2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e

General

Target

smthng_xuinya
Size

5B
MD5

4842e206e4cfff2954901467ad54169e
SHA1

80c9820ff2efe8aa3d361df7011ae6eee35ec4f0
SHA256

2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e
SHA512

ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 8015cad1b5bfd901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0ED26181-2BA9-11EE-8D5B-CEA1BEF6F4E2} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies registry class 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

1628 rundll32.exe
1700 rundll32.exe
864 rundll32.exe
960 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1368 firefox.exe
Token: SeDebugPrivilege 1368 firefox.exe
Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exefirefox.exe

pid process

2156 iexplore.exe
2156 iexplore.exe
2156 iexplore.exe
1368 firefox.exe
1368 firefox.exe
1368 firefox.exe
1368 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1368 firefox.exe
1368 firefox.exe
1368 firefox.exe

pid	process
1628	rundll32.exe
1700	rundll32.exe
864	rundll32.exe
960	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1368	firefox.exe
Token: SeDebugPrivilege	1368	firefox.exe

pid	process
2156	iexplore.exe
2156	iexplore.exe
2156	iexplore.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe

pid	process
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXEWORDPAD.EXEmspaint.exe

pid	process
2292	AcroRd32.exe
2292	AcroRd32.exe
2156	iexplore.exe
2156	iexplore.exe
400	IEXPLORE.EXE
400	IEXPLORE.EXE
1152	WORDPAD.EXE
1152	WORDPAD.EXE
1152	WORDPAD.EXE
1152	WORDPAD.EXE
1152	WORDPAD.EXE
2252	mspaint.exe
2252	mspaint.exe
2252	mspaint.exe
2252	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exeiexplore.exerundll32.exerundll32.exerundll32.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1628 wrote to memory of 2292	1628	rundll32.exe	AcroRd32.exe
PID 1628 wrote to memory of 2292	1628	rundll32.exe	AcroRd32.exe
PID 1628 wrote to memory of 2292	1628	rundll32.exe	AcroRd32.exe
PID 1628 wrote to memory of 2292	1628	rundll32.exe	AcroRd32.exe
PID 2352 wrote to memory of 2156	2352	rundll32.exe	iexplore.exe
PID 2352 wrote to memory of 2156	2352	rundll32.exe	iexplore.exe
PID 2352 wrote to memory of 2156	2352	rundll32.exe	iexplore.exe
PID 2156 wrote to memory of 400	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 400	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 400	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 400	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 1700	2156	iexplore.exe	rundll32.exe
PID 2156 wrote to memory of 1700	2156	iexplore.exe	rundll32.exe
PID 2156 wrote to memory of 1700	2156	iexplore.exe	rundll32.exe
PID 1700 wrote to memory of 1152	1700	rundll32.exe	WORDPAD.EXE
PID 1700 wrote to memory of 1152	1700	rundll32.exe	WORDPAD.EXE
PID 1700 wrote to memory of 1152	1700	rundll32.exe	WORDPAD.EXE
PID 864 wrote to memory of 2252	864	rundll32.exe	mspaint.exe
PID 864 wrote to memory of 2252	864	rundll32.exe	mspaint.exe
PID 864 wrote to memory of 2252	864	rundll32.exe	mspaint.exe
PID 960 wrote to memory of 2336	960	rundll32.exe	firefox.exe
PID 960 wrote to memory of 2336	960	rundll32.exe	firefox.exe
PID 960 wrote to memory of 2336	960	rundll32.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 2336 wrote to memory of 1368	2336	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2800	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2800	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2800	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 2304	1368	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\smthng_xuinya
1⤵
PID:3024

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2280

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\smthng_xuinya
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1628

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\smthng_xuinya"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\smthng_xuinya
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\smthng_xuinya
2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\smthng_xuinya
3⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1700

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Temp\smthng_xuinya"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\smthng_xuinya
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\smthng_xuinya"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\smthng_xuinya
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\smthng_xuinya"
2⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\smthng_xuinya
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.0.1372526501\279383905" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1216 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfff3357-e0cb-4e37-862c-a3cc3a76df90} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 1368 44d6758 gpu
4⤵
PID:2800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.1.1877350252\781478950" -parentBuildID 20221007134813 -prefsHandle 1528 -prefMapHandle 1524 -prefsLen 21799 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa19cfbb-2766-4f25-bd0c-4e8e56a07563} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 1556 41ecd58 socket
4⤵
PID:2304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.2.1600726033\800519935" -childID 1 -isForBrowser -prefsHandle 2216 -prefMapHandle 2212 -prefsLen 21837 -prefMapSize 232675 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cb4487b-86aa-45a8-9f9d-2c68f6e2976a} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 2228 19bea558 tab
4⤵
PID:536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.3.480930514\695247543" -childID 2 -isForBrowser -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a73a325-c0cd-4eba-a913-4521658c32e4} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 2480 1b844e58 tab
4⤵
PID:1524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.4.555608180\505584064" -childID 3 -isForBrowser -prefsHandle 3744 -prefMapHandle 1028 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0c7c9b1-e71d-4d12-b25b-6884f0488b48} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 3680 1e142558 tab
4⤵
PID:1800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.5.1939225448\1330237695" -childID 4 -isForBrowser -prefsHandle 3848 -prefMapHandle 3852 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7215c9dc-e06f-4898-a572-0553662d994f} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 3836 1e144058 tab
4⤵
PID:1876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.6.530821634\1855972597" -childID 5 -isForBrowser -prefsHandle 4024 -prefMapHandle 4028 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6917bc65-2860-4b22-9c52-6797b674cc80} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 4012 1e145e58 tab
4⤵
PID:2776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zf65wlcn.default-release\activity-stream.discovery_stream.json.tmp
Filesize
149KB

MD5
35d52a8f474079386a26aa0fce888a0b

SHA1
a0aa03d3400bcc8175fe1eb1ec192a7290e0baef

SHA256
d3b403ae38b82f03bae0abedfb32e220e9414cef585108406a00399b7040dae9

SHA512
9598d359b4f445c58cc8fece5131f7f21254d41d3fbe2d8514eee17e498363f2470aa3ace36140510f27a502ffaa4e450be424eb47f0b2131f092f9a843e2a3a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
172ca058110599c5f3e4c19c6a5d2891

SHA1
8220a5e98647c2bd3876a2cfeaba6d6da93f7304

SHA256
1020ff08789c970aeaf91b37a83cc6b9da275f139b1e5a6e0a653a382f89f54a

SHA512
87a7bce4692ffbfba91145b2b2b1db1831a4f65b7485f13c9acec98729661167a2c0f14d4e4200d08d9e89f799dafd227c879da8fc9d557857276e275325bd55

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1152-81-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/2252-87-0x000007FEF57D0000-0x000007FEF581C000-memory.dmp

Filesize
304KB

Download
memory/2252-88-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2252-89-0x000007FEF57D0000-0x000007FEF581C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads