Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-08-2024 00:19
Static task: static1
Behavioral task: behavioral1
  Sample: ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
  Resource: win11-20240802-en
General
Target: ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
Size: 1.8MB
MD5: 089886bf7e26432d1b8871ad0fad7a6f
SHA1: 658b258103dfa62705e1a8d3a1cc3a0da105c9f7
SHA256: ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e
SHA512: 72006c3cfcbba34bfcbc8e4404eef75067ce5945529ae5802bc3b4a4790781ec032ded0ccd4c96df38f5a5a37cdc9b88b72734a6ed0abbccbb09c9ccb1b0c7e5
SSDEEP: 49152:DYDVWg9g4L78+neMv0+mvHhK2HoIAWXPAEC7Bloj:MTga8LMbmvHhbHoIAWXPhCdlu
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copying of, the web browser credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Executes dropped EXE (6 IoCs)
Processes:
pid | process
212 | explorti.exe
4188 | 287dd4930a.exe
840 | 956ba0e9e9.exe
3956 | 7906e48338.exe
5560 | explorti.exe
3000 | explorti.exe
Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | explorti.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\287dd4930a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\287dd4930a.exe" | explorti.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/2068-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/2068-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/2068-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
pid | process
1148 | ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
212 | explorti.exe
5560 | explorti.exe
3000 | explorti.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 4188 set thread context of 2068 | 4188 | 287dd4930a.exe | RegAsm.exe
PID 840 set thread context of 4296 | 840 | 956ba0e9e9.exe | RegAsm.exe
Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 956ba0e9e9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7906e48338.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 287dd4930a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid | process
1148 | ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe (listed twice)
212 | explorti.exe (listed twice)
5560 | explorti.exe (listed twice)
3000 | explorti.exe (listed twice)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1116 | firefox.exe (listed five times)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
pid | process
2068 | RegAsm.exe
1116 | firefox.exe
(The report repeats these two entries for a total of 64 rows.)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
pid | process
2068 | RegAsm.exe
1116 | firefox.exe
(The report repeats these two entries for a total of 64 rows.)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
1116 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct parent/target pairs; the report repeats each pair once per write):
description | pid | process | target process
PID 1148 wrote to memory of 212 | 1148 | ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe | explorti.exe
PID 212 wrote to memory of 4188 | 212 | explorti.exe | 287dd4930a.exe
PID 4188 wrote to memory of 2068 | 4188 | 287dd4930a.exe | RegAsm.exe
PID 212 wrote to memory of 840 | 212 | explorti.exe | 956ba0e9e9.exe
PID 840 wrote to memory of 4952 | 840 | 956ba0e9e9.exe | RegAsm.exe
PID 840 wrote to memory of 1096 | 840 | 956ba0e9e9.exe | RegAsm.exe
PID 840 wrote to memory of 924 | 840 | 956ba0e9e9.exe | RegAsm.exe
PID 840 wrote to memory of 4296 | 840 | 956ba0e9e9.exe | RegAsm.exe
PID 212 wrote to memory of 3956 | 212 | explorti.exe | 7906e48338.exe
PID 2068 wrote to memory of 3976 | 2068 | RegAsm.exe | firefox.exe
PID 3976 wrote to memory of 1116 | 3976 | firefox.exe | firefox.exe
PID 1116 wrote to memory of 3608 | 1116 | firefox.exe | firefox.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] "C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe" (PID 1148)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" (PID 212)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] "C:\Users\Admin\AppData\Local\Temp\1000036001\287dd4930a.exe" (PID 4188)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 2068)
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
        [5] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (PID 3976)
            - Suspicious use of WriteProcessMemory
          [6] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (PID 1116)
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da708147-397a-45ab-9409-447d8d920bd5} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" gpu (PID 3608)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15514122-c61c-436b-8c30-83f6b46c3620} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" socket (PID 812)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1576 -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 3204 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d3b098f-d7c9-4a29-b1a7-c0b66c3004ad} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab (PID 3468)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2680 -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3632 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0b3f03b-17d2-4575-9c7a-9aa33a06d735} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab (PID 4496)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4644 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71bf4753-179a-4fcd-a545-4219481967ed} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" utility (PID 5212)
                - Checks processor information in registry
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 3 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {715a827a-8638-4ecb-9d93-02ab4170b983} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab (PID 4808)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 4 -isForBrowser -prefsHandle 5844 -prefMapHandle 5876 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {804c5693-a8ec-4a02-9c71-85336d039aff} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab (PID 956)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5892 -childID 5 -isForBrowser -prefsHandle 5772 -prefMapHandle 5644 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76198f52-577d-48ec-9c1f-fe2a0de028eb} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab (PID 4320)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6228 -childID 6 -isForBrowser -prefsHandle 6308 -prefMapHandle 6304 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd19a29-3e2d-46be-b59a-5afcc7866233} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab (PID 5404)
    [3] "C:\Users\Admin\1000037002\956ba0e9e9.exe" (PID 840)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 4952)
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 1096)
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 924)
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 4296)
          - System Location Discovery: System Language Discovery
    [3] "C:\Users\Admin\AppData\Local\Temp\1000038001\7906e48338.exe" (PID 3956)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 5560)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 3000)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads