047c1126be23db6653f545e6d7313e5dcbd715a799019f7fb31aef68de390f6a

Analysis

max time kernel
135s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2023, 14:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MatrixBaitSwitch.exe
Size

10KB
MD5

e750df4025d4102df507c89efed5f094
SHA1

345eb709185ec61fb061726b0ebc0ebea5efd142
SHA256

047c1126be23db6653f545e6d7313e5dcbd715a799019f7fb31aef68de390f6a
SHA512

651fb4e3e0087673d8b28320ba6b126f31010b5df434d645c21f699de326f9b1b4df87aa963ff7e8adb2a83dd51e10788b67dd8965b290dfe1171da7fe321cc0
SSDEEP

192:QLCJP10fXBe9NdaLix5rupSiP/VunlYJLLLTumTWy5cqLx:QLe96ejdaLiH+3hPLTumSyTL

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	MatrixBaitSwitch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
4572	hydrogen.exe
5156	hydrogen.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "Cmd"	reg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	hydrogen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\hydrogen.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	firefox.exe
Token: SeDebugPrivilege	4552	firefox.exe
Token: 33	4376	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4376	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe
Token: SeTakeOwnershipPrivilege	4572	hydrogen.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4572	hydrogen.exe
5156	hydrogen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4708	4668	MatrixBaitSwitch.exe	84
PID 4668 wrote to memory of 4708	4668	MatrixBaitSwitch.exe	84
PID 4708 wrote to memory of 3668	4708	cmd.exe	86
PID 4708 wrote to memory of 3668	4708	cmd.exe	86
PID 4708 wrote to memory of 4232	4708	cmd.exe	89
PID 4708 wrote to memory of 4232	4708	cmd.exe	89
PID 4708 wrote to memory of 4588	4708	cmd.exe	90
PID 4708 wrote to memory of 4588	4708	cmd.exe	90
PID 4708 wrote to memory of 2852	4708	cmd.exe	92
PID 4708 wrote to memory of 2852	4708	cmd.exe	92
PID 4708 wrote to memory of 3340	4708	cmd.exe	93
PID 4708 wrote to memory of 3340	4708	cmd.exe	93
PID 4708 wrote to memory of 536	4708	cmd.exe	94
PID 4708 wrote to memory of 536	4708	cmd.exe	94
PID 4708 wrote to memory of 1404	4708	cmd.exe	95
PID 4708 wrote to memory of 1404	4708	cmd.exe	95
PID 4708 wrote to memory of 560	4708	cmd.exe	96
PID 4708 wrote to memory of 560	4708	cmd.exe	96
PID 4708 wrote to memory of 2744	4708	cmd.exe	97
PID 4708 wrote to memory of 2744	4708	cmd.exe	97
PID 4708 wrote to memory of 5116	4708	cmd.exe	98
PID 4708 wrote to memory of 5116	4708	cmd.exe	98
PID 4708 wrote to memory of 3864	4708	cmd.exe	99
PID 4708 wrote to memory of 3864	4708	cmd.exe	99
PID 4708 wrote to memory of 2352	4708	cmd.exe	100
PID 4708 wrote to memory of 2352	4708	cmd.exe	100
PID 4708 wrote to memory of 2600	4708	cmd.exe	101
PID 4708 wrote to memory of 2600	4708	cmd.exe	101
PID 4708 wrote to memory of 3236	4708	cmd.exe	102
PID 4708 wrote to memory of 3236	4708	cmd.exe	102
PID 4708 wrote to memory of 2904	4708	cmd.exe	103
PID 4708 wrote to memory of 2904	4708	cmd.exe	103
PID 4708 wrote to memory of 2436	4708	cmd.exe	104
PID 4708 wrote to memory of 2436	4708	cmd.exe	104
PID 4708 wrote to memory of 2748	4708	cmd.exe	105
PID 4708 wrote to memory of 2748	4708	cmd.exe	105
PID 4708 wrote to memory of 4784	4708	cmd.exe	106
PID 4708 wrote to memory of 4784	4708	cmd.exe	106
PID 4708 wrote to memory of 2340	4708	cmd.exe	107
PID 4708 wrote to memory of 2340	4708	cmd.exe	107
PID 4708 wrote to memory of 4140	4708	cmd.exe	108
PID 4708 wrote to memory of 4140	4708	cmd.exe	108
PID 4708 wrote to memory of 4788	4708	cmd.exe	109
PID 4708 wrote to memory of 4788	4708	cmd.exe	109
PID 4708 wrote to memory of 3948	4708	cmd.exe	110
PID 4708 wrote to memory of 3948	4708	cmd.exe	110
PID 4708 wrote to memory of 2420	4708	cmd.exe	111
PID 4708 wrote to memory of 2420	4708	cmd.exe	111
PID 4708 wrote to memory of 2620	4708	cmd.exe	113
PID 4708 wrote to memory of 2620	4708	cmd.exe	113
PID 4708 wrote to memory of 1200	4708	cmd.exe	114
PID 4708 wrote to memory of 1200	4708	cmd.exe	114
PID 4708 wrote to memory of 3608	4708	cmd.exe	115
PID 4708 wrote to memory of 3608	4708	cmd.exe	115
PID 4708 wrote to memory of 4264	4708	cmd.exe	116
PID 4708 wrote to memory of 4264	4708	cmd.exe	116
PID 4708 wrote to memory of 3376	4708	cmd.exe	117
PID 4708 wrote to memory of 3376	4708	cmd.exe	117
PID 5088 wrote to memory of 4552	5088	firefox.exe	122
PID 5088 wrote to memory of 4552	5088	firefox.exe	122
PID 5088 wrote to memory of 4552	5088	firefox.exe	122
PID 5088 wrote to memory of 4552	5088	firefox.exe	122
PID 5088 wrote to memory of 4552	5088	firefox.exe	122
PID 5088 wrote to memory of 4552	5088	firefox.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MatrixBaitSwitch.exe
"C:\Users\Admin\AppData\Local\Temp\MatrixBaitSwitch.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:3668
- - C:\Windows\system32\reg.exe
    Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:4232
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:4588
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:2852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:3340
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:1404
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:560
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2744
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:5116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:3864
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:2352
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2600
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:3236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2904
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:2436
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2748
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:4784
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2340
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:4140
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:4788
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:3948
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2420
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:2620
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:1200
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:3608
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:4264
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d Cmd /f
    3⤵
    - Adds Run key to start application
    PID:3376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.0.62244459\312206914" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24c441f5-bae0-40e8-abe1-ea6dd65cad0c} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 1932 150548fb858 gpu
    3⤵
    PID:2728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.1.1319028220\1602147813" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d48483a4-d91f-4476-921b-161e0aaaf128} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 2332 15047972858 socket
    3⤵
    PID:4440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.2.186662802\165535929" -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 2912 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a09c280-cd4f-4a11-90ed-575eedd5530a} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3120 1505487a158 tab
    3⤵
    PID:4340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.3.1841787684\64864997" -childID 2 -isForBrowser -prefsHandle 920 -prefMapHandle 1480 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72a6aa82-bd5a-49cc-beca-73e9a381a484} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 1196 15047961c58 tab
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.4.1160673121\1382230362" -childID 3 -isForBrowser -prefsHandle 4032 -prefMapHandle 4024 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a86d9d2-7a7d-49b2-8856-98cc75af67b2} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 4044 1504795b258 tab
    3⤵
    PID:3372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.7.206746332\825949583" -childID 6 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25974a02-a6d4-4049-aa55-e1b2fd34ee74} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5312 1505abb5258 tab
    3⤵
    PID:5260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.6.1520822838\1379660609" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8498be48-7ffc-47ac-bd33-7b37280d451e} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5116 1505abb4658 tab
    3⤵
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.5.1935679748\544255160" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 4976 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d05dd8c-f01c-451d-9e5a-5946ca09c735} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 4988 1505abb5558 tab
    3⤵
    PID:5244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.8.1457087577\149593050" -childID 7 -isForBrowser -prefsHandle 5972 -prefMapHandle 5968 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {548aae71-d5c3-4133-a1d0-610c62c1b2f5} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5772 1505ab1c958 tab
    3⤵
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.9.330288718\1174164635" -childID 8 -isForBrowser -prefsHandle 5644 -prefMapHandle 5652 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0e7f973-b8f5-40e9-9643-98e33268fa5c} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5588 1505cbdd158 tab
    3⤵
    PID:4972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.10.1549292387\2134709231" -childID 9 -isForBrowser -prefsHandle 3480 -prefMapHandle 3492 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ee649de-09d6-4537-a16c-90a54eb5c6cc} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5148 1505cc53b58 tab
    3⤵
    PID:2292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.11.2056408448\2060044403" -parentBuildID 20221007134813 -prefsHandle 3588 -prefMapHandle 5044 -prefsLen 27195 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {261636c2-3292-4303-91c2-e7d1a3069389} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3600 1505cb1be58 rdd
    3⤵
    PID:3300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.12.186258807\2039750044" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6260 -prefMapHandle 6256 -prefsLen 27195 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6291d9b8-c636-4e8c-b23b-2fae2eeac1c3} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 6264 1505b00bb58 utility
    3⤵
    PID:1740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.13.756303969\9636454" -childID 10 -isForBrowser -prefsHandle 6464 -prefMapHandle 6468 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e302a4e-6ffe-44e1-890c-664456c2447d} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 6460 15059385b58 tab
    3⤵
    PID:5756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.14.1757779569\1934371483" -childID 11 -isForBrowser -prefsHandle 6596 -prefMapHandle 6600 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15f8f754-a5fd-4e5c-b914-b63a93b35a27} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 6976 1505d3b8b58 tab
    3⤵
    PID:384
- - C:\Users\Admin\Downloads\hydrogen.exe
    "C:\Users\Admin\Downloads\hydrogen.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.16.2065026558\1627879023" -childID 13 -isForBrowser -prefsHandle 10472 -prefMapHandle 10480 -prefsLen 27371 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e39202e-b5a5-48ba-ae53-72c7bbf1a7aa} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 10484 1505d2c2f58 tab
    3⤵
    PID:3564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.15.981031220\2081715717" -childID 12 -isForBrowser -prefsHandle 6896 -prefMapHandle 6444 -prefsLen 27371 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {585aa62b-f1b7-40b8-b303-e86b44d56a0b} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 6680 1505d2c3858 tab
    3⤵
    PID:5888

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x374 0x370
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5588

C:\Users\Admin\Downloads\hydrogen.exe
"C:\Users\Admin\Downloads\hydrogen.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5156

C:\Users\Admin\Downloads\hydrogen.exe
"C:\Users\Admin\Downloads\hydrogen.exe"
1⤵
PID:5024

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39bd855 /state1:0x41c64e6d
1⤵
PID:5984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\activity-stream.discovery_stream.json.tmp

Filesize
152KB

MD5
a5cc0a712e596d45b1f1e85f17e2bb10

SHA1
9f8e2f5556ee69d34eda366205a820376e2a6966

SHA256
f608843d8ffa0427173f57c72ecc095d40f9b1cb8f5f77e1e61b74730088416a

SHA512
95350d59987c4060fe7a12d20674d56ade362e1df1c9dad0cf29047dc2eb4ded0c939defdc25aa450ffd1feba572108982bbc82c85783004f72d69b318976210

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\cache2\doomed\21613

Filesize
15KB

MD5
5f5ec11be100613df3e9e0b5fa3026c2

SHA1
aa5a571bd36352a6c8113c07498bbb741ebed274

SHA256
50bd99eb9a35e17ceaa22e9aac21339a3871ecb48937d9822f42bef9f8544821

SHA512
fcd9ea2978fd2a264a83bdb61ad3d4c627e1e90c10a37f6b1216f9be256bde8837feed3a2d8421c0818a66230846203cfe2464f6c9854b341981c37107b948de

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\cache2\doomed\22270

Filesize
124KB

MD5
e841ee5f67dc65ccd65dfa6f606bbc20

SHA1
0b1bba742fd5d743c4165ef0754e1158c4606426

SHA256
136518f289823e1ec8fc7e59c0a86d156c52d291cf0c7750c3c73b0089fb0e46

SHA512
bb4a0dbb8b5f4d643d81ab90ef34c6910099ec6f1e084660d256a75de910dfd184d4534d710ea0c5f3766d736f9812b21eaa201f7311b422df85a29490247826

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\cache2\doomed\28087

Filesize
18KB

MD5
189eecdf3e931f521c63ab0d74674a48

SHA1
a57d5d755dfe0da88fb52c0f26fc41d3965b6b48

SHA256
47a63064730b23b606ae594b1ee6fac83f3e8b29f62c0728650dcf1d7095410e

SHA512
84cec9a28b7e531d95e650466041bc90e9e7ea77b9c3dc45b95a7faf0785095bcf175e5b013119014d8f07c7b9a17b951c362c3c64a3f54ec88080ce9d433655

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\cache2\doomed\32498

Filesize
18KB

MD5
da20e89b0235404f5ecc93253f6925fb

SHA1
2d9981ca5dc2a62c41ecbb9124d2ab4c0e44e1b8

SHA256
8510488ef07fb76a30b951df21c76319d6819320269816db1eb310c84ca9a205

SHA512
070482d30be7bca74f71a6cc37dfe4a59040f0c68724212362181a0b200a88e4c14b34cb3f8c0a9ae2bcd7df032df9b65905fc9fa883adff088d6842dc8d2e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
1KB

MD5
64535382b78745726f941b110626337a

SHA1
c17db8827762f578b419386f5d37c6f13e3d37ad

SHA256
baf8124867fca2d9577ec0560011afdf264f5033cee712a9521c19bac2af99c7

SHA512
b0c1177dd41159ec101d9206485dd72ab1b61cfa3170aed3539304413961c096911fba7963cb70314f9c58d90e8c5bc2090dec90b2f619fcf069f03f31ea2b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
45B

MD5
67c608f4d120a8221bf953e3e7695cce

SHA1
ddf0b79d4b4610012ee5ec18f5b8fc62f3f56483

SHA256
7f38267f8213e0333f4366c1ccae41ae88b54ff49b51bde49ca6ba5456ba2fef

SHA512
d263cdbc27a46825ef25d987501a70bd4516555ee43072fac6197c3a2d3cf2a8eec5dc668147e769fd66fd9c2f52ba6c53e2a49e2d4d3e3c49789fcc1d8f2fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
101B

MD5
b833d27a27684711a5b242acdd1b2310

SHA1
77a1b7110ace5c380384cc55a45f01a8ff08d337

SHA256
78820162510aaa41f734e5669feec9cb9e10db6d044d1b22586117a9ed741b0d

SHA512
c6a75c4eb6358c32080d4afec6d34297a5ad848f1c660a0b877f9c17e7f64bd18c250ada5e38c18d599d732ddf5aea129319645ab147e92f40fed1ccd77faeeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
157B

MD5
845eb0619a7f4814a91810835e344b76

SHA1
f4b13b7cf05fd33fd254b2ca0ce4c84e011a3c79

SHA256
4a1c8e7f81d995989b159d893250fb0f50dd0976025f695b349faa2082a33b22

SHA512
1a3c4308b5d36a382b44980e70a6da1d13ec422aeb6c264d83abef71de6d03c6a62baff6e284d4116977ddd0bdc670d343a7ffb37f947980f9af9a330d511f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
157B

MD5
845eb0619a7f4814a91810835e344b76

SHA1
f4b13b7cf05fd33fd254b2ca0ce4c84e011a3c79

SHA256
4a1c8e7f81d995989b159d893250fb0f50dd0976025f695b349faa2082a33b22

SHA512
1a3c4308b5d36a382b44980e70a6da1d13ec422aeb6c264d83abef71de6d03c6a62baff6e284d4116977ddd0bdc670d343a7ffb37f947980f9af9a330d511f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
213B

MD5
89590b50e585e7f551b1c31a524b4adb

SHA1
21b0ed586eed39c0d4bc9fc0517bbf5a6d784c91

SHA256
6a1f88024812a13cef803179603f20a2091c1b15ca9edf17f04037b2ad18e2cc

SHA512
099444001776c4ddcf4db31732eea673e3e71825a7038271d00e0d2b8232fd1d193e84d83bacbc5e9e2c8635f4b6a999ccf5923de4642ada882804be8201027c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
213B

MD5
89590b50e585e7f551b1c31a524b4adb

SHA1
21b0ed586eed39c0d4bc9fc0517bbf5a6d784c91

SHA256
6a1f88024812a13cef803179603f20a2091c1b15ca9edf17f04037b2ad18e2cc

SHA512
099444001776c4ddcf4db31732eea673e3e71825a7038271d00e0d2b8232fd1d193e84d83bacbc5e9e2c8635f4b6a999ccf5923de4642ada882804be8201027c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
269B

MD5
99242a84b39ab218362872f63238f293

SHA1
38b677a4248b66600fa367c3b166aa75d9a7dbbf

SHA256
c31af428c3435fe32be74ffd1fc25abfdfa3fcde84252509284af770454f16a9

SHA512
91998dd7216ac33f71eaef172120ffa29f4ffbfebe201d7c7b9e0801d88d8ab8c181ab9d5ec29039c83e535942a612c1d5300c90a9e9f49c766f1afcc27418bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
325B

MD5
ce97aff718857eea637a31adc1f82edf

SHA1
4e597120e053f55dee4913a949e2652aec5c8591

SHA256
027ae7577364e8c336653ea1d982743e25fd44d4c88017d7c79848a1add61084

SHA512
db8a3dcd40c13cdadf2c305a0995ee15d674ee78663abd977628823812554442a0da2325b7a6745880cd17ca3b10f6e92dc8a42e435767257f42a4baa7ebf01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
325B

MD5
ce97aff718857eea637a31adc1f82edf

SHA1
4e597120e053f55dee4913a949e2652aec5c8591

SHA256
027ae7577364e8c336653ea1d982743e25fd44d4c88017d7c79848a1add61084

SHA512
db8a3dcd40c13cdadf2c305a0995ee15d674ee78663abd977628823812554442a0da2325b7a6745880cd17ca3b10f6e92dc8a42e435767257f42a4baa7ebf01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
381B

MD5
d214c11412c5198560ef8c442448e7c5

SHA1
9bcdead4303afd871e4e5e43119a54b68c40565f

SHA256
57600f61882b15471f9f1f20b69d0cfd5456ceab2a6559b406e779d99735e135

SHA512
19c572b551e3101e11e1ea75eaa8d887ca8bfc5ed10a17383a6698c43ec6f3fd7b6a7c0faf6552c5c62e2a62568e8893fb236fa5c547317d4235f6938607179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
437B

MD5
0a79c904a4557410044335e9498cde99

SHA1
d9e5bb52c6502410a282259051e0a44ef6a29da8

SHA256
2165c342e1539bfb0ae2745e41f8ff38e67df1d7c40c9f7058480f40e013ec57

SHA512
eb18e4bd9acf9db1493ff933c37486cab837e2e68159d27aa1527090a2eda4a310d8193874f5d6f30bcf5724833e8948859473cde9ac9703fbb9c1a01d96f44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
437B

MD5
0a79c904a4557410044335e9498cde99

SHA1
d9e5bb52c6502410a282259051e0a44ef6a29da8

SHA256
2165c342e1539bfb0ae2745e41f8ff38e67df1d7c40c9f7058480f40e013ec57

SHA512
eb18e4bd9acf9db1493ff933c37486cab837e2e68159d27aa1527090a2eda4a310d8193874f5d6f30bcf5724833e8948859473cde9ac9703fbb9c1a01d96f44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
493B

MD5
df6331008ec8c536a21a599c31ebdec9

SHA1
0deaaaa95576752af989fe6f85de39e4060a5725

SHA256
6ef34302c5a2ca3e36c58e4a73f7c4829c4cce8b0dffb6a10ca064779e9e052e

SHA512
f6cf008d8caf25afebf4c096fff7e4ac1efd4ce987b48d33fc41fbbc0a98861544944cf0f762dfc7f0f3ae20753813fccb8d5a4a3e2d66b310afb0a60ade16ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
549B

MD5
018cd0376981e9747c7b415bc550d5e8

SHA1
65ae25a392176c77eeb8ea92f9fe05300012210c

SHA256
96e3b7f261b5e62f386c9d15add847a040edb3eb8b1f5e48949defab2ddd1751

SHA512
4b68c5171c0b643ab12f316b7958fa43c669410f5c3f1e6acbfffdcb0344d3af9f27a5ba7bfc111b6667a44c5f04e3f9b2b613b20ecabc8f4fd82e5fa644ba5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
605B

MD5
c325c96bf7d145a135bf1387cbb04921

SHA1
57754ca380f079e697d3e490a827bcebfc0b2275

SHA256
c29882fd681750c10b7e2ad2c146a19b44c603a9e4d2c9ba867d0d099eebb90e

SHA512
2494b4258833376c945415dfdc4cb1eeefc1b3ce48a505356903f679a88018363c1ad4b5fd48229a0414ecf7d31acad5102c6c8a88d5f27d28cfaf0e073057e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
605B

MD5
c325c96bf7d145a135bf1387cbb04921

SHA1
57754ca380f079e697d3e490a827bcebfc0b2275

SHA256
c29882fd681750c10b7e2ad2c146a19b44c603a9e4d2c9ba867d0d099eebb90e

SHA512
2494b4258833376c945415dfdc4cb1eeefc1b3ce48a505356903f679a88018363c1ad4b5fd48229a0414ecf7d31acad5102c6c8a88d5f27d28cfaf0e073057e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
661B

MD5
3c8a013f36f1ade8f1c69ee2cb3a1970

SHA1
a1482903c373e77cc42f1d3d0f74931bd29aed7a

SHA256
7df51428dcd27826464d6c4bfb0f978ff3faa14e07e6279dd66d4f014b00e640

SHA512
c5c25ebfe5fbb93a11137762ad8b47de386a7b1b08170596c5673d359c5ec053460121bb908623193bbcb5c325b1574fd7a3cdf790a608cc2f208607e537acd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
717B

MD5
cf32319e73d6863dbf24f3df48158f57

SHA1
019e8513434b738d51a24d3964bfcbca9e18fa18

SHA256
e2e1b2247174054ec8fa9a124866a7193c12ef332872676fd54e7de10fa4fdd8

SHA512
5dea82ff4e3226193e3472503c98df16e366da55960b22736b638c038696e7ea3a8adbc5e3fc77a8ed4fda5716c7fd9c7527614c890c4f7e01d33af99558285b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
717B

MD5
cf32319e73d6863dbf24f3df48158f57

SHA1
019e8513434b738d51a24d3964bfcbca9e18fa18

SHA256
e2e1b2247174054ec8fa9a124866a7193c12ef332872676fd54e7de10fa4fdd8

SHA512
5dea82ff4e3226193e3472503c98df16e366da55960b22736b638c038696e7ea3a8adbc5e3fc77a8ed4fda5716c7fd9c7527614c890c4f7e01d33af99558285b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
773B

MD5
37ff03bab21e65e5a72ea4c5647ac211

SHA1
82489bf3b63c7207731b992e1f55f1dccac1265f

SHA256
021b85a6a73658ec151b4cb6a05c1cafe72ba6fdc54dbb58a64d7c53a4d6d450

SHA512
2dee98b0e28f62da023d65cc0d78165f5ebb61cbb9923997a7433faa5bdf0f4c7ba92879fb8c6bf23f830ac275ebf03ce77247c849a9a071c934a9266804d32f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
7KB

MD5
7851e561fef16d575fe3e29a2d93a2f6

SHA1
83e6724fe75e8ef490eb3e758f92b415a9070430

SHA256
b07d7a17d2c0ee266b232ff312cd8d4a7e35ef81281cf362bcad884c7857e333

SHA512
fdf13c854fe120face3832a69c1e57cccea856a438ba5de4f635ef9a70bad266ced85955c19a4f5756cd7dc44f225e82a022a1940a7c754172421346779421e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
7KB

MD5
3077c244c3bd15f03fb0438f46e00fa9

SHA1
8072dad30ff66f06a4abdf8bc80fd423d16c4234

SHA256
a092db6d2aedef01e3882342834c46b87b698e887ce25fb280fb311066976abf

SHA512
f7f73ae4c8514fb2296bacd7fc354dc1509d14ea6a3a60a0dd7db82388ac374acf8387cafe1fabdb468efa90c1efd65f337903e6f5149b6d21b82cdd7300ce49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
6KB

MD5
e37e069e4b7eff3c5d5995701bba1014

SHA1
58311e3f827368954db0088241e0b5850174ffb5

SHA256
1904ef3e226f661658942e13ef8f0c5422b42ca00321ab7c91c993b66d5ee2e6

SHA512
b3081ff1ec166c0afd4f1a63cb49ff4cd64bd03d49bb13d1759d100831f7c537114e2c94ed20b2649ba6877dadae77ab21ae949a1081150926a4747d4043baa0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
6KB

MD5
91f4d821cf95c3330fa48fbf281953c0

SHA1
88a60452221b62aa98939f0fad6f337b6ff1376c

SHA256
49ba852adc4e2a151730069eb36623c166da26790753ef107bffc5d6b1f96e87

SHA512
e0971a503b0791c41b35aea9238414d3a18f06a021ad05d19782a9b4d7edf4a45fd1caa1cb08bcd25212319181d1949ae35db17467d618f64279e538057bd089

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
7KB

MD5
b84eb2f09956400488b0866a53f20599

SHA1
3d61cff314082accd9ef0ba47df5274496646b7c

SHA256
acf4885466bc651d1c03e673d28827313c008c33429f84d53f8cba9fe6d16237

SHA512
abf66f89a31412b4bc71958597e9008109d6fd2c349f7434602726e24bc8c344e0eaf5c6f5af99fc3c30c07f90b9aa1730344c9745cfbee442c9b33be9fe2af5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
7KB

MD5
2f1f54b48076fa95e3bd22a0803e2803

SHA1
4a599cd8408115c6263fec47ea8466bb70d625ac

SHA256
c6e205e9a91c928bd28d195cbc45b3b867cd627b1997c175bf93fc9222d25790

SHA512
8f32385a6f399cc9257d56f9acb01a7311416433764ed92643a1cab78f044564d22349feb37e0747af6d28fc26db2b00c7d8c59dc84c0153158b4953ae803149

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
7KB

MD5
a996cdfe052f41a3c0692cef3636e5d0

SHA1
ee7cee416f08d6f179e7dfb5c0f871975e596fbf

SHA256
d1668cf00f7132927012b0062a2c98372fa468274fce04d0492ce1e67968bd22

SHA512
0e85c9740ccb0f58d5ac2b74d2ee4b44d00f2680a7590152889af7ab2bfe0c6d62422e90a3afeef1d6530a16924fa586e311eb637c5ca7212f0a37a56330b908

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
6KB

MD5
a591481a83675c926c139bb3a980b09c

SHA1
f6eccb2d9c204b40066237aa9fd4f201b065baa6

SHA256
cb69bbd9993f4616bdd5abed9e4766ab741a37d5c42b6631c687892a532142d3

SHA512
bdc36020e2275fd8ab6f41cd3ba8f4b08a456e0e187be37c383fbb2d4d8958d23ab100ca6ad446da0312144f91b43026e0d6c3708a75efb83b04ec02ca651119

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs.js

Filesize
6KB

MD5
2ca68eec3c1fdbaa1ae996ee759fc3c8

SHA1
54363409a7393613ff528d0488d1cc16796ef2d8

SHA256
4fe10ac0c622a99629804d64c89b59339a12a63ffb0b56132bfe39ec9b25aa1a

SHA512
e2fdc625ee7d3e54c1cca72810eccccc3f493253319dad56693d77904692830302564897d7d9c33b876f645bfcd1a5498be9be81bb18932e3333d00ca3408c12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
ffa70075238b4bdfd4d35e6ae165d91d

SHA1
e6aa770755933fc4693b2b60da2e6c6d804dddb4

SHA256
d71b2a52623c4a65bdf91bb52b7e3635ea520c043dc936f6fdabf2ec33de4706

SHA512
527ffe576bde9e43269183c0b341366def54e346bcfb3e1cc7518617e58ec717a2000e3f4e5eb9b9383628e8bd94594ffff03d809bf25939ffcc03f0ab41e276

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
5a46abba2166763223079847f5f528b6

SHA1
5707019a0839eb5282a151d6f14de8b715846379

SHA256
1d196d73ff8fb8b7e638175d3653486b28ae99af07e56836eca93559eeda36c9

SHA512
e6529d02c244dd74766cdd14160ae26edead82ca4555cebd290dfefeabca3077b373e30f05443992c101f13000c65fc4a863e25f85ebd6cf4223953f23a25d47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore.jsonlz4

Filesize
10KB

MD5
e294897d8737fab957d2289dec404549

SHA1
8892c71adce46d5c52bf673cbe4478598b98b288

SHA256
3d7c7ca17a939363832d89034a2b7f76145680f21999a116394643a8bbf1b68b

SHA512
70854c385dfbf8d43f1a341e92b5f769470243af7d43496f230852d7aa136dfd5724c34591d3545ac5bda2aea53fc3cf0163561a1ce687f25ff4d73ce8ffe0c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\storage\default\https+++www.youtube.com\cache\morgue\16\{3ed9c755-ac44-4004-97d0-af5b0bf84810}.final

Filesize
3KB

MD5
294cb9ec11649be58720428798bd624d

SHA1
39fa50e9c916a3b2fbf4f4b923fbd7aadae99449

SHA256
a7080acc0f075e53019f61a120267410f4d7a0254cc9f5cba3dc444570b02d43

SHA512
7db61248a95e18786365e21c6c71a6cc3e7ea4de2e9bd3b9e6987838e863ebee8d0dc97e66b0d086bba3ea21255a50aa4cae282fe9d7ea8a5d0b5b09723d6eaf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\storage\default\https+++www.youtube.com\cache\morgue\8\{513d8ce3-cfb7-43c0-af16-815c960c5a08}.final

Filesize
65KB

MD5
ff394f2c08a1ee5aaa44e10728e150a5

SHA1
ab58a7c319b1fe896b6f72c089e4246b8a1160fd

SHA256
010db93a5eaba4aaf7fa2d4b341728beeb4a886ae6ba7790814a2efbffbc44b4

SHA512
a2e6d661e41b32f5ae9dff146b97ba12760c22bdc5ae5133d090c491230f8d94862e18c01d505f70ebb094cc67bc9fc779a7762c631b0a744a4ea135155e0500

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal

Filesize
40KB

MD5
beedb6d48073c58c678eba8fcecfa2ee

SHA1
416e7ce8e82fc1225b66d1d9875c59d40fae9195

SHA256
6c018994d59b6cd0dd2308ba3ee550aef61f8b8eef74a91ee4ae48b9d7761cba

SHA512
4d2023f323f9cd9916a1aeb1a5f9af6df375a9131508e420836cec97caea1d07c68c8955d0216ce145333acb641005864dba8047050e0589aaa66f74266f0b51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\storage\default\https+++www.youtube.com\idb\4241145965yCt7-%iCt7-%r5e9sap1o.sqlite

Filesize
48KB

MD5
920fa913ac58700e80b5d1896e2028ed

SHA1
3498d95c2b656eb8f689c0a505ce51df24dff7b1

SHA256
49bdf3122068e2db973781c15e3466df685bf9822c4f6c8718d24f107fd396e1

SHA512
70fc2f92cf5babf1142b030ca40c6bff24d7eaf76ba09eca270dd46f7a50e183b555d4b5705df089bdba40335ca5da31a545a0d47062caf25e6ecc4e43e6824c

Download Submit
C:\Users\Admin\Downloads\hydrogen.exe

Filesize
128KB

MD5
efdd98ae7ba8aa1a457d6938d554e5bb

SHA1
5adc3d12792396b569bf024676636262bcd9c7ff

SHA256
283f195bad35cac6e9452c2791eaeb90d9cd6d506aa16c6505247e5be74aabf0

SHA512
6c1e6adfcf7416c153b8f57149d232bd3caecda0806369cb00131e0877559953041017a641f910e7360ddeb059e568c4c4bbbbed28ed902f80221a68f1bafae9

Download Submit
C:\Users\Admin\Downloads\hydrogen.exe

Filesize
128KB

MD5
efdd98ae7ba8aa1a457d6938d554e5bb

SHA1
5adc3d12792396b569bf024676636262bcd9c7ff

SHA256
283f195bad35cac6e9452c2791eaeb90d9cd6d506aa16c6505247e5be74aabf0

SHA512
6c1e6adfcf7416c153b8f57149d232bd3caecda0806369cb00131e0877559953041017a641f910e7360ddeb059e568c4c4bbbbed28ed902f80221a68f1bafae9

Download Submit
C:\Users\Admin\Downloads\hydrogen.exe

Filesize
128KB

MD5
efdd98ae7ba8aa1a457d6938d554e5bb

SHA1
5adc3d12792396b569bf024676636262bcd9c7ff

SHA256
283f195bad35cac6e9452c2791eaeb90d9cd6d506aa16c6505247e5be74aabf0

SHA512
6c1e6adfcf7416c153b8f57149d232bd3caecda0806369cb00131e0877559953041017a641f910e7360ddeb059e568c4c4bbbbed28ed902f80221a68f1bafae9

Download Submit
C:\Users\Admin\Downloads\hydrogen.exe

Filesize
128KB

MD5
efdd98ae7ba8aa1a457d6938d554e5bb

SHA1
5adc3d12792396b569bf024676636262bcd9c7ff

SHA256
283f195bad35cac6e9452c2791eaeb90d9cd6d506aa16c6505247e5be74aabf0

SHA512
6c1e6adfcf7416c153b8f57149d232bd3caecda0806369cb00131e0877559953041017a641f910e7360ddeb059e568c4c4bbbbed28ed902f80221a68f1bafae9

Download Submit
C:\Users\Admin\Downloads\hydrogen.exe

Filesize
128KB

MD5
efdd98ae7ba8aa1a457d6938d554e5bb

SHA1
5adc3d12792396b569bf024676636262bcd9c7ff

SHA256
283f195bad35cac6e9452c2791eaeb90d9cd6d506aa16c6505247e5be74aabf0

SHA512
6c1e6adfcf7416c153b8f57149d232bd3caecda0806369cb00131e0877559953041017a641f910e7360ddeb059e568c4c4bbbbed28ed902f80221a68f1bafae9

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
148KB

MD5
442d0cc64cbb99246b04dbd2ab1fe995

SHA1
fa09ee6b4a777307792cbbe80b791922de6a17ff

SHA256
2f588ee52e4610749ba2ade9e467fae8d3d0f63e4832f52316c6ccf4b6c0dd8b

SHA512
80b034cbfa2e118cc07424c9aabd1fe0de149aabf24780b6704b73113fa959b36d44d7aa439054834943799e69bcc4028ad85544414188cc4f90b8d0eedb58ff

Download Submit
memory/4668-133-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads