b08d00a9eba33a30059541904152d59655c7354316966fdd58090aae59958dd3

Resubmissions

24-03-2023 19:59

230324-yqwp8aha65 9

24-03-2023 19:53

230324-yl46ssbb7w 9

Analysis

max time kernel
211s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Growpai.dll
Size

4.8MB
MD5

7f3c2aed44eb710ed0f624f3d4bb665e
SHA1

8389c33e975681201900eab75b4d8d34fca52000
SHA256

b08d00a9eba33a30059541904152d59655c7354316966fdd58090aae59958dd3
SHA512

82fa8eefb4d9086bab8995d4586f73022f4e90170b1f758909f2c6d564c82f35e12fcda6aa1b514c0ea2d21ef356376a1229aae71217a591194eb3b015c7c115
SSDEEP

98304:4FSydiu3WTYUHPFH7DKIE0hTBs4hQl2aRa5pi8SS0B71pi:40RxTBHPJDKPqBs4CR2ES0Bi

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/4424-133-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp	themida
behavioral1/memory/4424-134-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp	themida
behavioral1/memory/4424-135-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp	themida
behavioral1/memory/4424-136-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp	themida
behavioral1/memory/4424-137-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp	themida
behavioral1/memory/4424-138-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp	themida
behavioral1/memory/4424-139-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

4424 rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

pid	process
4424	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4552 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	4552	taskmgr.exe
Token: SeSystemProfilePrivilege	4552	taskmgr.exe
Token: SeCreateGlobalPrivilege	4552	taskmgr.exe
Token: SeDebugPrivilege	3192	firefox.exe
Token: SeDebugPrivilege	3192	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exefirefox.exe

pid	process
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
3192	firefox.exe
4552	taskmgr.exe
4552	taskmgr.exe
3192	firefox.exe
3192	firefox.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
3192	firefox.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exefirefox.exe

pid	process
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
3192	firefox.exe
4552	taskmgr.exe
4552	taskmgr.exe
3192	firefox.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
3192	firefox.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe
4552	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

3192 firefox.exe
3192 firefox.exe
3192 firefox.exe
3192 firefox.exe

pid	process
3192	firefox.exe
3192	firefox.exe
3192	firefox.exe
3192	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 4388 wrote to memory of 3192	4388	firefox.exe	firefox.exe
PID 3192 wrote to memory of 1336	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 1336	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 3324	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 4228	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 4228	3192	firefox.exe	firefox.exe
PID 3192 wrote to memory of 4228	3192	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Growpai.dll,#1
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4424

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.0.577598440\1289194570" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e545274b-5939-43bc-b4bb-b5f0b9aad092} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 1928 198b8207258 gpu
3⤵
PID:1336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.1.503064677\2007880014" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {367aeab7-5794-4cc2-b6d8-2aa6ef407bc1} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 2316 198aa272858 socket
3⤵
PID:3324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.2.303910877\2137716187" -childID 1 -isForBrowser -prefsHandle 3432 -prefMapHandle 3428 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6787e6a-54e7-4370-ba3d-d2df9e4214c6} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 2976 198ba736558 tab
3⤵
PID:4228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.3.446339555\845135144" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 2988 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {767b6134-5a4d-442b-a303-91511c13fe16} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 2476 198aa272258 tab
3⤵
PID:3184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.4.1357451420\1751440462" -childID 3 -isForBrowser -prefsHandle 3832 -prefMapHandle 3828 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bac83a72-47ed-450f-a7b5-cc6ade643fac} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 3840 198bb13ae58 tab
3⤵
PID:1400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.5.1869329396\1986082924" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 3960 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a610a4f9-4344-43fa-9af3-f026e178dbc6} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 4824 198bd47a258 tab
3⤵
PID:1640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.6.1725981703\1629813967" -childID 5 -isForBrowser -prefsHandle 4812 -prefMapHandle 4808 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6164b7df-4738-4c57-8727-1fe47a2e0e6e} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 4956 198bd47bd58 tab
3⤵
PID:5060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.7.2085970736\994706022" -childID 6 -isForBrowser -prefsHandle 5176 -prefMapHandle 5248 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3af9bbee-0283-4a7c-89db-c1be7eac9cd6} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 5264 198bd47ab58 tab
3⤵
PID:4116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.8.873048461\1738486905" -childID 7 -isForBrowser -prefsHandle 5076 -prefMapHandle 5716 -prefsLen 26939 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6f8df5f-dd5a-49b7-8076-acebde88f38b} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 5728 198beb04758 tab
3⤵
PID:656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.9.2060757027\1180699031" -childID 8 -isForBrowser -prefsHandle 2956 -prefMapHandle 3592 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66e19ea1-1b9c-43a3-8a9c-66406aba545f} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 3048 198b9efaa58 tab
3⤵
PID:2212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.10.506342495\521941666" -childID 9 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de4a5ff1-7274-418e-8c21-501138373096} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 4868 198aa26c158 tab
3⤵
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\D5594A2648EECD01993B5C42919BA64ADBF56052
Filesize
14KB

MD5
713705404036b4125d113b1e146e83e8

SHA1
c3eca8c17e53fece55e43bc3ef35b24d81bfe69a

SHA256
eaf63da7d837f80b1a6527f198f94ef4d3218bdd38d3afaf583710a463fe5a52

SHA512
431a6a9a292c78a8d0c045e45c8d6e427ba024a589ae5c50b14fb338e37374ce85439b38e5ea2cc19e89a5a788f1cea3edd93905f65271191a81f4d78dc602d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
6KB

MD5
41ed73104b96ea8836aa762869563b24

SHA1
46b2c7ffcd2f4c5306800464cabc8463ad485d13

SHA256
a50290a277b52648be9f4281000cfb773f102800ab1d1c273f69857c0da8eee4

SHA512
ad94a6e3eac3dafa817e306cb1bd88527bd2fa19d5afd3f422b4deef92030e1d6ce4cd44d132c529c8ca67c5f7c300f01d18ae71961fd82260f4effa4ce2a994

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
6KB

MD5
c1f3fcd92f26aab5eca9ed470c083d15

SHA1
aacdb096e6552163799cf06a74ee27e9180773c2

SHA256
9c45e3afc6be1d4c1ad45e55ec51a77a3e4bd5f49a4aec15b08ef1998047ba4f

SHA512
e14ddd2b1db74b671607614a34c614f89ab177e31e52a56aa3867bf08ecaef0ed47c5a375bd467b90b5a010e5ddcbc87c12c39e4520108332fdb2c7792bc1894

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
6KB

MD5
6a5947c0db0c95e75fc93c423fe9cb2e

SHA1
9e723cebce547974eb3c4875434c9c8a164205b1

SHA256
94a5d687dee1263206289879cfc54d05160049e7e645134078f543788c3e25e0

SHA512
3edbd066c8e4e3a0fd9726854d22d8135836361617b73d50bedaae0038849997a2e3fab1d5ba6d1a9b226915e29474dc8063fa32c91a7f36a8dfb09e2f43abd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
6KB

MD5
faf53eeab1e358a3cb645c647363deb7

SHA1
6c68e9c7f81af897c30f1ecec64124195e749455

SHA256
198585bcbf041cccead8e295b610ab62343d5b628268e0649137ce3665981dbe

SHA512
fe5a295163d804db47b8a6226246d0437b6df343cf7fa947670bb59da27a4c362f30e0a4c287e2cb243bb3f94115828fba219c9c736a7dd58d7232a23477da92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
8KB

MD5
f46ede8d3d2ff75e3992782391d97a42

SHA1
a9a24fccb009b021e08bfb3df6747cb19a887a7f

SHA256
f06390d1435cb19c75722167e4fb565d77a59e26126a46b7910bf510ba2e7c8d

SHA512
38c2eaabb4abec7463411a90f392565f8842c7071202e9ad8535dcbc3bfd44d3cbeb89ff0e583988f4a5571cd9752429908a89357cc4f8cfa22cf8378f8e6b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
7KB

MD5
ce3ae653eb9a0ffa5daf51a1b69dc0f3

SHA1
aa8963ffef7e3111d3a3e95b6f1f3469265a22a2

SHA256
8113a7d11a375e3f4c28e68109eb6a4e7da40dd7ea881e273abb967df330abd4

SHA512
d8fa2d3a4da9a29d58539cc9aec118eb9ccaa6dc5deaef53557eedd7c82dcfbcc84d59edfe56339475afeec45b37639fe5c3d5d5fc964ecd0d8a986d69f59192

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js
Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
89336144152967bc5de38c8afc021d87

SHA1
41ec33bc5578b3f63a492c23798a83eb3c652d0b

SHA256
bddb5a5a530d4e5386da3e1a21feb82fa3be939cbc39e9c65753f1499dde91b5

SHA512
5d55be39b9dd77c405e746f09356fb310f0b0e125d0ba4f0575df1d0155cc41f080232586d2f14f5d5102e13e1c2ed240d459590f17a783d79d75b8bc03f4192

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
84f351d437027d038cf058dc9c1b3f86

SHA1
0533165f2e0e7e7a5b0b948c31bd15d03a50e76b

SHA256
0301690aa02ff5a3b0fcc58faf8a4a8f093005d3e1d95e0c67fe8384a06e5679

SHA512
83b150f2daec8eb08de4b9cd2a1894c8996dcf8cf1f4a93c0a1f053d5938fa0c7e91fa61ed35b6bc173479e3af244ef6f169e51ac7f7dbe98323c4388f8c617b

Download Submit
memory/4424-133-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp

Filesize
12.4MB

Download
memory/4424-139-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp

Filesize
12.4MB

Download
memory/4424-138-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp

Filesize
12.4MB

Download
memory/4424-137-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp

Filesize
12.4MB

Download
memory/4424-136-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp

Filesize
12.4MB

Download
memory/4424-135-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp

Filesize
12.4MB

Download
memory/4424-134-0x00007FFBB1DC0000-0x00007FFBB2A32000-memory.dmp

Filesize
12.4MB

Download
memory/4552-140-0x0000023D1A210000-0x0000023D1A211000-memory.dmp

Filesize
4KB

Download
memory/4552-152-0x0000023D1A210000-0x0000023D1A211000-memory.dmp

Filesize
4KB

Download
memory/4552-151-0x0000023D1A210000-0x0000023D1A211000-memory.dmp

Filesize
4KB

Download
memory/4552-150-0x0000023D1A210000-0x0000023D1A211000-memory.dmp

Filesize
4KB

Download
memory/4552-149-0x0000023D1A210000-0x0000023D1A211000-memory.dmp

Filesize
4KB

Download
memory/4552-148-0x0000023D1A210000-0x0000023D1A211000-memory.dmp

Filesize
4KB

Download
memory/4552-147-0x0000023D1A210000-0x0000023D1A211000-memory.dmp

Filesize
4KB

Download
memory/4552-146-0x0000023D1A210000-0x0000023D1A211000-memory.dmp

Filesize
4KB

Download
memory/4552-142-0x0000023D1A210000-0x0000023D1A211000-memory.dmp

Filesize
4KB

Download
memory/4552-141-0x0000023D1A210000-0x0000023D1A211000-memory.dmp

Filesize
4KB

Download