53285fb142e48bd1a568509c8997067370ac4578b3c92d8c3bc75ecdebc2915f

General

Target

Akira.exe
Size

5.1MB
MD5

47feab24e4a7a088fcac9a7067cbf318
SHA1

bbe0dcbe7eb3d0fa19b4afb5edff51b7066ec45d
SHA256

53285fb142e48bd1a568509c8997067370ac4578b3c92d8c3bc75ecdebc2915f
SHA512

6b3b0e289d06839cfd32327dfa1795368601a789c3dc2a0db9f0cce01001a28a584d5c26ce4e46e9002626a1f3ba318e038578e86f00cff489956aace8b419aa
SSDEEP

98304:KxNeg5VPsVXSfJHbM+A+PoudLZ1uRhkuoxa4kReiX2+jli:TgTZhHbFddNZ1kroxacUbBi

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Akira.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Akira.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Akira.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Akira.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Akira.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Akira.exe

Themida packer 25 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2476-121-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-122-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-123-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-124-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-125-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-126-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-127-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-128-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-131-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-132-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-133-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-135-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-139-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-144-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-150-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-206-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-491-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-550-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-596-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-642-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-684-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-733-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-771-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-827-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida
behavioral1/memory/2476-869-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Akira.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Akira.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Akira.exe

pid process

2476 Akira.exe
2476 Akira.exe
2476 Akira.exe
2476 Akira.exe
2476 Akira.exe
2476 Akira.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Akira.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 10 IoCs

Processes:

Akira.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\discord-997338449747120159	Akira.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\discord-997338449747120159\ = "URL:Run game 997338449747120159 protocol"	Akira.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\discord-997338449747120159\DefaultIcon	Akira.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\discord-997338449747120159\shell	Akira.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\discord-997338449747120159\shell\open	Akira.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\discord-997338449747120159\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Akira.exe"	Akira.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\discord-997338449747120159\URL Protocol	Akira.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\discord-997338449747120159\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Akira.exe"	Akira.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\discord-997338449747120159\shell\open\command	Akira.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

Akira.exe

pid	process
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe
2476	Akira.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Akira.exe

pid process

2476 Akira.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	4440	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4440 firefox.exe
4440 firefox.exe
4440 firefox.exe
4440 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4440 firefox.exe
4440 firefox.exe
4440 firefox.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Akira.exefirefox.exe

pid process

2476 Akira.exe
4440 firefox.exe

pid	process
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe

pid	process
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Akira.execmd.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2476 wrote to memory of 3692	2476	Akira.exe	cmd.exe
PID 2476 wrote to memory of 3692	2476	Akira.exe	cmd.exe
PID 3692 wrote to memory of 3908	3692	cmd.exe	certutil.exe
PID 3692 wrote to memory of 3908	3692	cmd.exe	certutil.exe
PID 3692 wrote to memory of 5012	3692	cmd.exe	find.exe
PID 3692 wrote to memory of 5012	3692	cmd.exe	find.exe
PID 3692 wrote to memory of 5104	3692	cmd.exe	find.exe
PID 3692 wrote to memory of 5104	3692	cmd.exe	find.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 4440	3524	firefox.exe	firefox.exe
PID 4440 wrote to memory of 1204	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 1204	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe
PID 4440 wrote to memory of 3864	4440	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Akira.exe
"C:\Users\Admin\AppData\Local\Temp\Akira.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Akira.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Akira.exe" MD5
3⤵
PID:3908

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:5104

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:5012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4440.0.1909457609\1740463739" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1660 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e3e2df0-7df3-41c9-ba7b-99e02d9a62b1} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" 1748 21497f06858 gpu
3⤵
PID:1204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4440.1.585161038\61733791" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {333a0cea-53c4-4e26-9209-d397cf22c89a} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" 2104 21484472258 socket
3⤵
PID:3864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4440.2.1865253751\1502404209" -childID 1 -isForBrowser -prefsHandle 2660 -prefMapHandle 2600 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a00cb542-39fd-4e5f-971a-cdf857f298fe} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" 3024 2149ad0b458 tab
3⤵
PID:5064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4440.3.2130334689\1180757859" -childID 2 -isForBrowser -prefsHandle 3512 -prefMapHandle 3508 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6130e59f-5824-4f83-8f26-ef6f61178a76} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" 3516 21484460758 tab
3⤵
PID:3192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4440.4.187407011\25456123" -childID 3 -isForBrowser -prefsHandle 4324 -prefMapHandle 4320 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3afe07d3-50c7-4528-94a2-464c58b75109} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" 4336 2149caf4558 tab
3⤵
PID:648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4440.5.1650669756\2087005035" -childID 4 -isForBrowser -prefsHandle 4816 -prefMapHandle 4696 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9afab2f1-03ea-49c3-b65e-8214c71a4cfb} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" 4852 2149d51ba58 tab
3⤵
PID:404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4440.6.256623963\1021146051" -childID 5 -isForBrowser -prefsHandle 4900 -prefMapHandle 4904 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce8a0be2-d6a2-47ac-9587-919c102be2a5} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" 4852 2149d55de58 tab
3⤵
PID:2020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4440.7.1525889654\513416248" -childID 6 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54fe7e7c-6bdc-4e14-8caa-fb9b23f09aa4} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" 4936 2149d55cc58 tab
3⤵
PID:2612

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4440.8.1075119003\2129823319" -childID 7 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 26984 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68d00ec3-5a63-45b3-be94-8952ef33ac9b} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" 4976 2149963fa58 tab
3⤵
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp
Filesize
149KB

MD5
ee6d34e3e7e5292dedb28fd087b0a216

SHA1
135159a7bc0b29dc924bf0bae5f3f374bf660c5f

SHA256
3ad902de5ee7122d0ababedb747168d216f50c7a3179290206139d119c38683b

SHA512
3ad813d3528dba37572a3623258cc7f088b0222aa8d1bc7495c8697e91cd3d1f0a517eb2c040ca937f6d4e771c78091eb2d59f00ca30e9dfb390da56a7c40c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js
Filesize
6KB

MD5
fc03769491e92557713bff75b3dcae44

SHA1
a4f4687575dba8a950a014c93d8f9f086a2b68d6

SHA256
3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

SHA512
8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
59d2839bfc7a39a4a929b6e035cce491

SHA1
99ff817e04826cec80495a77e0950a56e1f6c664

SHA256
a8f373105b8fefce1c2ab4cffd0af10188b3f508fa821916a2ae3639f554be90

SHA512
c19c6ee614f227402e7458967c8a433188d97f7d2de0c379f7894988e108e73a072f60ab63a87fc417a6f5365f7ee543c74371b2cb89737c5ab5c350677fbe18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
f57043e6290be991e787494c224afb76

SHA1
4b0c6ed27b122e639f4bdead42cb30f31a651c3b

SHA256
6e90856a297390c971d60ed3dfeb8c2071fe96603cd1cd7ebe18b1f1c06e31e5

SHA512
1666449ad233fec40078f8eac4ccdd77b894e1ccd517e870903e18f5cfebb8de5766e4a506fc687209cbb3b0187986e13d19f92025316e14ba3856bc9030d1e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
e71e1ccec560e8b6c5fda8fea55a9fda

SHA1
43882e71f978d4d08b086290559b200c556a77a2

SHA256
4ca4dc8083f7eebc2626a16bd45e2d31792050c30c0bd8711027dfc4816f5c00

SHA512
26c0489769ecab0756e08d35d8228c4ab7c34daecadd9f6cea285bcdc553646320daae300d3c47156691e7fb6e7206ad0305880d6445a4f466547b9e01c5d6d3

Download Submit
memory/2476-131-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-491-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-133-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-135-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-139-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-144-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-150-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-121-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-128-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-206-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-127-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-126-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-125-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-132-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-550-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-596-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-642-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-684-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-733-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-771-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-827-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-869-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-124-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-123-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download
memory/2476-122-0x00007FF7903B0000-0x00007FF790F55000-memory.dmp

Filesize
11.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads