Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14-08-2024 02:33
Static task
static1
Behavioral task
behavioral1
Sample
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe
Resource
win10v2004-20240802-en
General
-
Target
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe
-
Size
1.8MB
-
MD5
48c24a152ce98431b83006650bc02fc8
-
SHA1
d76713abc3ba7c3fbe823fbefc49d30484ea6ad9
-
SHA256
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f
-
SHA512
35296079dcf7a710a3aeda4e5eca0cb6998f2f1253da50a7393fa42ff26a98ee36d2ba79fbd0c0c513db2bd0c7958d29a4e7ddd70d58b27080c2fa17492147fb
-
SSDEEP
49152:wIQoAqAqx7YRidXvdrG4O1aTd49puiyvOED:wjoAqlYRipv84nd49puiyvOED
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Executes dropped EXE 7 IoCs
Processes:
explorti.exe8fe311e5a2.exe7dd822c344.exe048e239034.exeexplorti.exeexplorti.exeexplorti.exepid process 1944 explorti.exe 3992 8fe311e5a2.exe 2080 7dd822c344.exe 4832 048e239034.exe 1928 explorti.exe 5956 explorti.exe 1428 explorti.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8fe311e5a2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\8fe311e5a2.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/4140-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/4140-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/4140-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 3032 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe 1944 explorti.exe 1928 explorti.exe 5956 explorti.exe 1428 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
8fe311e5a2.exe7dd822c344.exedescription pid process target process PID 3992 set thread context of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 2080 set thread context of 2012 2080 7dd822c344.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exedescription ioc process File created C:\Windows\Tasks\explorti.job 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RegAsm.exe048e239034.exe284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exe8fe311e5a2.exeRegAsm.exe7dd822c344.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048e239034.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8fe311e5a2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dd822c344.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 3032 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe 3032 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe 1944 explorti.exe 1944 explorti.exe 1928 explorti.exe 1928 explorti.exe 5956 explorti.exe 5956 explorti.exe 1428 explorti.exe 1428 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2628 firefox.exe Token: SeDebugPrivilege 2628 firefox.exe Token: SeDebugPrivilege 2628 firefox.exe Token: SeDebugPrivilege 2628 firefox.exe Token: SeDebugPrivilege 2628 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 2628 firefox.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe 4140 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 2628 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exeexplorti.exe8fe311e5a2.exe7dd822c344.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 3032 wrote to memory of 1944 3032 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe explorti.exe PID 3032 wrote to memory of 1944 3032 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe explorti.exe PID 3032 wrote to memory of 1944 3032 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe explorti.exe PID 1944 wrote to memory of 3992 1944 explorti.exe 8fe311e5a2.exe PID 1944 wrote to memory of 3992 1944 explorti.exe 8fe311e5a2.exe PID 1944 wrote to memory of 3992 1944 explorti.exe 8fe311e5a2.exe PID 3992 wrote to memory of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 3992 wrote to memory of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 3992 wrote to memory of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 3992 wrote to memory of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 3992 wrote to memory of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 3992 wrote to memory of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 3992 wrote to memory of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 3992 wrote to memory of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 3992 wrote to memory of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 3992 wrote to memory of 4140 3992 8fe311e5a2.exe RegAsm.exe PID 1944 wrote to memory of 2080 1944 explorti.exe 7dd822c344.exe PID 1944 wrote to memory of 2080 1944 explorti.exe 7dd822c344.exe PID 1944 wrote to memory of 2080 1944 explorti.exe 7dd822c344.exe PID 2080 wrote to memory of 2228 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2228 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2228 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2012 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2012 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2012 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2012 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2012 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2012 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2012 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2012 2080 7dd822c344.exe RegAsm.exe PID 2080 wrote to memory of 2012 2080 7dd822c344.exe RegAsm.exe PID 1944 wrote to memory of 4832 1944 explorti.exe 048e239034.exe PID 1944 wrote to memory of 4832 1944 explorti.exe 048e239034.exe PID 1944 wrote to memory of 4832 1944 explorti.exe 048e239034.exe PID 4140 wrote to memory of 740 4140 RegAsm.exe firefox.exe PID 4140 wrote to memory of 740 4140 RegAsm.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 740 wrote to memory of 2628 740 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe PID 2628 wrote to memory of 4924 2628 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe"C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf143da-4b5a-42f5-96bc-86eb78e22efc} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" gpu7⤵PID:4924
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2376 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f5288d8-a037-4528-8a0e-945140890909} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" socket7⤵PID:2268
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -childID 1 -isForBrowser -prefsHandle 1416 -prefMapHandle 2604 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {327dff68-c94a-4fd8-8770-37c03682c35d} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab7⤵PID:4796
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 2 -isForBrowser -prefsHandle 3752 -prefMapHandle 3748 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1a3ce74-5f3f-4ed2-9893-38bcb2b363e2} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab7⤵PID:4848
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4872 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4864 -prefMapHandle 4860 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {163d84e9-0eb8-456a-8b68-b55dfa0a0ac4} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" utility7⤵
- Checks processor information in registry
PID:5424 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 3 -isForBrowser -prefsHandle 5584 -prefMapHandle 5532 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71a9466b-0eb4-4a78-930e-3b5d1814674e} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab7⤵PID:4404
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5712 -prefMapHandle 5720 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68f4f68e-9d7c-4021-a9b5-9f956b5fcfd8} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab7⤵PID:1488
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6016 -childID 5 -isForBrowser -prefsHandle 5932 -prefMapHandle 5936 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fcb8807-8de8-41a4-a558-f831f44d3120} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab7⤵PID:1500
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6120 -childID 6 -isForBrowser -prefsHandle 6128 -prefMapHandle 6136 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec34e08a-ea55-4bd3-baba-2758def7e9fe} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab7⤵PID:4884
-
C:\Users\Admin\1000037002\7dd822c344.exe"C:\Users\Admin\1000037002\7dd822c344.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2228
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\1000038001\048e239034.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\048e239034.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4832
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1928
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5956
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1428
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207KB
MD52b845ae9efa4fee06f704f96b9828fdd
SHA1c3ebc546d88d08c19fb65ba086d153aae2fe46fe
SHA256da122348356834ca10d6bf9efa9cf352ba2db2e851699f981753e126cae9e508
SHA5127f1631de67e75bf5b8e08f33b7d3c5cc07b843b48ae8fc40b36cf9698538fca79f2b1cb496d2018a4d93459cc6b83d2cd3d052b1d72997694fa6221547de85c3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json
Filesize41KB
MD53da92ffdf29f0bb696b5904bdec2a24a
SHA144ba9a67551c3bae54390a2c044a50be55699797
SHA25602ce1558068fb0e66c8e7d0c4261d9cf766ffde438d0b0deb54fe9f9846a41af
SHA5126cc241c9d53ece621fdfe15ad6b8eb029289941384bd8644cdb1f1e6f0e3fd3450e5c5d7c60682646782d8a82bfce55996f706106e2b5bcab13b1bbc07ba0a25
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD5b5bbfc39be5ee3c7f6ee96c15f0fdfb3
SHA1188eb0d45b6d5c1371a5a47a2b18087285e7c76a
SHA256ef298c646b38603836aa115c4420a8beeda6530f9dd1df470763f1380084243c
SHA51212737b70539e445f7a91da4096cac0012fed4395fa0ac674fe846d15546d2001cc44e6f981e584fb5d8c3af6b5cc6e3e0ffde9b6c676bd49005866f75c575021
-
Filesize
1.8MB
MD548c24a152ce98431b83006650bc02fc8
SHA1d76713abc3ba7c3fbe823fbefc49d30484ea6ad9
SHA256284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f
SHA51235296079dcf7a710a3aeda4e5eca0cb6998f2f1253da50a7393fa42ff26a98ee36d2ba79fbd0c0c513db2bd0c7958d29a4e7ddd70d58b27080c2fa17492147fb
-
Filesize
1.2MB
MD58af76706f6ecb73d3ed8680a5e2cdc0f
SHA13668dbf5a57164102d1b0adea941316fa55f47fc
SHA256922c12d506652b85601064eb571333ef395c88e201acfd6f2a4b69ee13eae5f9
SHA512ea7f1cd1b32705e3f80a0f050ca9630505604343099e787fb57aa5cdcfee1b75218eb252519e6854ad368513e4af0756256ae7443c8dae93c9cd08829aeab3cd
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin
Filesize10KB
MD5cfff79e0532a9464c1a3d5a5c666414b
SHA18c69dea435f86e3abae6f636b8401522177bd295
SHA25635a0327d42e768ca08521d0c9e303c4e75141bfe2024f479b637726d726a5c4e
SHA5123ad032911c287cabbc2c4caf2e38fb013653f04519699345aaa0c6de85ec8f0536dffb88b4f59da66993bdd0b65801d613bd6a0b257038c7908930ff75f924d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD577a168465b3e3a3e181977262fb5935e
SHA182ac3117c1b722bf5f7bfe4f41594177a69be8b0
SHA2561d9589b37b312f7e7db97443e4c8f3720b358fa13a5fc9f7d2d288f0cc5b91bc
SHA512bef94c569af740769de11cedbd27190a0816d2cfeda4cfb2d6cb0dc9ab362f198bf687b3e18978834ecd3311e167147e1534da46939d1ea815c08ec58860fd2a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD544972857816f057defc1991c6a808db7
SHA1b66887538f9784f0190cd1ac4c70ab8e59981342
SHA25658d7370b595bf3e57180be1784dc6a644026de5f1f76f006b6595afe6d4a9273
SHA512ee2cbc85083323dd51c74f5e1c888e6db7999671ff54bde9e21e25276e7182a53c0c7982afc86868146eb816c56e80fa9bbb18f4446f86347a8fc7674f3f2466
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD5691e003c5feda10e7d33d6477d1cda26
SHA124d8a0e8ff718f4d1e957f0fb7220f40fbb6b3c9
SHA256010e6ca104fd293bd505a849f0c64590ff04b19ebdef2337924ef039855e5cfb
SHA512fba4d94d1c546521cb7e137f91e82274cd765f4bace7518e6234c8324976ffe8883055e38ba8b52d30f5719fc932f78fd10ee1dd69ac3c6785ac15c00c6a8a91
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\64c704f8-3f82-429e-a653-5c5f85458463
Filesize659B
MD5ef607567b9a2d687c0456f9e05207df2
SHA1ba26f2340f3207024159f0408ef37673ee7c3a6e
SHA256cbca9299324f8ee40e5488aa59775beacd35d3ae6e7977bb72bbe5af0379e665
SHA51275125171dd32fbb2e5803bac468e5afb468b9d8c397d359d784b8da29ff2cd4fbaa02be7ab5987c67a9645ac9efbb018f35a6be13a7fa4907e7edea40f4068a1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\a00c5435-683c-4aba-b46c-4accc7cb12ad
Filesize982B
MD58e54ac017ecdc241c21e821308385334
SHA11c5797caa4d2a5c1d35f0d7ac6cbfe100bb76082
SHA256409d64d0a2446af71773ecf25505a9f71ec68183a34a2586e41d5e441afef87f
SHA5122d5fb20d75fe95b6a120b21f3d06ec65d92ff77261299660e93e9e3376fc33baaca75023456c90682e731c0ababec5906983e17762d633cd3e5f97248b9bdd26
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
13KB
MD53f5da7069fc1f0e5d8d756e9218078b7
SHA15bbc2aa69a188a0c572bbee627da5dcac52bf41d
SHA2569fe199a898e48fe85c235e40745467264b7a4655ee5d45a2f6912bde64bcf069
SHA51259573cfd7845382966711f168060b250e9899d7fda7ee82f9cdb306045d49f1203b00fd2e8f60080be11c1b75e994d913a324331032fa266ffdc8036b619d0c9
-
Filesize
16KB
MD5da4196141486f422b0b781dd07192e3d
SHA1b85bdd05a3ebeeb910a3d4f10f79fb2e3f92261e
SHA2566dafc3d4d7757d994f03befffe6cd4335a1b35cb7529559c2a283aae9ce4ff85
SHA5122133a7548011b3c0ff11bd00e91ce728e15c031664425cb57fd32281388b97cf3fb5ea550e71a8ac8b1cbb88669a8db15632dcc08ea169e4dd630de7026210fa
-
Filesize
11KB
MD5f00f53d57745f26f19e6e2119d514926
SHA15a8385a6f87c40d2da8e19c56372cc9ddf38b1c6
SHA25659b1bc316d9c5c7fff9d36d9a9e920ae92b8a41bab75068793de31bc7ebd8f61
SHA512b007764c22c9e7e5f0f49ddf44311dcfe7ef487b0ca8c72449ea3a3704b6cbcc58199f34f2f9ebc0013e1dac40ab6003e80e022d1775fd6b1f415a2c2e91856b
-
Filesize
11KB
MD5c7e96def6fc1dd58acb34e5cc7bf527c
SHA14f62ec35664cde5eddb8c22e2ff7b7d535387ca6
SHA25613a7cc3a0d056cdb307c6672193caab1bef418c816724f61f74eb010f2261c81
SHA51215949055f0e6ec6ae97855dfd7ba09958cbb0cff229abdd7bef14cca9688c880597401e77044331f5342706efeabbd66eaf8a09b873f410bf0945e00cf1f5cad
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.6MB
MD50ba3d9b2aa32c3c4b297f88af8f8f218
SHA14d727d50a80fae5fa95cef87dc3efde880282b35
SHA256340a9cae1deab8c6de5dbe4d653e4d5d52f2b5d7c8f0cb18d956a7397c96f036
SHA5122d6bbcbbac7e2240429a47955101cdf79d7cea4c2811a2cb28a4f6bd86bbe92b9ae51d78a0dc96e9a7a354a2d564498bf73d1cc5ba8e21401e1472fd8c568622