Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-08-2024 04:24
Static task: static1
Behavioral task: behavioral1
Sample: 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
Resource: win10v2004-20240802-en
General
Target: 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
Size: 1.8MB
MD5: 113bc038fe84de38995f20642177dc1e
SHA1: faffde07789a90122d2480a0396b994d65e31c4d
SHA256: 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065
SHA512: 4fb3622a05bb899f343c0eab645a1802c8f8f4213344540ae8a7982ad7ff4f68193f1c6968c4962412e6d00d619884ec0f3013ca5ae2ce857ce42d9184659660
SSDEEP: 24576:quV4CKl9kAHhTZ8VK5201kNSuYSmNVcZzehy2to2vx/BN29CQsAC8QqkNXW4sJRg:quV4NoOhN8/NwJXcZsy+VOkHMkNgJR
Malware Config
Extracted: amadey 4.41 0657d1 http://185.215.113.19
  install_dir: 0d8f5eb8a7
  install_file: explorti.exe
  strings_key: 6c55a5f34bb433fbd933a168577b1838
  url_paths: /Vi9leo/index.php
Extracted: stealc nord http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Extracted: stealc kora http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copy of, a web browser credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Executes dropped EXE 7 IoCs
Processes (pid | process):
3420 | explorti.exe
2640 | 92d9271426.exe
1840 | f08a015692.exe
4296 | 521782bbed.exe
4456 | explorti.exe
6008 | explorti.exe
864 | explorti.exe
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | explorti.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\92d9271426.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\92d9271426.exe" | explorti.exe
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
behavioral1/memory/1684-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/1684-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/1684-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes (pid | process):
3760 | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
3420 | explorti.exe
4456 | explorti.exe
6008 | explorti.exe
864 | explorti.exe
Suspicious use of SetThreadContext 2 IoCs
Processes (description | pid | process | target process):
PID 2640 set thread context of 1684 | 2640 | 92d9271426.exe | RegAsm.exe
PID 1840 set thread context of 1448 | 1840 | f08a015692.exe | RegAsm.exe
Drops file in Windows directory 1 IoCs
Processes (description | ioc | process):
File created | C:\Windows\Tasks\explorti.job | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 521782bbed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 92d9271426.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f08a015692.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Modifies registry class 1 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes (pid | process):
3760 | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
3760 | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe
3420 | explorti.exe
3420 | explorti.exe
4456 | explorti.exe
4456 | explorti.exe
6008 | explorti.exe
6008 | explorti.exe
864 | explorti.exe
864 | explorti.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description | pid | process; 5 identical entries):
Token: SeDebugPrivilege | 5008 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid | process; 64 entries, only two distinct, each listed once):
1684 | RegAsm.exe
5008 | firefox.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid | process; 64 entries, only two distinct, each listed once):
1684 | RegAsm.exe
5008 | firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid | process):
5008 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process; 64 entries, collapsed to the 11 distinct parent/target pairs):
PID 3760 wrote to memory of 3420 | 3760 | 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe | explorti.exe
PID 3420 wrote to memory of 2640 | 3420 | explorti.exe | 92d9271426.exe
PID 2640 wrote to memory of 1684 | 2640 | 92d9271426.exe | RegAsm.exe
PID 3420 wrote to memory of 1840 | 3420 | explorti.exe | f08a015692.exe
PID 1840 wrote to memory of 3388 | 1840 | f08a015692.exe | RegAsm.exe
PID 1840 wrote to memory of 5112 | 1840 | f08a015692.exe | RegAsm.exe
PID 1840 wrote to memory of 1448 | 1840 | f08a015692.exe | RegAsm.exe
PID 3420 wrote to memory of 4296 | 3420 | explorti.exe | 521782bbed.exe
PID 1684 wrote to memory of 4788 | 1684 | RegAsm.exe | firefox.exe
PID 4788 wrote to memory of 5008 | 4788 | firefox.exe | firefox.exe
PID 5008 wrote to memory of 2424 | 5008 | firefox.exe | firefox.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe (PID 3760)
  command line: "C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 3420)
    command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1000036001\92d9271426.exe (PID 2640)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\92d9271426.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1684)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4788)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe (PID 5008)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 2424)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf7f162-5dd9-4ff8-90df-e66882e513db} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" gpu
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 3536)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6631501-0e16-4617-81da-587db248417f} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" socket
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 1156)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3188 -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 2808 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b334a1c3-737b-4c82-b508-36a7e288c81f} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 1688)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d2df664-5857-42bd-b383-6cbfc77077da} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 5296)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4356 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1456 -prefMapHandle 4108 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ce1cdd6-176d-4200-ac25-127d5522e804} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" utility
              - Checks processor information in registry
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 6048)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5276 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b9b83af-f195-4e04-8187-3ac77fd38311} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 6060)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5468 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {374f732f-8f70-42c3-bac4-f3b507b6bf1c} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 6072)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e5eb6b0-2ecd-46ec-91fb-47f97d630059} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 5140)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6272 -childID 6 -isForBrowser -prefsHandle 6264 -prefMapHandle 6268 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13195f84-5bda-44aa-a399-e3d8bf2f21d0} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab
    C:\Users\Admin\1000037002\f08a015692.exe (PID 1840)
      command line: "C:\Users\Admin\1000037002\f08a015692.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3388)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 5112)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1448)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe (PID 4296)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 4456)
  command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 6008)
  command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 864)
  command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads