeced481d8b80eece1942db95c394c979bdf45a5a682b313f03a36509742e84

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\0a0eb32b-a3ad-4568-a44b-1d7fd7c3a796
Filesize: 671B
MD5: 58ebcdc327aa05e71a65e796c0e3c885
SHA1: 48365ccf1bbf32650944dbb9ac52b1619cf1341d
SHA256: dcce2662a8a19448272c86f738dd9ddf20fca571e90a16fc8689f330cd38a1df
SHA512: 87ab0bb4ff07810496f1014ca7f361ddca78b8cf6b73a1aef1faaf66d6e3a4f3f238c63b02bdb412fd88e1168320a9a1a2a714037ec9b2928c7e03f9ef018d95

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\2a777787-cc19-4fff-a9c8-11ee0c5eab1c
Filesize: 982B
MD5: 74fe160157b27f77bffa54f3206914f4
SHA1: f79af85d952cf9c7a9a78cb8c4b55ed6215e9825
SHA256: f168e8006f22bb46897a0c895e6dafe93d1425804b31ae2047fe3526d8cd2c91
SHA512: a6b6514c3f2f9842f687ce9db25e6d88ac80daba6ec15ef1ab0a75f481eff667b8b2f1bebdbe1597bfde368ca17ca604da4423ad79296c3f46c34561f0ee9839

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\fd287f41-e7a6-40b6-9dd1-5a5efe514a39
Filesize: 27KB
MD5: 33fda98281be9129f9c230cc2b8d921d
SHA1: ba352cac704f2b35aed8302ae48c222ffdeef07f
SHA256: 217213c3fa02ae320cc345ad50606146ec45102b8fb207d2a4f5a1ac1e1510d0
SHA512: 87ec9777f66e311717c9bf9f79b403df314301a76d282ed12e1a53f50ee3409171fdb809260030154b7e60bde29b72a9f367d0e97a758ce87ebfe22ef4eb2fda

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 11KB
MD5: 744aea72875dd25032f2102720feced4
SHA1: 2a6f5243f6f8245996d13c78cb172b24da673983
SHA256: 309e369c10cc6b73e8b582b6fa1100df45a5f417896b4cf1d4e79db9136aef28
SHA512: 4a1a99dc603a849f189477e4fcba32b31c9dd3464ffb18f743cdfa346ae97459151f940d674112f5d24d7488ab9d331819c1ae6866d15651b695ea7b15518c3e

Filesize: 12KB
MD5: 679fc0ec596765c48e65e980a37e22bf
SHA1: 95f90eab47ac9fe8a6023f12ce511acb81126108
SHA256: 22bbaf3d52eb8e4869a2a010349fb24eb80f470ef27ca2333d0da1ffcb4bea11
SHA512: 42892dc7e201dc102865b921c3f7d0232a161eae47bd41f92be3edc9481d260227da5ed4de261ece79268e99fbd3b0adf439d1c335bbc748b21191c7ec46d455

Filesize: 16KB
MD5: b266c87947683f85424703b5f9305de2
SHA1: 5d38b3cd9c0cba4f612909e04605459cee9721a3
SHA256: 8ad007ee35a0e78031fe8d1e00ddb692e5a1085119694c3d61baa4c266b0304e
SHA512: 5bf63c1f5311f7de9e432c3fcedbda10eab4679b65e4d136c456b6d5a349761343d70d63cae2252e4217e7b7e0d5e7f966e6bf17517374b77b0cf2ded4009750

Filesize: 11KB
MD5: 635c1ddd9c42ee9bdff35d7f130f4476
SHA1: b2eb458487a1c56c925c16e413bb52ad7f4b4eeb
SHA256: ef853b7c34b2df729bfa2b08cd83805ab052d3ae619856427fd3269748ba8d61
SHA512: d2d94b30b4dee5c74a13e01bf5c4928b61ab3b7329f30f23535a7566b2461c17d6e060f726477cd6e6ac118d198b7a4e2baf4510dfa2d7bfcc0e4740c3be1a57

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize: 5KB
MD5: d79d55ee8bb20f323964e6beffb4098d
SHA1: 1a744c4caaf8fdc6b00c2f9bad8522d0c339ebb8
SHA256: 7a12318489f66d7e321b33cfd49840e29e3c42c7041854d039788bbd946e30dd
SHA512: 74842bfee5f4c8abd89e57b14e068225eace2688b4280a01e463ced7bcc41b6723f7d0a0423c45ab9c65e75992bc157c73c7f8ee12b61b3cb784ebd70d2028cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.4MB
MD5: 2927a7d18f4634e823aac8a35195a22f
SHA1: 1669b4fe7702df3cf4ca0e9d6af08959ed289192
SHA256: 6b4e71b8e1f529ff68c400ec47114e0dd8ca56836502d9f2e1dff039cf69e05c
SHA512: c978a0de03389ed3ff5cb416f1bf44eea6b8f8d5dff698699af9ce20accf1a96d7d2ffb8ee608569ed8aabaadf1013b3764657091d23fb267e23710b815febcc