Analysis
max time kernel: 647s
max time network: 656s
platform: windows10-1703_x64
resource: win10-20230703-de
resource tags: arch:x64, arch:x86, image:win10-20230703-de, locale:de-de, os:windows10-1703-x64, system, windows
submitted: 16/08/2023, 10:13
Behavioral task: behavioral1
Sample: test.exe
Resource: win10-20230703-de
Errors: (none listed)
General
Target: test.exe
Size: 3.1MB
MD5: eecdbc78d76691a6be6cecc14a09968e
SHA1: 01cbea73481a01dfcbf5e84abb060d2915e4684c
SHA256: 781ecb1f7366bf4ae82fc447898d1ec82f49a48787dff6b0bfb9a0f69e85c354
SHA512: 1460dea51eef202616ce842586e3c0e4b561cdaf8cdc974a2a5a2cb5c6a0d64e4e592f0c2803aa8dfba9392f07d41573802fad5bc8a48c6cf1b8651cc1d849c6
SSDEEP: 49152:GHl592AYawl1WPOl6NVtRkJ0xEEmxR16cbRi+oGdhTHHB72eh2NT:GH/92AYawl1WPOl6NVLkJ0xEEgR16w
Malware Config
Extracted
Family: quasar
Version: 1.0
Botnet: Office
C2: 7.tcp.eu.ngrok.io:11273
Mutex: f66b5493-61eb-4d81-92bf-7cdd5011ca71
encryption_key: 5C8FA74B508E07066B897AA659A1D34132B54635
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: 1
subdirectory: SubDir

Note: the C2 is an ngrok TCP tunnel endpoint, which is what the "Legitimate hosting services abused for malware hosting/C2" signature below fires on. The hostname and port identify a tunnel the operator can tear down and re-create on a different port or region at will, not the operator's own server, so hunt on any *.tcp.*.ngrok.io connection as well as on the exact endpoint. No write of Client.exe under a SubDir directory appears in the file list below; the sample called shutdown.exe /s /t 0 (see the process tree), which ended the session.
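The following is an added example, not code from the sandbox report or from Quasar. It turns the extracted configuration above into host and network hunting checks and runs them over a handful of constructed endpoint events. The install-path and Run-key rules assume Quasar's usual layout, i.e. install_name placed under subdirectory in the install root and a Run value named after startup_key; the event records, the detectportal host, the updater.exe process and the second ngrok endpoint are constructed for the example and do not come from the report.

```python
"""
Hunting checks derived from the Quasar configuration extracted above.

Added example; not code from the sandbox report or from Quasar.
The install-path and Run-key rules assume Quasar's usual layout
(<install root>\<subdirectory>\<install_name>, Run value named after
startup_key). The endpoint events at the bottom are constructed for the
example and are not taken from the report.
"""
import re
from dataclasses import dataclass

# Values copied from the extracted configuration.
QUASAR_CONFIG = {
    "c2": "7.tcp.eu.ngrok.io:11273",
    "mutex": "f66b5493-61eb-4d81-92bf-7cdd5011ca71",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "1",
}

# Any ngrok TCP tunnel endpoint: the operator can re-provision the port or
# region at will, so the exact endpoint on its own is a weak indicator.
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io:\d+$", re.I)


@dataclass
class Event:
    kind: str   # "net" (host:port), "file" (path), "reg" (key\value), "mutex" (name)
    pid: int
    image: str
    data: str


def build_rules(cfg):
    """Compile one regex per event kind from the config values."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "net": re.compile(rf"^{re.escape(host)}:{port}$", re.I),
        # trailing "\SubDir\Client.exe" whatever the install root is
        "file": re.compile(
            rf"\\{re.escape(cfg['subdirectory'])}\\{re.escape(cfg['install_name'])}$", re.I),
        # HKCU or HKLM ...\CurrentVersion\Run\<startup_key>
        "reg": re.compile(
            rf"\\CurrentVersion\\Run\\{re.escape(cfg['startup_key'])}$", re.I),
        "mutex": re.compile(rf"^{re.escape(cfg['mutex'])}$", re.I),
    }


def is_ngrok_tunnel(hostport):
    """True for any ngrok TCP tunnel endpoint, not just the configured one."""
    return NGROK_TCP.match(hostport) is not None


def match_events(events, rules):
    """Return the events that match a config-derived rule or any ngrok tunnel."""
    hits = []
    for ev in events:
        rule = rules.get(ev.kind)
        if rule and rule.search(ev.data):
            hits.append(ev)
        elif ev.kind == "net" and is_ngrok_tunnel(ev.data):
            hits.append(ev)
    return hits


def summarize(hits):
    """Map each PID to the set of indicator kinds it triggered."""
    out = {}
    for ev in hits:
        out.setdefault(ev.pid, set()).add(ev.kind)
    return out


# Constructed endpoint events (not from the report); the PIDs and image names
# of the first entries mirror the process tree so the output reads naturally.
SAMPLE_EVENTS = [
    Event("net",   4968, "test.exe",    "7.tcp.eu.ngrok.io:11273"),
    Event("net",   3488, "firefox.exe", "detectportal.firefox.com:80"),
    Event("file",  4968, "test.exe",    r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"),
    Event("file",  3488, "firefox.exe", r"C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\cache2\entries\118BB2BA245AAA64B01692DF29396B97E11FC1A0"),
    Event("reg",   4968, "test.exe",    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\1"),
    Event("mutex", 4968, "test.exe",    "f66b5493-61eb-4d81-92bf-7cdd5011ca71"),
    Event("net",   1111, "updater.exe", "0.tcp.ngrok.io:44444"),
]

if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS, build_rules(QUASAR_CONFIG))
    for ev in found:
        print(f"{ev.kind:5} pid={ev.pid:<5} {ev.image:12} {ev.data}")
    print(summarize(found))
```

Run as written, the five hits are the four test.exe events and the unrelated process talking to a different ngrok tunnel; the Firefox cache write and the detectportal connection are left alone. The file rule matches on the trailing \SubDir\Client.exe only, because the install root depends on how the client was built and on whether it runs elevated.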
Signatures

Quasar payload (1 IoC)
  resource: behavioral1/memory/4968-117-0x0000000000B00000-0x0000000000E24000-memory.dmp
  yara rule: family_quasar
  (PID 4968 is test.exe; the payload was matched in the sample's own process memory.)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (15 IoCs)
All 15 are written by LogonUI.exe (PID 2952) under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ and are sign-in screen colour/DWM settings written when LogonUI.exe came up after the shutdown; they are not sample behaviour.
  Set value (int)   DWM\ColorizationColor = "3288365271"
  Set value (int)   DWM\ColorizationGlassAttribute = "1"
  Set value (int)   DWM\AccentColor = "4292311040"
  Set value (int)   DWM\ColorizationAfterglowBalance = "10"
  Key created       CurrentVersion\Explorer\Accent
  Key created       CurrentVersion\Themes\History
  Set value (int)   CurrentVersion\Themes\History\AutoColor = "0"
  Set value (int)   CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Set value (int)   CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Set value (int)   DWM\ColorizationBlurBalance = "1"
  Set value (data)  CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Key created       DWM
  Set value (int)   DWM\ColorizationColorBalance = "89"
  Set value (int)   DWM\ColorizationAfterglow = "3288365271"
  Set value (int)   DWM\EnableWindowColorization = "1"
Modifies registry class (2 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings  firefox.exe  (listed twice)

Modifies system certificate store (2 IoCs)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  test.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob, not reproduced here)  test.exe
  Caveat: a new entry under AuthRoot\Certificates is also the footprint of Windows' automatic root-certificate update, which runs in the context of a process that validates a TLS chain whose root is not yet cached locally. On its own this entry therefore does not prove deliberate trust-store tampering; weigh it together with the ngrok C2 connection and check which root the thumbprint belongs to before treating it as an indicator.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 208   EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  SeDebugPrivilege           PID 4968  test.exe
  SeDebugPrivilege           PID 208   firefox.exe  (x2)
  SeDebugPrivilege           PID 4936  firefox.exe  (x5)
  SeShutdownPrivilege        PID 1256  shutdown.exe
  SeRemoteShutdownPrivilege  PID 1256  shutdown.exe
  Only the test.exe entry is sample behaviour; shutdown.exe is the sample's child and needs SeShutdownPrivilege to do its job.

Suspicious use of FindShellTrayWindow (8 IoCs)
  PID 208   firefox.exe  (x4)
  PID 4936  firefox.exe  (x4)

Suspicious use of SendNotifyMessage (6 IoCs)
  PID 208   firefox.exe  (x3)
  PID 4936  firefox.exe  (x3)

Suspicious use of SetWindowsHookEx (16 IoCs)
  PID 208   firefox.exe
  PID 4936  firefox.exe
  PID 208   EXCEL.EXE  (x13)
  PID 2952  LogonUI.exe
  PID 208 appears against both firefox.exe and EXCEL.EXE: the PID was reused by EXCEL.EXE after the Firefox child with that PID exited (see the process tree). The signature tables key on PID and image name, so entries must be read with the image name, not the PID alone.
Suspicious use of WriteProcessMemory (64 IoCs; the list stops at 64 entries)
  PID 1336 firefox.exe -> PID 208   (target index 73)  x11
  PID 208  firefox.exe -> PID 1756  (target index 74)  x2
  PID 208  firefox.exe -> PID 3488  (target index 75)  x48
  PID 208  firefox.exe -> PID 4460  (target index 76)  x3
All of these are the Firefox launcher (1336) and parent (208) processes setting up their gpu, socket and tab children (see the process tree), which is normal browser behaviour and not attributable to test.exe. Because the list is cut off at 64 entries, the later tab children (PIDs 1720, 364, 4320, 2312, 2744) do not appear in it.
Processes

C:\Users\Admin\AppData\Local\Temp\test.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  PID 4968
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\shutdown.exe
      command line: "C:\Windows\System32\shutdown.exe" /s /t 0
      PID 1256
      - Suspicious use of AdjustPrivilegeToken
      (shutdown /s /t 0 shuts the machine down with no delay; this ends the session and is why LogonUI.exe appears at the end of the tree.)
C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID 1336
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID 208
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe  (gpu process)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.0.1769095693\525875252" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afd20bd9-0c85-48aa-b6cd-f58a7227f202} 208 "\\.\pipe\gecko-crash-server-pipe.208" 1764 2528e0d6858 gpu
          PID 1756
        C:\Program Files\Mozilla Firefox\firefox.exe  (socket process)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.1.1194289044\294948057" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c952efa5-ec74-4451-9429-043bcab51eb9} 208 "\\.\pipe\gecko-crash-server-pipe.208" 2120 2528dc30e58 socket
          PID 3488
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 1)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.2.1503346409\210400" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 3048 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbb5d6aa-fda0-4847-8ee7-2dcd4f3a375f} 208 "\\.\pipe\gecko-crash-server-pipe.208" 3024 252922ec858 tab
          PID 4460
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 2)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.3.367339332\2099748522" -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3428 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1084ca98-c997-423c-ac63-0b573753ee14} 208 "\\.\pipe\gecko-crash-server-pipe.208" 3452 25290b37358 tab
          PID 1720
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 3)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.4.162576551\1317084216" -childID 3 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3dfdd95-195a-4c0c-aecd-79e23ef93ad6} 208 "\\.\pipe\gecko-crash-server-pipe.208" 3772 25283161c58 tab
          PID 364
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 4)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.5.162110592\1421143292" -childID 4 -isForBrowser -prefsHandle 4628 -prefMapHandle 4656 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3b687b3-21b6-49a2-85fd-bbbf3babd4b1} 208 "\\.\pipe\gecko-crash-server-pipe.208" 4716 25290b37c58 tab
          PID 4320
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 6)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.7.570236312\1121716462" -childID 6 -isForBrowser -prefsHandle 5068 -prefMapHandle 5072 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0892161b-3f1f-49ec-a13d-2b4ad03ae819} 208 "\\.\pipe\gecko-crash-server-pipe.208" 4716 252946ca358 tab
          PID 2312
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 5)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.6.101298466\1734529498" -childID 5 -isForBrowser -prefsHandle 4876 -prefMapHandle 4880 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c30d79a2-0769-4e76-8144-e04810e15fb1} 208 "\\.\pipe\gecko-crash-server-pipe.208" 4868 252946cb858 tab
          PID 2744
C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID 2440
    C:\Program Files\Mozilla Firefox\firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID 4936
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
        C:\Program Files\Mozilla Firefox\firefox.exe  (gpu process)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.0.1413823450\1891986387" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dc0b0c4-f414-4e89-bdf9-f8079d1b1c7d} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 1764 17b146d6558 gpu
          PID 3236
        C:\Program Files\Mozilla Firefox\firefox.exe  (socket process)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.1.511606937\2011904631" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {552b8e95-0eb9-4ce4-965d-deeb7897decc} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 2120 17b0956f858 socket
          PID 4792
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 1)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.2.1028359774\1704020351" -childID 1 -isForBrowser -prefsHandle 3232 -prefMapHandle 3248 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce420ae-1339-45ad-aeb5-68bcbae3172a} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 2792 17b185d0558 tab
          PID 4696
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 2)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.3.434948343\1253193167" -childID 2 -isForBrowser -prefsHandle 1004 -prefMapHandle 972 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80ee9c82-294d-4983-b5fc-6d0205481d50} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 3780 17b09562b58 tab
          PID 3376
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 3)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.4.1300884846\426975889" -childID 3 -isForBrowser -prefsHandle 4296 -prefMapHandle 4288 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5224694c-a39c-4af6-8da6-a27457ba11a6} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 4312 17b1a79f258 tab
          PID 1244
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 4)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.5.1449651103\1629294679" -childID 4 -isForBrowser -prefsHandle 4708 -prefMapHandle 4744 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d390c0eb-b126-49de-a3f6-da88b4c88946} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 4724 17b197be458 tab
          PID 860
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 5)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.6.1920493624\2040117799" -childID 5 -isForBrowser -prefsHandle 4972 -prefMapHandle 4976 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {051436a1-cd42-4049-a001-ea2a0396c1f4} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 4964 17b197bf358 tab
          PID 2320
        C:\Program Files\Mozilla Firefox\firefox.exe  (tab, childID 6)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.7.1105210350\1699018455" -childID 6 -isForBrowser -prefsHandle 4688 -prefMapHandle 4648 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30d72dcb-7649-4110-a482-354d138ed5be} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 4852 17b1a79fe58 tab
          PID 2780
C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID 4656

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\SubmitStep.xlt"
  PID 208
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x0 /state0:0xa3aed855 /state1:0x41c64e6d
  PID 2952
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

The two Firefox trees, rundll32.exe (a shell32 COM local-server host), EXCEL.EXE and LogonUI.exe are all top-level processes with no parent link to test.exe. They come from the sandbox's own desktop activity and from the shutdown the sample triggered, and their signature hits should not be attributed to the sample. EXCEL.EXE runs under PID 208 only after the Firefox child that had PID 208 has exited, which is why both images appear under that PID in the signature tables.
Network
MITRE ATT&CK Enterprise v15
Downloads
All named entries are Firefox profile and cache files written by the browser activity in the sandbox, not files dropped by test.exe; entries without a path are listed as they appear in the report.

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\activity-stream.discovery_stream.json
  Filesize: 150KB
  MD5: fcf5c7d2400f1bee48933205a70fef1a
  SHA1: b7fdc6a64188edc9ebb67c02d8d46e13799d0da5
  SHA256: 9356caed9848ff6f5beb42402b04beb83238c13212efd5e507b8cdd7a8162084
  SHA512: c83fb559a023027435683e189116455ddf33152aaa3de968a53a8ab5fec6ca374c2fe0bb6caed51c50c78bdc171e188b98b2827882df9bc5a6713f058681f095

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 150KB
  MD5: fcf5c7d2400f1bee48933205a70fef1a
  SHA1: b7fdc6a64188edc9ebb67c02d8d46e13799d0da5
  SHA256: 9356caed9848ff6f5beb42402b04beb83238c13212efd5e507b8cdd7a8162084
  SHA512: c83fb559a023027435683e189116455ddf33152aaa3de968a53a8ab5fec6ca374c2fe0bb6caed51c50c78bdc171e188b98b2827882df9bc5a6713f058681f095

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\cache2\entries\118BB2BA245AAA64B01692DF29396B97E11FC1A0
  Filesize: 14KB
  MD5: cb075adfcb82f3ae4c195e690068166d
  SHA1: 86a06b70b04e659793023acba29141df7355a232
  SHA256: d1b9677e52ea062883619acfa84b2f6f30a1a996a2ce57e69430f36389930c8f
  SHA512: 30e574ea1d25c23c1fad91516fefe893624c0adc39c620c4e991203af25032a4fe0f936ffd10e607d134da396b8b439c21fa8eec9e0642ae1e123dc05a13fd37

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495
  Filesize: 9KB
  MD5: f86cfa7ff661197e3981ce19574758fc
  SHA1: 8b6cf87908d88975d1cbba435d11268ed1772a62
  SHA256: 5596b869a647830766fcc5874a565c70590a2fc80ebd8d50e4cb37055a88fcb2
  SHA512: 74d64e426cc2bca45628d85ecb3a49a503043cecc4c329750a89a197da3b0d14a7da3c7019fb301508c60a92be000d33fb1ab42763be62970d4757a4b5405dc8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
  Filesize: 9KB
  MD5: 7bfd85d0318421ea730ce9d3bc60029b
  SHA1: 561d94d3adb89a9d6d32d26ea7a8b183e36a78d2
  SHA256: 81a86ea7ef3a9005a5d74c3bd7bbee91ee12273f267f37168cef77eb03877d00
  SHA512: baf824823fd8d92c17af051431028ac44c44462d8d9c960643b3e31f5c8141af5d19a949825cb62f58ae16c7b7210bd3d589e4cabf24b50d8ca0c61fe69397ac

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\startupCache\scriptCache-child.bin
  Filesize: 464KB
  MD5: b1c0b3951a7abee30fb0ab72941beba3
  SHA1: 3d996cedee1d6eb87d144f8e220d41740978247e
  SHA256: 41edcec5320de0978c90cc2563ad07fd3e1e39b00be164ec27a299885b71299f
  SHA512: dc2f9b4b5e4a81d9537d47372763b7570e8dee1b25e80131548ad816c8823424e9e2e298975932ea2d36e680922312cab5e65ee6c5715ba078a4c28d11b8829f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\startupCache\urlCache.bin
  Filesize: 2KB
  MD5: 1fa3d6b00e8aa8f8d55f611abf82093b
  SHA1: 4ada2cc332923850d06972a2abf1108e89c54af8
  SHA256: e9d208c0c02474d49986a3304ce9f9183e6632ae3cd23250a148c774a2863c87
  SHA512: 3d741ae0d7a713e1d00faabd83b5e86289cdfb14d28e430f2b235b8780a4a7fb45bbb91ef1068a8fa3a1af17fb27a589eaf6019989f5a0541af0cca8550680af
(path not shown in the report)
  Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

(path not shown in the report)
  Filesize: 257B
  MD5: 27766d11f17795d46a68795d9531d594
  SHA1: 25f5021b53f0adb8909f0f7f5903af44f1ebdd03
  SHA256: bb334b5073915f8a77a66f1bf9f59cc6cd95b88bcdba37a7959961d278663a18
  SHA512: 5ba19a04d579864b6cad1c2f45cd1f67350bb86814516dfd2596691eb5a4b35b81cc9f9a1c421915d7e8e0295ef9c2909202e1e0786a10e1de9c5e88c618c729
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\datareporting\glean\db\data.safe.bin
  (listed twice in the report with identical hashes)
  Filesize: 182B
  MD5: 63b1bb87284efe954e1c3ae390e7ee44
  SHA1: 75b297779e1e2a8009276dd8df4507eb57e4e179
  SHA256: b017ee25a7f5c09eb4bf359ca721d67e6e9d9f95f8ce6f741d47f33bde6ef73a
  SHA512: f7768cbd7dd80408bd270e5a0dc47df588850203546bbc405adb0b096d00d45010d0fb64d8a6c050c83d81bd313094036f3d3af2916f1328f3899d76fad04895

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\datareporting\session-state.json
  Filesize: 161B
  MD5: b3975ccb085e6bd4bff124807f1f6ad3
  SHA1: 5ff9352c6a2275046c0b0da22d4284800def2ea0
  SHA256: 61a603d24e4ddb9d2d7a7b404c5b14896c84fa2b88f0bc7a848f864c545296ce
  SHA512: 63df8d9a6af8d7ca3407ec1ff87956bf324f403acf6309fa6eadd5c40937358970376d06842210d268c30659740272fa0a55f1bbec242fcb23559cd5c23b6ad8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
  (Firefox's OpenH264 media plugin, fetched by the browser itself; the only DLL in this list and not related to the sample)
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
(path not shown in the report)
  Filesize: 6KB
  MD5: 5523a610bbfb66c2d4a58c3f28732937
  SHA1: 2362dc6457f6413ad8180eab35e9fcb440321577
  SHA256: e287895ddcdcf9fb2d808e200022058b0692bd68b58f6a5f3aa5b0cbbe5d7f27
  SHA512: ed7a14608eab78a9c5eb29671dc03d5a1b1cbd73075258d90497e56aec2784d3b8e0104c74af1ab83539d657957e89e1ce6d4a95a092281ce140d7a8dd654d3d

(path not shown in the report)
  Filesize: 7KB
  MD5: 43cc207942adcef7c5ea07d3a031d484
  SHA1: bdae079e547ee878c22592b42ec5ab8b7c58f4a0
  SHA256: 1ea2c42c9924ae0c2594c8b260dd981987956ce49443d5c1b148aeaed9a05b9f
  SHA512: c59fbb9963757657c96ba6dd1822312da423809947f6d2eb87183df7b16e6c656224c6dc37c30dbee3207b60ed505e3fbda2faeeeb5c05375cc71cdfb293bd10

(path not shown in the report)
  Filesize: 7KB
  MD5: c2d4e250cd7a6aa834c5cb69b6301e86
  SHA1: 66c2103b8538e9d34712b0acaea3e8af9ab2a604
  SHA256: 4b59ebc97555ee0cec0531ad192ef99add527fc5fcf92371acae095f051eda2d
  SHA512: 72625eaa4eb8152396769fccfe12027c42f572b290d5b0cfd8db181a78a56aec87117735e507be154d6d8ed206418a946611e86eab3e307e94d48f5032810a7f

(path not shown in the report)
  Filesize: 7KB
  MD5: e292e07c0aaceac299f0bd98a1d004fa
  SHA1: c9548323533467bdffdd5424f2163e22406c5136
  SHA256: 3e4339804c6c75b467d00d74972eb7cbc9f272497948fcd4838d33bda85dc994
  SHA512: efc7c8e65eb8217d6327a8636c887ade2aa8025f65b64cbf25eb2b22165b9a79791f2d2a71fcbd88b3a50da8b9d25a643c49bf52c5ce144a2fd3138a4aad130b

(path not shown in the report)
  Filesize: 7KB
  MD5: 185fd0ed8fd796bb50f98518b59cc789
  SHA1: b2e4dba350ab3a2579d323ec843b04a078e0dea9
  SHA256: 3637f7e85787c701d474d47f7db663440a00d30dcaaa9ce32d64f0ea29931ed8
  SHA512: 6ae3f29c24e9ec5d185fd62830480488abd1e2dc8228cdc0aed6fffb03da6614026ee2447c36ec7db58c0d87bb79de85e7ceb3b6d563640f1426205ed44441cc

(path not shown in the report)
  Filesize: 6KB
  MD5: 00e76249f8a1a2f8f6950eaf87cf6b89
  SHA1: a51dd0545f26a746196cb650a4f0aaaf605d7c96
  SHA256: 873c86032dc0ee33cd660cba82f6fde8634baff80f79588e1725ee75116f5add
  SHA512: 4f8c2125910b73423bbb53a780a211e3055b074cb7ac9e88fe74db6bc8ab253322fd96f2474ac2835be4957bf0084e9543b062e4738ca6764b4888a832bfb9cd

(path not shown in the report)
  Filesize: 64KB
  MD5: 49397db0486dc59d607907a086f40c9b
  SHA1: 08742ce9db9569062def08e99eea8470702feb7d
  SHA256: 890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4
  SHA512: fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionCheckpoints.json
  Filesize: 288B
  MD5: e08ef355498ae2c73e75f5a7e60eada5
  SHA1: c98b5ab80782513f6e72d95ab070e1ed7626c576
  SHA256: d1a98a30522d1bf882574df5ed2793bba5c4fdf0381788babea0846f6946745c
  SHA512: a0550e83ecd1cf632b4e54bf43744ee9f7c0a8dfcf9a043e018c00d4ca0bba606cfcaaa469b204e7c9dffec1f79b91e16cd4f1c94ff512c45d3dd25b7174e859

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionCheckpoints.json.tmp
  (four successive versions of this file were written; each is listed with its own hashes)
  Filesize: 122B
  MD5: 99601438ae1349b653fcd00278943f90
  SHA1: 8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9
  SHA256: 72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a
  SHA512: ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionCheckpoints.json.tmp
  Filesize: 90B
  MD5: c4ab2ee59ca41b6d6a6ea911f35bdc00
  SHA1: 5942cd6505fc8a9daba403b082067e1cdefdfbc4
  SHA256: 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
  SHA512: 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionCheckpoints.json.tmp
  Filesize: 259B
  MD5: c8dc58eff0c029d381a67f5dca34a913
  SHA1: 3576807e793473bcbd3cf7d664b83948e3ec8f2d
  SHA256: 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
  SHA512: b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionCheckpoints.json.tmp
  Filesize: 53B
  MD5: ea8b62857dfdbd3d0be7d7e4a954ec9a
  SHA1: b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
  SHA256: 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
  SHA512: 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: b2d25afc20aa49453935561f6fef77a7
  SHA1: bbc3cf3f2cf1421b845afd057e158db9ef049f5b
  SHA256: d6a171589f38f5c71ff6a1a6c4f059b3b8ca19312d152ec12e3529b3f31f34b5
  SHA512: eba9cd88576ca33bc06d53df958d10949174b4c5c3ee84b252f95006881f5e5ca5e1d6daa3ef73ae189f31c2ed81f5efde1073159c0323b35cd7e0ea9afd5959

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore.jsonlz4
  (listed twice in the report with identical hashes)
  Filesize: 883B
  MD5: 69aacfde0de086e3f7b7ea6bcce1107a
  SHA1: b584397321dff457f51190d18f3188b2a3a365ec
  SHA256: ce6c214f924092216ecf61125c432db71c5a9770d210940a3f2313326322df5e
  SHA512: 8f2ef8e138f1babaf01f6cf7964fd6b07716716100c7fdb1c637ea973b7fc7ca084defd7bad1fdd0166f97696280f744349ef2a3e21adcfd6294a8f9798f3ade

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore.jsonlz4
  Filesize: 853B
  MD5: 4c3b19090d9a45dee42f414bd9caa046
  SHA1: 4e1e62aa13a26844498611af5c9f18f5bb70fe5d
  SHA256: 553cccf12d43365fdd55c6d7d2a57179ccb32bc5369de62cabbe559b033b9362
  SHA512: 274301b0e635cf5535e4a41ae9233c3b874c42fe9cf52691e1a8475a608b2981485d940d84f33fee773a20d0e1e72c5815c204d2241566cea4509bddd0c76ff9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
  Filesize: 48KB
  MD5: bc599f77a10c3966af802ed338fe4dd9
  SHA1: 4cd4db1484b716ce6cd0761fe782390f1c954352
  SHA256: c1feabd5bf4c9860dabbbbf48150d22ee71ed35115ebd1223306a2e4b3906401
  SHA512: 7d922be7406851d3bb84478e78136dac2409086fb072383240d1de0c08b4ad524be653d0bfa220e52ebfd4b5839b0c43f3b40e5a444fd393ddc28851a92dcd6e
(path not shown in the report)
  Filesize: 120B
  MD5: 05e1ddb4298be4c948c3ae839859c3e9
  SHA1: ea9195602eeed8d06644026809e07b3ad29335e5
  SHA256: 1c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be
  SHA512: 3177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e