Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
14-08-2024 21:27
Static task
static1
Behavioral task
behavioral1
Sample
66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
Resource
win10v2004-20240802-en
General
-
Target
66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
-
Size
1.8MB
-
MD5
16a0efa2b6695032ed7c293ac609b548
-
SHA1
3c00ff7eb82cbb8439b3499f468000fd1ffaa12a
-
SHA256
66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613
-
SHA512
cffae5effbf09dfed4625a28385578f1c27f6caa10f691406a3fa8eeed4d6749217d9e2ae806256aca1acbb597d37bf726bfa07901fdb64854a297a4da28ca26
-
SSDEEP
49152:TMYsyaxDs9VIYKl9UPCshhDfQn69BDCh8yRRhJMKu3B:ToyaxD+V1KfUPGkASyRFo
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
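The extracted configuration gives a network defender two things to act on immediately: the C2 hosts and the exact gate paths. The following Python is an added example, not part of the sandbox report: it turns the values above into IoCs and runs them over constructed proxy log lines (the log format, the client addresses and the non-gate URLs are all made up). The "16 lowercase hex characters plus .php" pattern used to flag sibling Stealc gates on a known host is a heuristic assumption, not something the report states.

```python
"""
Network IoCs derived from the extracted Amadey and Stealc configurations,
checked against proxy log lines. Added example, not part of the sandbox
report; the log format and the log lines are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Copied from the Malware Config section above.
EXTRACTED_CONFIGS = [
    {"family": "amadey", "c2": "http://185.215.113.19", "url_paths": ["/Vi9leo/index.php"]},
    {"family": "stealc", "botnet": "nord", "c2": "http://185.215.113.100", "url_paths": ["/e2b1563c6670f193.php"]},
    {"family": "stealc", "botnet": "kora", "c2": "http://185.215.113.100", "url_paths": ["/e2b1563c6670f193.php"]},
]

# Heuristic (assumption, not from the report): Stealc gate paths are usually
# 16 lowercase hex characters + ".php", like the one extracted here.
STEALC_GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php$")


@dataclass(frozen=True)
class NetIoc:
    family: str
    host: str
    path: str


def iocs_from_configs(configs):
    """One (family, host, path) IoC per configured gate; duplicates collapse."""
    iocs = set()
    for cfg in configs:
        host = urlsplit(cfg["c2"]).hostname
        for path in cfg["url_paths"]:
            iocs.add(NetIoc(cfg["family"], host, path))
    return iocs


def classify(url, iocs):
    """Return (verdict, family) for a URL, or None if it touches no C2 host."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path
    families_on_host = {i.family for i in iocs if i.host == host}
    if not families_on_host:
        return None
    for ioc in iocs:
        if ioc.host == host and ioc.path == path:
            return ("c2-gate", ioc.family)            # exact configured gate
    if "stealc" in families_on_host and STEALC_GATE_RE.match(path):
        return ("stealc-like-gate", "stealc")       # sibling gate on a known host
    return ("c2-host", ",".join(sorted(families_on_host)))  # e.g. a payload fetch


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# Line 2 is an invented Amadey payload-fetch path on the real C2 host.
SAMPLE_PROXY_LOG = """\
2024-08-14T21:28:03Z 10.10.4.17 POST http://185.215.113.19/Vi9leo/index.php 200
2024-08-14T21:28:09Z 10.10.4.17 GET http://185.215.113.19/Vi9leo/Plugins/cred64.dll 200
2024-08-14T21:28:31Z 10.10.4.17 POST http://185.215.113.100/e2b1563c6670f193.php 200
2024-08-14T21:28:40Z 10.10.4.17 POST http://185.215.113.100/0123456789abcdef.php 200
2024-08-14T21:29:02Z 10.10.4.17 GET https://accounts.google.com/ServiceLogin 200
2024-08-14T21:29:15Z 10.10.4.22 GET http://example.com/index.php 200
"""


def scan_proxy_log(text, iocs):
    """Return one hit dict per log line that touches a configured C2 host."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        verdict = classify(fields[3], iocs)
        if verdict is not None:
            hits.append({"line": lineno, "client": fields[1], "url": fields[3],
                         "verdict": verdict[0], "family": verdict[1]})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, iocs_from_configs(EXTRACTED_CONFIGS)):
        print(hit)
```

The three-tier verdict matters in practice: an exact gate hit identifies the family with confidence, a different path on the same host still means the host is talking to the loader's infrastructure (Amadey fetches its payloads over HTTP from the same server, which is what the "Downloads MZ/PE file" signature above reflects), and the sibling-gate rule catches a re-pointed Stealc build on the same host without a new config extraction.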
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copy of, a web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes: explorti.exe, 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe) -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe) -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: RegAsm.exe, 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe, explorti.exe
- Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (RegAsm.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (explorti.exe) -
Executes dropped EXE 6 IoCs
Processes: explorti.exe, fb3b92899b.exe, 4684fd6485.exe, 98f682bca6.exe
- 4832 explorti.exe
- 748 fb3b92899b.exe
- 4856 4684fd6485.exe
- 2560 98f682bca6.exe
- 2776 explorti.exe
- 3316 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: explorti.exe, 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
- Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine (66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe) -
Adds Run key to start application 2 TTPs 1 IoCs
Processes: explorti.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fb3b92899b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\fb3b92899b.exe" (explorti.exe) -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables. All three matches are memory dumps of PID 2144, which is one of the RegAsm.exe children of fb3b92899b.exe (see Suspicious use of SetThreadContext below): the image mapped at 0x400000 in that RegAsm.exe process is AutoIt-compiled code, consistent with fb3b92899b.exe hollowing RegAsm.exe and mapping its payload into it.
Resources (yara rule):
- behavioral1/memory/2144-43-0x0000000000400000-0x000000000052D000-memory.dmp: autoit_exe
- behavioral1/memory/2144-46-0x0000000000400000-0x000000000052D000-memory.dmp: autoit_exe
- behavioral1/memory/2144-47-0x0000000000400000-0x000000000052D000-memory.dmp: autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe, explorti.exe
- 5092 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
- 4832 explorti.exe
- 2776 explorti.exe
- 3316 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes: fb3b92899b.exe, 4684fd6485.exe
- PID 748 (fb3b92899b.exe) set thread context of 2144 (RegAsm.exe)
- PID 4856 (4684fd6485.exe) set thread context of 3596 (RegAsm.exe) -
Drops file in Windows directory 1 IoCs
Processes: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
- File created C:\Windows\Tasks\explorti.job (66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe) -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: explorti.exe, fb3b92899b.exe, RegAsm.exe, 4684fd6485.exe, 98f682bca6.exe, 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorti.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (fb3b92899b.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegAsm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4684fd6485.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegAsm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (98f682bca6.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe) -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe (all eight reads are by the browser that the payload launched; Firefox reads CPU details at start-up, so this signature is noise here, unlike the BIOS and ACPI reads by the sample itself)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe) -
Modifies registry class 1 IoCs
Processes: firefox.exe
- Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings (firefox.exe) -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe, explorti.exe
- 5092 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe (2 entries)
- 4832 explorti.exe (2 entries)
- 2776 explorti.exe (2 entries)
- 3316 explorti.exe (2 entries) -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: firefox.exe
- Token: SeDebugPrivilege 868 firefox.exe (5 entries) -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: RegAsm.exe (pid 2144), firefox.exe (pid 868)
64 entries (the report's cap): a run from 2144 RegAsm.exe, then a run from 868 firefox.exe, then 2144 RegAsm.exe again -
Suspicious use of SendNotifyMessage 64 IoCs
Processes: RegAsm.exe (pid 2144), firefox.exe (pid 868)
64 entries (the report's cap): a run from 2144 RegAsm.exe, then a run from 868 firefox.exe, then 2144 RegAsm.exe again -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: firefox.exe
- 868 firefox.exe (4 entries) -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe, explorti.exe, fb3b92899b.exe, 4684fd6485.exe, RegAsm.exe, firefox.exe (64 entries, grouped here by source and target)
- PID 5092 (66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe) wrote to memory of 4832 (explorti.exe): 3 entries
- PID 4832 (explorti.exe) wrote to memory of 748 (fb3b92899b.exe): 3 entries
- PID 748 (fb3b92899b.exe) wrote to memory of 3088 (RegAsm.exe): 3 entries
- PID 748 (fb3b92899b.exe) wrote to memory of 2140 (RegAsm.exe): 3 entries
- PID 748 (fb3b92899b.exe) wrote to memory of 2144 (RegAsm.exe): 10 entries
- PID 4832 (explorti.exe) wrote to memory of 4856 (4684fd6485.exe): 3 entries
- PID 4856 (4684fd6485.exe) wrote to memory of 3596 (RegAsm.exe): 9 entries
- PID 4832 (explorti.exe) wrote to memory of 2560 (98f682bca6.exe): 3 entries
- PID 2144 (RegAsm.exe) wrote to memory of 728 (firefox.exe): 2 entries
- PID 728 (firefox.exe) wrote to memory of 868 (firefox.exe): 11 entries
- PID 868 (firefox.exe) wrote to memory of 2092 (firefox.exe): 14 entries
The handful of writes into each ordinary child come from process creation itself; the larger counts into the RegAsm.exe children (10 from 748, 9 from 4856), each paired with a SetThreadContext call above, are the process-hollowing pattern. Firefox's writes into its own content processes are normal browser start-up. -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
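The registry reads, the Run key, the .job file and the argument-less RegAsm.exe children are the host-side artefacts worth turning into detections. The following Python is an added example, not part of the report: it applies four rules to a constructed, Sysmon-style event list that mirrors the IoCs above plus two benign control events. One caveat is built into it: Sysmon does not log registry reads (key opens and value queries), so the "RegQuery" event type used here is hypothetical and assumes an EDR or the Microsoft-Windows-Kernel-Registry ETW provider as the source; the process-create, file-create and value-set events follow Sysmon's event IDs 1, 11 and 13.

```python
"""
Host-side detections for the behaviours listed under Signatures, run over a
constructed Sysmon-style event list. Added example, not part of the report.
EventID 1 = process create, 11 = file create, 13 = registry value set; the
"RegQuery" event type is hypothetical (Sysmon does not log registry reads;
an EDR or the Microsoft-Windows-Kernel-Registry ETW provider is assumed).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Registry locations the sample read (from the report); matched on the tail so
# the \REGISTRY\MACHINE vs HKLM spelling does not matter.
FINGERPRINT_RE = re.compile(
    r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$"
    r"|\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$"
    r"|\\Software\\Wine$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Dropper-style locations seen in the process tree: a numbered folder under
# %LOCALAPPDATA%\Temp, or a digits-only folder directly under the profile.
SUSPECT_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Users\\[^\\]+\\\d{6,})\\", re.I)
JOB_FILE_RE = re.compile(r"^[A-Z]:\\Windows\\Tasks\\[^\\]+\.job$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def has_args(cmdline):
    """True if anything follows the executable token of a command line."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        rest = cmd[end + 1:] if end != -1 else ""
    else:
        rest = cmd.partition(" ")[2]
    return bool(rest.strip())


def detect(events):
    findings = []
    fingerprint_reads = defaultdict(set)  # (pid, image) -> distinct key names read
    for ev in events:
        eid, pid, image = ev.get("EventID"), ev.get("ProcessId"), ev.get("Image", "")
        if eid == "RegQuery" and FINGERPRINT_RE.search(ev.get("TargetObject", "")):
            fingerprint_reads[(pid, image)].add(ev["TargetObject"].rsplit("\\", 1)[-1])
        elif eid == 13:
            target, data = ev.get("TargetObject", ""), ev.get("Details", "").strip('"')
            if RUN_KEY_RE.search(target) and SUSPECT_DIR_RE.search(data):
                findings.append(Finding("persistence.run_key_from_temp", pid, image, f"{target} = {data}"))
        elif eid == 11:
            fname = ev.get("TargetFilename", "")
            if JOB_FILE_RE.match(fname) and SUSPECT_DIR_RE.search(image):
                findings.append(Finding("persistence.job_file_from_temp", pid, image, fname))
        elif eid == 1:
            parent, cmd = ev.get("ParentImage", ""), ev.get("CommandLine", "")
            if image.lower().endswith("\\regasm.exe") and not has_args(cmd) and SUSPECT_DIR_RE.search(parent):
                findings.append(Finding("injection.regasm_no_args_from_temp", pid, image, f"parent={parent}"))
    # A single BIOS/CPU read is routine for legitimate software; two or more
    # distinct sandbox-fingerprint keys from one process is the signal.
    for (pid, image), keys in fingerprint_reads.items():
        if len(keys) >= 2:
            findings.append(Finding("evasion.sandbox_fingerprint", pid, image, ", ".join(sorted(keys))))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000"

# Constructed events mirroring the report's IoCs; pids 4100 and 9001 are benign controls.
SAMPLE_EVENTS = [
    {"EventID": "RegQuery", "ProcessId": 4832, "Image": EXPLORTI, "TargetObject": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"EventID": "RegQuery", "ProcessId": 4832, "Image": EXPLORTI, "TargetObject": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"EventID": "RegQuery", "ProcessId": 4832, "Image": EXPLORTI, "TargetObject": HKU + r"\Software\Wine"},
    {"EventID": "RegQuery", "ProcessId": 868, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "TargetObject": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"},
    {"EventID": 13, "ProcessId": 4832, "Image": EXPLORTI, "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fb3b92899b.exe", "Details": '"' + DROPPED + '"'},
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "ProcessId": 5092, "Image": SAMPLE, "TargetFilename": r"C:\Windows\Tasks\explorti.job"},
    {"EventID": 1, "ProcessId": 2144, "Image": REGASM, "CommandLine": '"' + REGASM + '"', "ParentImage": DROPPED},
    {"EventID": 1, "ProcessId": 9001, "Image": REGASM, "CommandLine": '"' + REGASM + '" /codebase MyLib.dll', "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The fingerprint rule requires two distinct keys from one process because reading SystemBiosVersion alone is common in legitimate software; the persistence and injection rules key on the dropper-style directories seen in the tree (a numbered folder under %TEMP% or directly under the profile), which keeps per-user installers such as OneDrive, whose Run value also points into AppData, out of the results.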
Processes
-
C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe
Command line (depth 1): "C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (install_dir\install_file from the Amadey config)
Command line (depth 2): "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe
Command line (depth 3): "C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line (depth 4): "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID:3088
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line (depth 4): "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID:2140
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line (depth 4): "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 5): "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 6): "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c25d8d45-a14a-42c6-bf8d-0772a8482622} 868 "\\.\pipe\gecko-crash-server-pipe.868" gpu
PID:2092
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aee996c0-0a38-4e2c-b0e8-1518d2d73e26} 868 "\\.\pipe\gecko-crash-server-pipe.868" socket
PID:5056
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2904 -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2916 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d332acf2-5732-4b12-8e91-c815ad7e082f} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
PID:3752
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 1308 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a03baaa0-8a49-4746-82ba-5e269a913d96} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
PID:3504
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4548 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4596 -prefMapHandle 4592 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4b2b312-1979-42f8-bd0a-8c46a765b210} 868 "\\.\pipe\gecko-crash-server-pipe.868" utility
- Checks processor information in registry
PID:5332 -
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 5324 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {719b5434-83c8-4e81-acd2-bae0e610c428} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
PID:5960
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8131d2ac-7f63-4ffc-a494-7c35979f5398} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
PID:5980
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c820fa59-ad86-4877-8e1e-bec0298b50d7} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
PID:5996
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -childID 6 -isForBrowser -prefsHandle 6296 -prefMapHandle 6276 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69ccddf8-dd7f-4fa0-94ea-3d62241f8fe3} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
PID:2764
-
C:\Users\Admin\1000037002\4684fd6485.exe
Command line (depth 3): "C:\Users\Admin\1000037002\4684fd6485.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line (depth 4): "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Users\Admin\AppData\Local\Temp\1000038001\98f682bca6.exe
Command line (depth 3): "C:\Users\Admin\AppData\Local\Temp\1000038001\98f682bca6.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (separate root of the tree, not started by a process above; consistent with the explorti.job scheduled task the sample created)
Command line (depth 1): C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2776
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (separate root of the tree, not started by a process above; consistent with the explorti.job scheduled task the sample created)
Command line (depth 1): C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3316
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (T1547)
Registry Run Keys / Startup Folder (T1547.001): 1
Downloads
-
Filesize 330KB
MD5 7bdc4dd6037f1f49611576c723466332
SHA1 a7cbc0ee6529f261db5d164b3e502b36d2c8bcef
SHA256 f13cdb9370460f2909bf758ffd985178fe657a4ab0ef8f40ed6931637dda4b73
SHA512 a914b56d4c2c4a8dd1f8d2a8fdd8956741e1fc98836b5845e62a4737fba0a7ad854fba341ce94034b4a4c8f665e7a61ab8f1cd5a020da19207695909322fe637
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize 13KB
MD5 a0389a0b7f318d67b96a1117ab00cc29
SHA1 370a109f8bfeba0ac4fa734561cce869f42b19c9
SHA256 6df952e6efb28cf1d2ec618fadfce1024093db61d74651e3c47234b0c816999f
SHA512 bf7619015b2d2e9f73465bf1e97448993f674fd48323051daa76c7dc824ec737e23588c769c580dd8f31b1698d6b1bd6af871208744e22f733a4bae32c47f824
-
Filesize 1.8MB (same hashes as the submitted sample)
MD5 16a0efa2b6695032ed7c293ac609b548
SHA1 3c00ff7eb82cbb8439b3499f468000fd1ffaa12a
SHA256 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613
SHA512 cffae5effbf09dfed4625a28385578f1c27f6caa10f691406a3fa8eeed4d6749217d9e2ae806256aca1acbb597d37bf726bfa07901fdb64854a297a4da28ca26
-
Filesize 1.3MB
MD5 929e5d8768ad2142515bc380fb050012
SHA1 857996d4d7f7d75cf8f8839c6d51c53825286017
SHA256 2a7cb9a967e2842a517b585b92a07e0542d4a330e602b633439b71c9c386e9e1
SHA512 446eff6fe391873573879584d89cb75f15d0b6301c0eca21736647740bdbeb109171d95fc7b13bcf89826dc2dd838bf0d12bfd7d9608b5022f1e24028703f66f
-
Filesize 187KB
MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin
Filesize 7KB
MD5 56b1308fd29129087f3bce9403e067dc
SHA1 124487a6433ca47f092404237c52f55fbccc5eb7
SHA256 501c22883fa2b50603098ff9eda44c38e9490ced674802c7cbc06536271a6d11
SHA512 f9ffd614e7cb1c7fa5525c9a62620f3bd852423827ad3f9185767be6d26a44b1eb864362229581a5c99be68fb6d9ae126cd4fb8771bb7907965abd4cd1c6ef5b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin
Filesize 10KB
MD5 a0ae0dfe0d5a90a9a3ba5c0843512b4e
SHA1 c8abb9f553eceb07ef9eecf52609409dad78c50a
SHA256 4ef1574bae5495f4243c18242da9eabf27f2d915e25731875afbd9a7a42315d5
SHA512 f3bdd1a28dc238e082ab073d7f70f8ae675261633253f83ab663d0b8cc31ef91bf2b9aa4e1e9837038ac76cfa76de4fa25cc3f9a031745a93946f53d3f1aa4d5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 32fa78c473f4f0a48358a6a3e085ae01
SHA1 ab5af836444a1ecb0d17b6c67fd4c1a6fbc760cd
SHA256 1cefc2f6587acbbe1dc353a6ecc1e511f16e96a394c56d31b3718da3f89c0c81
SHA512 6e0fa953d7c7b10b2a2f19eea64b83df94d2eda77b68ef4ee7d0fba3e0ffc6f15ff4e12195c82939ede01f4e731a616ee9b776ac6cfe1b54507abafb52dbb9cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
Filesize 33KB
MD5 0ae3d93f2dfb8118907cd7691147a35a
SHA1 bfd978a91dd3dd69a3991516a01b5022de3ac481
SHA256 593ada1a249db32958751b7bcce8eca15b23ec1330d65881a4fbeb76da92d6bb
SHA512 4e6089652ac7ab8b5946356430e91b1fede8846be56f27b6d3abf9e8a07f416c90c52f9e934c60d6cebd0e726488f9d8751802f5baf728899e6ee6c284e1ca8e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
Filesize 33KB
MD5 34a339491c73c5f6e1d5b8de2924bacf
SHA1 0d68844ceb4c7fdbb3aca58b70937249c1c35113
SHA256 3dd9599a69ee21be10721562806813105e37e1c4c89c97d4e36485e5847c6d48
SHA512 0cd8c2d5e463a3b63fd8d53cdac881f8b1b90f0746205e20922bfc54019bde11d88dbf9f3b6deae0ab1fb818878b21d7ba701380d437e9dc5f4c0a0e20ac7b52
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 d5c2bd7e5e223f07281e0d93f7027fe9
SHA1 d98a828937ee7bf47c51a8f0098a40b997afd3db
SHA256 838d98459a53ef527261a7e35fb23e36440a8fbd72934569a1d25a05f82f598e
SHA512 8da6b592a4811070f316d831479baa5744316a75d11fdc7ce8f9f680938a74ddc7ad013d5e3782467df7b2f7a3843548c8f49336ef106bd580ab4f29351c6eeb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 a4d7e1c9c1c3857b89b13598a3746ec3
SHA1 344dd3912ecfb3f352d8b09fdf4d3467d38a023b
SHA256 a86411ca90422e50e40be49d7166f95e31669ea2133e6822f325116fca087b9e
SHA512 5c606b3761212f52417936243ad3e07d8c844c8c28eb6b83078323e0b215a823e2fbb517fe4aa48eac0793fdbbf017a09582def429c335f46bcd36aa4d942bb0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\69d0302c-3f0c-4cef-b84b-7c6f7c213fe1
Filesize 25KB
MD5 a58aea079ba8e89792f4acb9d45dc5d7
SHA1 d34cbdb834b8316a43582245f2abda36dd4b8882
SHA256 3ab39664ecb432cad6693707f81f47151355c133b2864086b1c4e94d458b208a
SHA512 86bc37e5c33f583b00aa1691d3def91e64104a611298dac657ff48354849f740914162755bbcd66beb6ed247380e73de4c2939a70541e98d4d5cc6cb0cd2c50c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\7dfec531-c2be-4284-8f28-253f108ce822
Filesize 671B
MD5 ee6ffe75dc3f7e50d9cce3ac6285ed84
SHA1 c5f504b4ddce2d355053d1056f31e27c97de94eb
SHA256 fca59843bc3b5201186269a7c949c422f78bf93b75b9b998048f4e8e0c86d2f7
SHA512 5b4a590726cbd230b7872e00268c4a4773fc1e308ccbb5a65799e400c411f7cf65369e3410bc2b36a343041dbcbc1c66ba1fa48163c423415fd8d9b6ea555f12
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\e9f48ae5-df4b-49a3-a7d4-afcd238b6049
Filesize 982B
MD5 adc74d5d5c25717b200a4f7a322fe5a3
SHA1 96cb00c6443432c33b5423ce6644315f6ab7f5e9
SHA256 b7b937f6fcb8bd2664aad1ee1ab9f35cafc2de3dbd7c1ef2b2703b070c42c953
SHA512 eaeae677c15d33e74ddb844fc4542dc44c1970c116c28bc0276586b3de305e4cb1ebcdadeff727407f6894b6045b6164a482976522a37a93c69c0fba1f0ccc63
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize 11KB
MD5 e6611004e6ac671b46f9c63b577c0b0f
SHA1 5c6867d26fc3d9354ea266f0b733692c72554615
SHA256 e5f93698d4466957661dcc02b980b534f8b12a12b4b598163a8fc6ddacc92db1
SHA512 e2102134e6ab298d2d2b36b58e02e33b1f73b92a0af0967506dd7f84b7b54413aead3f91af21b2bb57798fda82428bd3fcb16907ce2bc4a9691f64f297110de3
-
Filesize 16KB
MD5 0e56d6a36590aed9de6f004a37da3680
SHA1 82c53053a7769108543cc13e860cd9ed203a1b4d
SHA256 fdbffd33af6fb04342b7671eef8aeaac7acebdd77960d3fef63d04e0c2c85b35
SHA512 47e8d6840391ac2bce3a9288ccd9100fafd7fa2f6186aa4feaddb215027a16eda533755f060051125ec99b0c782e088c3141d0572622a7aedc85ff34f1a5a5ef
-
Filesize 12KB
MD5 b7274e6e8a0a16180a9ca0520c417512
SHA1 1cc725b0dcf3141fec2ba4907e586bf98ecb6324
SHA256 840703fa60c6571d16e0cb19a1bca8a53a874d19c3f2660e0ba89fd225490071
SHA512 71a5de619cde9d6c0aa54ee819327982278e79acbc8aedf4f01b1403a61c4cef23c765188a43917b202795fff7b4a1734bd0f3011128184ea1ba1d2766753d8e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4
Filesize 5KB
MD5 d5459249724feb208f2afbf13d05d351
SHA1 e17e49a15b0971141afe3aa07ac959c184e3badd
SHA256 178b1f26a0c1086cf3a2cd3e90de8bc537f7f989b3d838f823b3612265e245e6
SHA512 c680fd12e2724a7626a0d1d89a889309156796a97cb9b878879cad3256c0fa4db55ca95632d311d262f61ecb0461c414dc9cedffe95bfc35d87ee505663684da