Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 13-08-2024 06:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
- Resource: win10v2004-20240802-en
General
- Target: b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
- Size: 1.8MB
- MD5: f8348bd316750a70f9c1f56eb9d4c700
- SHA1: 5166b30fc5b622863e4edb83ef13905dff6e5295
- SHA256: b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b
- SHA512: 1495d3e0961447ca074a61e493b14d03cdcbebfafd95ec29ad55721556a52457186801cf42597f1aa4a04400dd56ade7d151ec926301c6a0df9d55b3e25ee0ef
- SSDEEP: 49152:Lj4rgB1bGh5MikKCHGvjRnK606KOeLZjgwVy1DuO:LjweJKMikclnfHtwV
Malware Config
Extracted: amadey 4.41 / 0657d1 / http://185.215.113.19
- install_dir: 0d8f5eb8a7
- install_file: explorti.exe
- strings_key: 6c55a5f34bb433fbd933a168577b1838
- url_paths: /Vi9leo/index.php
Extracted: stealc / nord / http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Extracted: stealc / kora / http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to or copying of the web browser credential store.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  Processes (description / ioc / process):
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by explorti.exe (4 instances)
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 10 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by explorti.exe (4 instances)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by explorti.exe (4 instances)
- Executes dropped EXE (7 IoCs)
  Processes (pid / process):
  - 2280 explorti.exe
  - 1468 ce459c4bc6.exe
  - 868 2f60e7fe05.exe
  - 3012 a80d610d1a.exe
  - 4052 explorti.exe
  - 5404 explorti.exe
  - 1584 explorti.exe
- Identifies Wine through registry keys (2 TTPs, 5 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description / ioc / process):
  - Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine by b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  - Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine by explorti.exe (4 instances)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\ce459c4bc6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\ce459c4bc6.exe" by explorti.exe
- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  Resources (resource / yara_rule):
  - behavioral2/memory/2704-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
  - behavioral2/memory/2704-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
  - behavioral2/memory/2704-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes (pid / process):
  - 2464 b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  - 2280 explorti.exe
  - 4052 explorti.exe
  - 5404 explorti.exe
  - 1584 explorti.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process / target process):
  - PID 1468 ce459c4bc6.exe set thread context of 2704 RegAsm.exe
  - PID 868 2f60e7fe05.exe set thread context of 4736 RegAsm.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description / ioc / process):
  - File created C:\Windows\Tasks\explorti.job by b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe, explorti.exe, ce459c4bc6.exe, RegAsm.exe, 2f60e7fe05.exe, RegAsm.exe and a80d610d1a.exe
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process), all by firefox.exe:
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (2 times)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 times)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- Modifies registry class (1 IoCs)
  Processes (description / ioc / process):
  - Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings by firefox.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid / process), each listed twice:
  - 2464 b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe
  - 2280 explorti.exe
  - 4052 explorti.exe
  - 5404 explorti.exe
  - 1584 explorti.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege by 768 firefox.exe (5 times)
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid / process): 2704 RegAsm.exe and 768 firefox.exe, 64 entries in total
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes (pid / process): 2704 RegAsm.exe, 64 entries
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 768 firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process / target process), repeated entries collapsed:
  - PID 2464 b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe wrote to memory of 2280 explorti.exe
  - PID 2280 explorti.exe wrote to memory of 1468 ce459c4bc6.exe
  - PID 1468 ce459c4bc6.exe wrote to memory of 2704 RegAsm.exe
  - PID 2280 explorti.exe wrote to memory of 868 2f60e7fe05.exe
  - PID 868 2f60e7fe05.exe wrote to memory of 3280 RegAsm.exe
  - PID 868 2f60e7fe05.exe wrote to memory of 4636 RegAsm.exe
  - PID 868 2f60e7fe05.exe wrote to memory of 1604 RegAsm.exe
  - PID 868 2f60e7fe05.exe wrote to memory of 4736 RegAsm.exe
  - PID 2280 explorti.exe wrote to memory of 3012 a80d610d1a.exe
  - PID 2704 RegAsm.exe wrote to memory of 1464 firefox.exe
  - PID 1464 firefox.exe wrote to memory of 768 firefox.exe
  - PID 768 firefox.exe wrote to memory of 3412 firefox.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe (PID 2464, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 2280, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe (PID 1468, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2704, depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        Child processes:
        - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1464, depth 5)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          Signatures:
          - Suspicious use of WriteProcessMemory
          Child processes:
          - C:\Program Files\Mozilla Firefox\firefox.exe (PID 768, depth 6)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            Signatures:
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            Child processes (depth 7, all C:\Program Files\Mozilla Firefox\firefox.exe):
            - PID 3412 (gpu): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e8a2995-24ef-4278-96d5-223a45b0bd72} 768 "\\.\pipe\gecko-crash-server-pipe.768" gpu
            - PID 2844 (socket): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {851a5bc1-1289-43ad-aeef-92b9deb5a818} 768 "\\.\pipe\gecko-crash-server-pipe.768" socket
            - PID 3260 (tab): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3088 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4db98f4-65e0-48b0-a8f3-fb253852eddb} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab
            - PID 4740 (tab): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3884 -childID 2 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {423ca0fd-142b-40b9-a981-e66543354900} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab
            - PID 2800 (utility): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4888 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4720 -prefMapHandle 4808 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef3eaa98-001d-48cc-9265-8c6a706c1175} 768 "\\.\pipe\gecko-crash-server-pipe.768" utility
              Signatures:
              - Checks processor information in registry
            - PID 4920 (tab): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5580 -prefMapHandle 5568 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b32b092-a662-4098-a696-d2949f17d12d} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab
            - PID 1848 (tab): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5840 -prefMapHandle 5580 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c0d13c3-33d8-4a54-9940-84ffacf1447e} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab
            - PID 4176 (tab): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 5 -isForBrowser -prefsHandle 5980 -prefMapHandle 5984 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4937cd3-93e5-43d2-a7e4-aaac64117164} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab
            - PID 2396 (tab): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6172 -childID 6 -isForBrowser -prefsHandle 6180 -prefMapHandle 6184 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ef9ad01-27ad-4b3e-86a2-b736b63239e7} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab
    - C:\Users\Admin\1000037002\2f60e7fe05.exe (PID 868, depth 3)
      Command line: "C:\Users\Admin\1000037002\2f60e7fe05.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Child processes (depth 4, all C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"):
      - PID 3280
      - PID 4636
      - PID 1604
      - PID 4736
        Signatures:
        - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\1000038001\a80d610d1a.exe (PID 3012, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\a80d610d1a.exe"
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 4052, depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 5404, depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 1584, depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads