Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2024 21:07
Static task
static1
Behavioral task
behavioral1
Sample
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe
Resource
win10v2004-20240802-en
General
-
Target
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe
-
Size
1.8MB
-
MD5
e4b66dca73b9df6e615b29127344497f
-
SHA1
af8dea556b8bea1fa0abdbca3c743ebc20744288
-
SHA256
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863
-
SHA512
77b3edf2bc70da1ccb11a9b8a68c132ca2b42b1bc8a524a7ab1d883c95686adca0afa528610dda1ddce3db4c42920753fe05302b858a6d2851256069e341d83e
-
SSDEEP
49152:07TRmgI3cpdo2sjC/njuUXzHFe2T54MCidlzZs0xhNfNhthg:mTRSki2sjC/iUjHFDT54M91ZsQFhg
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
explorti.exe5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exeb892d81e5b.exed88b586c75.exeb0cf8055f1.exeexplorti.exeexplorti.exepid process 3172 explorti.exe 3116 b892d81e5b.exe 4060 d88b586c75.exe 760 b0cf8055f1.exe 3164 explorti.exe 5528 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b892d81e5b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\b892d81e5b.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/4612-44-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/4612-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/4612-48-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeexplorti.exeexplorti.exepid process 1020 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe 3172 explorti.exe 3164 explorti.exe 5528 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
b892d81e5b.exed88b586c75.exedescription pid process target process PID 3116 set thread context of 4612 3116 b892d81e5b.exe RegAsm.exe PID 4060 set thread context of 2164 4060 d88b586c75.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exedescription ioc process File created C:\Windows\Tasks\explorti.job 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RegAsm.exeb0cf8055f1.exe5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeb892d81e5b.exeRegAsm.exed88b586c75.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b0cf8055f1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b892d81e5b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d88b586c75.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeexplorti.exeexplorti.exepid process 1020 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe 1020 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe 3172 explorti.exe 3172 explorti.exe 3164 explorti.exe 3164 explorti.exe 5528 explorti.exe 5528 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 4412 firefox.exe Token: SeDebugPrivilege 4412 firefox.exe Token: SeDebugPrivilege 4412 firefox.exe Token: SeDebugPrivilege 4412 firefox.exe Token: SeDebugPrivilege 4412 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe 4612 RegAsm.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
firefox.exepid process 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe 4412 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exeexplorti.exeb892d81e5b.exed88b586c75.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 1020 wrote to memory of 3172 1020 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe explorti.exe PID 1020 wrote to memory of 3172 1020 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe explorti.exe PID 1020 wrote to memory of 3172 1020 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe explorti.exe PID 3172 wrote to memory of 3116 3172 explorti.exe b892d81e5b.exe PID 3172 wrote to memory of 3116 3172 explorti.exe b892d81e5b.exe PID 3172 wrote to memory of 3116 3172 explorti.exe b892d81e5b.exe PID 3116 wrote to memory of 3440 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 3440 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 3440 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 4612 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 4612 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 4612 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 4612 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 4612 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 4612 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 4612 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 4612 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 4612 3116 b892d81e5b.exe RegAsm.exe PID 3116 wrote to memory of 4612 3116 b892d81e5b.exe RegAsm.exe PID 3172 wrote to memory of 4060 3172 explorti.exe d88b586c75.exe PID 3172 wrote to memory of 4060 3172 explorti.exe d88b586c75.exe PID 3172 wrote to memory of 4060 3172 explorti.exe d88b586c75.exe PID 4060 wrote to memory of 2164 4060 d88b586c75.exe RegAsm.exe PID 4060 wrote to memory of 2164 4060 d88b586c75.exe RegAsm.exe PID 4060 wrote to memory of 2164 4060 d88b586c75.exe RegAsm.exe PID 4060 wrote to memory of 2164 4060 d88b586c75.exe RegAsm.exe PID 4060 wrote to memory of 2164 4060 d88b586c75.exe RegAsm.exe PID 4060 wrote to memory of 2164 4060 d88b586c75.exe RegAsm.exe PID 4060 wrote to memory of 2164 4060 d88b586c75.exe RegAsm.exe PID 4060 wrote to memory of 2164 4060 d88b586c75.exe RegAsm.exe PID 4060 wrote to memory of 2164 4060 d88b586c75.exe RegAsm.exe PID 3172 wrote to memory of 760 3172 explorti.exe b0cf8055f1.exe PID 3172 wrote to memory of 760 3172 explorti.exe b0cf8055f1.exe PID 3172 wrote to memory of 760 3172 explorti.exe b0cf8055f1.exe PID 4612 wrote to memory of 4332 4612 RegAsm.exe firefox.exe PID 4612 wrote to memory of 4332 4612 RegAsm.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4332 wrote to memory of 4412 4332 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe PID 4412 wrote to memory of 4876 4412 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe"C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3440
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c6ef72f-4318-42dd-9167-42054568727e} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" gpu7⤵PID:4876
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcfd7d41-1639-40d7-84f8-2783244962e8} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" socket7⤵PID:4708
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2884 -childID 1 -isForBrowser -prefsHandle 2788 -prefMapHandle 1456 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c1b378a-cacc-45e2-bc41-49aa403563e2} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab7⤵PID:4808
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3804 -childID 2 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e410f823-1072-4124-b4ee-98b07a7d096d} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab7⤵PID:812
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4524 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4556 -prefMapHandle 4552 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b194cad1-ef64-4288-93ef-4f37b7114411} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" utility7⤵
- Checks processor information in registry
PID:4832 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 4856 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9b4f017-e5b6-42f6-825e-b8e6d2c3c733} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab7⤵PID:5880
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5692 -prefMapHandle 5688 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {974e4f8d-fd39-47a3-a944-ff30c1ab4779} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab7⤵PID:5892
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5836 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5776 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04200812-8999-4014-8b9a-c4b5a88b262b} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab7⤵PID:5912
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6348 -childID 6 -isForBrowser -prefsHandle 6260 -prefMapHandle 6196 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8517620b-b798-4f8b-b89e-2bce3a08a35b} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab7⤵PID:3168
-
C:\Users\Admin\1000037002\d88b586c75.exe"C:\Users\Admin\1000037002\d88b586c75.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\1000038001\b0cf8055f1.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\b0cf8055f1.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:760
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3164
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5528
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207KB
MD508c4a58bbadc6ca9b4c015f6d73d682f
SHA139e3fb93c93a7518e3fac3d5b6bae8fd2d2dc072
SHA2568e6ceaf7c0ef571561f2ddadfc11ee4519b0d6fae6746e34381e393400c9fbab
SHA5126b0db9a73bcee0ea9faba522cd1c7250c0bfa307f6c32dc2ecdea8cc0303837ed7b5258a3c7f3120207b49c83d7d1cc50024e4e404db8848ee3a4b5a633672b3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json
Filesize38KB
MD5088c333cdcecb29515d5af272a94f7f7
SHA1110baf92d4b92317278dd84c99629d24583d5bee
SHA25615cd9018af02827a938d4931f2e5a2956a4690461d2a9682def32ea3845452b3
SHA51250b7cd09835e0f202266c5bfd0a2bab3f1b7c5c374403f00e74a871b584b603fa345f9375ac9f3e27ae81a20e0de038e165066fe9c3db0278ab915e3c200104d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD5b401c28debac00edb9828154df4c8db1
SHA167d2915fa938e9ce473f1babd669e1a7ba425c54
SHA25613230ec6ac5db777abe8bfe63877dc58a5e8ed5f9341160e1af9a3cb9a313e72
SHA5120da648e53f03f26b24b3cf06fc7aa27d21670033f228e269c9ba48266acca1526aa2f9edaf4e5fb9adb12b95c7d2aa3f1ea148522634a6ee8bba71a5f2239df4
-
Filesize
1.8MB
MD5e4b66dca73b9df6e615b29127344497f
SHA1af8dea556b8bea1fa0abdbca3c743ebc20744288
SHA2565f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863
SHA51277b3edf2bc70da1ccb11a9b8a68c132ca2b42b1bc8a524a7ab1d883c95686adca0afa528610dda1ddce3db4c42920753fe05302b858a6d2851256069e341d83e
-
Filesize
1.2MB
MD5627b7e7a593c56c3952ae9ef80f5af4a
SHA17fc9bb380f9efcfd3aa42f9e7b58cdb41530c8d8
SHA256d89781341164e48965db98c8d05d83046a4d827b197c54108f0b35df9a9942be
SHA5126a1c77db5de5a7696901846a8c05f188162acc4729cb8a8e76c5a38527e104710e2dfcd38c32fce9421bf31a95e2be96e4e30e3eb2d40c81c892911e15fc05f4
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin
Filesize7KB
MD52607b0a383606156e22d725564729ce3
SHA13e6ccc4fa458f2edbe61f2658da6f181a1eb743f
SHA2567a0e47effb409d3e1366533ab1056efacca427d9f24584f91a215d634500c36a
SHA5121da28b4318bffd5675cbfdddae5bf5ddf3d62811d185ec494900b12457227fb490222d12dc732b9b176fac0857d16372e4bde794ab83cf32eddd5e7f896f42e6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin
Filesize10KB
MD585995fe074f5d964befd79b0fb63f283
SHA15e9e80fcb79401baadd35b5822fd946b8fdc80a9
SHA256fba9cb40fbbea5d5721a16db90afa5833b691bea00d779c094bb9fadd43c3767
SHA512b9f37ee70e8b23689db7ceb64ea22b79b79425fcbbb4df78b081961a390a02fcb36093e50255299bd2d322a2a3e523e25f24803ac899090f078eede4e59205c3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5394173413f36dc731a1b3f07049bb9d8
SHA121c7ec9ebaa7fdcafd46a42239c2dff20d496ab5
SHA256c185de7cdd8ab4f4394f4955d5fc93f954fd91db283f60c6ffe1011c07db9c4f
SHA5121a75c57553a27e5eb6750186e7285fcf513089876aae1ecd2757beb3c6322d2283540ce77ae6725a18e06ff970f0951a78d8e1c8f3930f3f05687501cd7c003d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD5cc445cdce0c53785da0a02b4a69cf43c
SHA1a8d08a462247002540e2622ebffeee1845068dd8
SHA25617ae02631c7a5757a20bd71abee5eb6f95c4edf407af39b89d237063604b3c67
SHA51293eec2b244fbd1550239e1561168f0ffd676b6f0c4e02d51e883bf146a50a371fc64c10827a52b8dfcb9faac74a2498c96acdcc59d2f76a3c509f5a77f312316
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\2fd4c81e-b9c5-4732-9ad5-fc025350de52
Filesize982B
MD56dda0d82f54f12993f7fbd4bc2781305
SHA1e5be5ab3804eaf057678f39c90e6cd188ee29692
SHA256a3ec468ff95f7250b47b511c87c12302ef2d59cb2bd6bc714ffe3fe1773f72de
SHA51298b142c2b716bf0065768c9bb8c1d8acd9f40f2ba16f585e3fd850467e4480d65d306226e9d869aedd7214ce1f2cf1c696250a338faa7b940b02ef704a320269
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\8f646a82-334c-46ac-94ec-70c0bb202721
Filesize28KB
MD53d690572fb606b01e48c2ee1f0eacac8
SHA1c4a50bdda64f615ab1ad99d61554a4dc48f0cab4
SHA256df90b06d8a5d0bc3c7f67a25c193cc8af8fd65179e0c7a7c63d7aa9c2cf19e55
SHA5121c856d3b3aae932d69aa880ba24a41668c7e9f609cbb0cad859df26ec3d7acfa7aef8d3b1ed11979ad7a830ad68ccd707c2caf1c0bef8e22eb4f9d13a298ba4d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\c08f99e3-9351-495c-95ac-7d66dc54ca34
Filesize671B
MD5661844e45a0b0c6defd937355f5951e8
SHA1f529bd932cbce823f04eaa0fd442deac7eb6b401
SHA2566fb70a8d3561100d7614da16715dc13067be725199f82f06ca1f06b5678b63e5
SHA5126b9593b297f5f04c44262368afb6b6afec5f432cc414ed21db1591eac8d976e8155be88c4cb02c71a355796ca9056faab350d485da98a2d807942988da8d6e0f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD51a818c28df302138c54b29971a5cf9c7
SHA11cbcc34a573488fdba159daa2eba7ff8ed309f3b
SHA25671348faff9728c7ca51f55fada2253e84cdaf662b64003ffcbae83541a54e298
SHA512c3c5ea571a4d61ef25cee0a284fc7588f7676ec2538fa55819326f4fbbbc7873800e9121fde574c4f4d89cdaa3bec3c43829118fef40dcd794ad7274e256a785
-
Filesize
14KB
MD5e4f65bf33d12c50f187147267d61fcb5
SHA1b9822e283c2756807fe9a0662d1ce68cde670c7e
SHA2562488fe05df44927dff65457fae52661e260aa86a1225aebf603a5857d5810842
SHA5125fb8ea2cb0d237836c4bea89f2d53b89853d7e8910f1c270676225544a05e2e2e036a41fd05101b8a9b95a008dc33da593d3474644c6285d94ace5867d6eb5d5
-
Filesize
11KB
MD5121ad46b3cf87401bcfac99cfc91e426
SHA12b85027d85ff6843d0238eff6e65f7c54d5b3a6d
SHA256877283fcd45904f2a5ec96d8e7c20839a09ac53d5cda6fa3cc3b99191cb66ca5
SHA5128f7e47008a522ed3e9d034177f77f9fee0cd42e94325ca23c5ba1bccbbd97fd5166933364073975e05ac108593830af7f3b6f8bd91697780e709481d40228252
-
Filesize
11KB
MD5b68fadf18b4b03c270b6aa0ada5ce8be
SHA1b4bc0403220494bfe85da37a47e957932f178cba
SHA256b8b0a431a83cc6b7895b7f5655da79788c4d0bdf70b323c45a73fd61330fa81c
SHA512ab81c50f57516c4a4684eb72839f9d5eb5a753ec41f244c1abdf7c5d2ae9987b83a66c6d3ecadfa72d07be15613d5a6ccfe58272e55f979fdbafc5931b38d7e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize2.0MB
MD5d9760a41ad4ad677c1b93955e33f1ad5
SHA186b0988ff52e50baed93e1524ef96c8fe89810a9
SHA256e64ad9801b71a921d4c85e1cb9444a0cc2a14cfa114aec3d1236cd518b08eec3
SHA512bdd329399cd81d062b93d45a8b4c645fe46587d53451b31975a36b8d2351af1af4eef8a178b7ebcc732de3c029177af3c9806e978736bd0d2e52a9d88f9facd2