Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
15-08-2024 03:45
Static task
static1
Behavioral task
behavioral1
Sample
b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe
Resource
win10v2004-20240802-en
General
-
Target
b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe
-
Size
1.9MB
-
MD5
b0793df68563b6c6e89ec848478ad0e7
-
SHA1
0d4d1e949a624613448d2e8c8007185823408234
-
SHA256
b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09
-
SHA512
fc4cd0a359b91d8e9d5c07572abb57e6b0be58f502432018b6657615eceb7a3bbc633bf6b3ca8b40ba77899e3ac839b0d98b7adc160fbdb04226675548bad42e
-
SSDEEP
24576:aJmQl5FsB1PyY8FE9ThJJhsz8jFv9/LuDCeN4OqTKr4M+XNinNvP8zZnW8TIkEFW:Ojk8i9JhT6H7qe4jintPiWUAufqDU
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exeexplorti.exeexplorti.exeb6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe -
Executes dropped EXE 7 IoCs
Processes:
explorti.exeexplorti.exe79005ad8df.exea97ffb87e3.exedc1b820db4.exeexplorti.exeexplorti.exepid process 248 explorti.exe 1132 explorti.exe 5044 79005ad8df.exe 4428 a97ffb87e3.exe 3452 dc1b820db4.exe 4220 explorti.exe 1524 explorti.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\79005ad8df.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\79005ad8df.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/1884-48-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/1884-52-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/1884-50-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 4804 b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe 248 explorti.exe 1132 explorti.exe 4220 explorti.exe 1524 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
79005ad8df.exea97ffb87e3.exedescription pid process target process PID 5044 set thread context of 1884 5044 79005ad8df.exe RegAsm.exe PID 4428 set thread context of 4360 4428 a97ffb87e3.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exedescription ioc process File created C:\Windows\Tasks\explorti.job b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
dc1b820db4.exeb6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exeexplorti.exe79005ad8df.exeRegAsm.exea97ffb87e3.exeRegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dc1b820db4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 79005ad8df.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a97ffb87e3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 4804 b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe 4804 b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe 248 explorti.exe 248 explorti.exe 1132 explorti.exe 1132 explorti.exe 4220 explorti.exe 4220 explorti.exe 1524 explorti.exe 1524 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 4012 firefox.exe Token: SeDebugPrivilege 4012 firefox.exe Token: SeDebugPrivilege 4012 firefox.exe Token: SeDebugPrivilege 4012 firefox.exe Token: SeDebugPrivilege 4012 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exeRegAsm.exefirefox.exepid process 4804 b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 1884 RegAsm.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 4012 firefox.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exepid process 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe 1884 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 4012 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exeexplorti.exe79005ad8df.exea97ffb87e3.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 4804 wrote to memory of 248 4804 b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe explorti.exe PID 4804 wrote to memory of 248 4804 b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe explorti.exe PID 4804 wrote to memory of 248 4804 b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe explorti.exe PID 248 wrote to memory of 5044 248 explorti.exe 79005ad8df.exe PID 248 wrote to memory of 5044 248 explorti.exe 79005ad8df.exe PID 248 wrote to memory of 5044 248 explorti.exe 79005ad8df.exe PID 5044 wrote to memory of 1884 5044 79005ad8df.exe RegAsm.exe PID 5044 wrote to memory of 1884 5044 79005ad8df.exe RegAsm.exe PID 5044 wrote to memory of 1884 5044 79005ad8df.exe RegAsm.exe PID 5044 wrote to memory of 1884 5044 79005ad8df.exe RegAsm.exe PID 5044 wrote to memory of 1884 5044 79005ad8df.exe RegAsm.exe PID 5044 wrote to memory of 1884 5044 79005ad8df.exe RegAsm.exe PID 5044 wrote to memory of 1884 5044 79005ad8df.exe RegAsm.exe PID 5044 wrote to memory of 1884 5044 79005ad8df.exe RegAsm.exe PID 5044 wrote to memory of 1884 5044 79005ad8df.exe RegAsm.exe PID 5044 wrote to memory of 1884 5044 79005ad8df.exe RegAsm.exe PID 248 wrote to memory of 4428 248 explorti.exe a97ffb87e3.exe PID 248 wrote to memory of 4428 248 explorti.exe a97ffb87e3.exe PID 248 wrote to memory of 4428 248 explorti.exe a97ffb87e3.exe PID 4428 wrote to memory of 4360 4428 a97ffb87e3.exe RegAsm.exe PID 4428 wrote to memory of 4360 4428 a97ffb87e3.exe RegAsm.exe PID 4428 wrote to memory of 4360 4428 a97ffb87e3.exe RegAsm.exe PID 4428 wrote to memory of 4360 4428 a97ffb87e3.exe RegAsm.exe PID 4428 wrote to memory of 4360 4428 a97ffb87e3.exe RegAsm.exe PID 4428 wrote to memory of 4360 4428 a97ffb87e3.exe RegAsm.exe PID 4428 wrote to memory of 4360 4428 a97ffb87e3.exe RegAsm.exe PID 4428 wrote to memory of 4360 4428 a97ffb87e3.exe RegAsm.exe PID 4428 wrote to memory of 4360 4428 a97ffb87e3.exe RegAsm.exe PID 248 wrote to memory of 3452 248 explorti.exe dc1b820db4.exe PID 248 wrote to memory of 3452 248 explorti.exe dc1b820db4.exe PID 248 wrote to memory of 3452 248 explorti.exe dc1b820db4.exe PID 1884 wrote to memory of 1080 1884 RegAsm.exe firefox.exe PID 1884 wrote to memory of 1080 1884 RegAsm.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 1080 wrote to memory of 4012 1080 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe PID 4012 wrote to memory of 4324 4012 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe"C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:248 -
C:\Users\Admin\AppData\Local\Temp\1000036001\79005ad8df.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\79005ad8df.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8391a761-eff9-4e15-9dcb-912881f7e316} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" gpu7⤵PID:4324
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b403a29b-232e-4e87-8a2c-e1a2ea04ef21} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" socket7⤵PID:3248
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 3108 -prefMapHandle 2756 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed872b4f-73c0-4e86-aec0-5707cce083be} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab7⤵PID:4656
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4028 -childID 2 -isForBrowser -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbdd4419-2891-41ba-a31f-f8fecaa37521} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab7⤵PID:3812
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4904 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4896 -prefMapHandle 4892 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38768ed5-2fe5-4f3e-91c6-a05278cac601} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" utility7⤵
- Checks processor information in registry
PID:428 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 5512 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a712341b-eeca-4930-9404-cf26787b5dcd} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab7⤵PID:5860
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 4 -isForBrowser -prefsHandle 5772 -prefMapHandle 5768 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3534fbd6-c150-4d77-9c43-5f03a00453c4} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab7⤵PID:5876
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 5 -isForBrowser -prefsHandle 5976 -prefMapHandle 5972 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aaf9843-3bd3-49e1-9f02-3ee2088547aa} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab7⤵PID:5888
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 6 -isForBrowser -prefsHandle 6100 -prefMapHandle 6104 -prefsLen 27101 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a89d07ab-3699-4cde-ad79-8daa078c37ba} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab7⤵PID:4660
-
C:\Users\Admin\1000037002\a97ffb87e3.exe"C:\Users\Admin\1000037002\a97ffb87e3.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\1000038001\dc1b820db4.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\dc1b820db4.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3452
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1132
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4220
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1524
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
330KB
MD5b9725e6125233dee3e1feb1a5877850b
SHA1fa69edc44d562ede0c1dbafe263a847c638dad60
SHA256dd6aca77dc5c84918250f8c681a3a7391d0b6e512c763f9eaf4eb7e4c3695fd4
SHA5125b1a9520b5dc10085756fd72a20de62f6f6ed48f1d76f7a93ebbf847a6c699c03121ebe56dadc1b0bf90855b7d446af47a46b3ce8527a07abd7457d62b4271d9
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD56d902274d3c48ad4c6e87906170222a5
SHA14aee4d740f8eace33fd2b9a6fb68fc859e36c8c3
SHA256c93a208227e66439927fa1b210c7264286a43e493fb8704a48bebba7a85dbe54
SHA512500363e2f088e0840c3223d7b601223b5f4691258de0f4f8413212ae9e88750fb9ed28732bd6f9b2d4d67dd020f1f72bde58f6a2e06394c2bc7007c231dc0234
-
Filesize
1.9MB
MD5b0793df68563b6c6e89ec848478ad0e7
SHA10d4d1e949a624613448d2e8c8007185823408234
SHA256b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09
SHA512fc4cd0a359b91d8e9d5c07572abb57e6b0be58f502432018b6657615eceb7a3bbc633bf6b3ca8b40ba77899e3ac839b0d98b7adc160fbdb04226675548bad42e
-
Filesize
1.3MB
MD503dea3374e443f985819c31eca10560c
SHA144b963d221b2b52835ac389b41754873a7a48779
SHA2566fbef0d57502a0dcbebe0c8bb1d592bbb03c605ec403dc67fc2f972e4fb91c05
SHA512df33d2d8561895417f486ac6264bec591324f8e2083dab2783c5ad18035013478599b080d193bab601bcb77324502deebe01a44da4f413e335a0de91a45fc489
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin
Filesize10KB
MD5e8cb66fa5e7ea47c2d527613a759f789
SHA105f0fcfee4e489aebb590fdc328728f798bb5292
SHA256ae98b7fd44e9b4e24d81d4de0173996a7bfd86ff3cfb980d373b60a02107008f
SHA512e05bb8279c70778966c2449362fd0bc51898f9339d0af0b05e631157b84ef26716549d9f853ff5d467488e02ef4b171955e568ab1dfdfbfba932d002100236b1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin
Filesize12KB
MD548f5b9848159511471c06448bf0af945
SHA1bc09c144d98b8cbc32ea2453676a1ce86a4d00f8
SHA256b5f03725adad6bdb953261d9daaf968f9f15e157961cdf73fc7b43ac66e7b114
SHA5120377af524dd0414beda9e52c29ff8c75856d468b6cccd44ca0cb608d8a6d5bb4b9303e45c012f873122b50c5fbc0d364e823aa037544b87d0b16f42a695a5d11
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD5c8b4ab04f2cb0626f2109432b0cf1cce
SHA161860e6c20948398c0adc6a95c85f3180fba3047
SHA25679ff4edb6ae7ced74f8ceb5ad665751981689184aa3e1e6ff55cc2df4675edc6
SHA512cca6381a8c751155f3289af70d4e230b577637245e726a6c126b775115e377a2c7232ae120f5252af9215d6c68f47aaa85c80327cd29065cf3fea7499b505fc6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5ec28abdc9f73abbe17282a090bb581b2
SHA1a7cec4a5ab0e174bb87c7b1435c7417689321212
SHA256649bf262bc0ba56c8a00eab97a9e39e559b195856a10511bf67115d5f03d9c98
SHA512e2fccbfd25d973917e563c2fb605f109158395e9f519c9163886933682a1973b167cb246f2ba9f50b3636e9f99bb5c78597217d68d9a5f14171efa6306427f33
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD50333783b0751e4e0f192a7225dae0b8a
SHA1abc7b4f3df32ba7e3ca6dbaf1108e6fb5f9407c5
SHA2561de1073df075f089273c8623ae7e97a6078ca16f4868f82c09f3d9ee70669095
SHA512f525e1df05e15bbad2a11ad7a7967c3d91db7b4adc59ab48fca2850d6c2cd0078c3109050c960c71b3365a732c3ec61c9d69bf91b1d0aa1ff33b3f5ab81b93fd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD5706387e24c549230d3bd629f2c3bd1ea
SHA15e3a7e7645eb67219300d906752902a41a2d1b10
SHA256f0d149990b3a75f46b99af35a9cde6056c6ff698fa1586fbadf022d01031e099
SHA512812d008538d3c75edf389079c4b09954e3423b35bec62ae6b3c6a96638bb195089a8a85f84039224af1762feaab59c1d5b5e6c4fb0f3cd6ac0d7a929295fd940
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\4c25bc39-04ca-48bf-8511-7cab93484900
Filesize659B
MD5a4b7ef159f5bc24464adfedd8b1166f1
SHA1ebd410c404d4ca119e93f8d46f1dbb40d277554b
SHA25646a01b63ab8fb2456891a1b06f0d9c218bc6961015e7b0c9fa3a9645de87a663
SHA51206cb98a9c0d0d248613c67e8f8d345da9855503845027511e7386b3aa2e72c495934b70b172325fa61cb244bd8d840ab79e4eca9cae0f082a6293036e7be50ce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\692edcee-e6a4-4850-8092-3a2ca5409545
Filesize982B
MD5cef06387b3b885dffa1c4ebc70aeca39
SHA134375d53bbfa76c20f74092d45bb181778ca626b
SHA25605345c327ace3025e56d480f9f95951d1ab5bbe271e0d0f8b8907b9bfb62e57d
SHA51234d4f5dcb78e77e5e59164cf0da31de043ee172681ff6c0a36b4cbfa379821d5d95dc22f6c6a90c2bb78a4cbe6735cf2570e544440269922f1890891fe49998c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
13KB
MD5cade517ac00e177bca8d9f04f29aa7e9
SHA102edfb5ab586d8d5ad51d566b0b8b76f85117ee5
SHA2564e40976c04081d766c1d23de39a901701c4175444d818adf60f5e2010081a6e4
SHA5122d2d14c271494fe2f06300ce691fa56f0ffdc08fe919a9c309e7dffbbd8d7b32fe56a5d1c70412cd6e0403225c7b14069cdf7cb6606c085ff41c56947d24d2eb
-
Filesize
16KB
MD50607c3ff27c2adda08452687f692578c
SHA17f4f369829e778eb5d09947015dbd238fc39e747
SHA256e45de415801e207d73f3e8c9941625b192bbcc07069523a57a086db4217f82fd
SHA51266324b27cb1af825394933f5ed6ad7f4dc3b8c076aecf224fdda4f0c20f95915e0b13faf556c84fe5bc900adb57dafa93820d5b2d8144e6c9a85211e9e06aa38
-
Filesize
11KB
MD54ea996795959ece12c4a83d63845ab97
SHA1d09241cc52558aa83e318a55eed71d66ceaa7f1d
SHA2563a408b9c82750a05d536e202d0370dcd6d56e67a47956498e8e17b13843fe4d7
SHA5123ad8b9c934adba7599829a87b63b41813fe31dc310b4997817cf3b7a8c3a06d85f3405e247337bacf9863abe2fd90f7e0e01fc95666356f6fe52790708e1bef3
-
Filesize
11KB
MD5e5ad804db29edd8acfea91c4c2b13f33
SHA127d049697ac01161b524e7767a668cae38a2fef2
SHA25611ac016fcee27d9e46082e0b7aada7bddc98743599cf4b2f7c455a7870e0f5fd
SHA512eeb87e477759f87f63ebdce63c0beb2f649a6508ec70a5c40f573423a15f5d0cea5d4709dd04d1f2e4bfd5144b11d88ae157544808a8b1dea80cd6ef7639f252