730c80fbd03ad0dee1a018a681fdc6a06732698507b74b5c7f90f24c2c414509

Analysis

max time kernel
236s
max time network
251s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2023 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0EqdhRtlUd.exe
Size

79.3MB
MD5

ee204f2fa5ecdf11fa4b45f641fcd833
SHA1

e95005bcc416b0fc48e3e6f37c190f0a4346fb4f
SHA256

730c80fbd03ad0dee1a018a681fdc6a06732698507b74b5c7f90f24c2c414509
SHA512

9893f86978b1c73ee8b0ffd35caa459ecffd38a81664b7cdf3d5791ac8a184cb917b54ed79c33bdc1c379fed244ca51fafd7ea71741e70b4bdbd6a13fd8cbf7a
SSDEEP

786432:H7UgV/aq4CF6bomcfp8CerF/P1Q6nEL/t2zT/Ly/V5jiVa+:br/T6cB8VRtQ6EL/t2zTQ5p+

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5988	0EqdhRtlUd.exe
5876	0EqdhRtlUd.exe
5648	0EqdhRtlUd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2472	4120	WerFault.exe	80
2692	5988	WerFault.exe	116
1516	5876	WerFault.exe	121
1928	5648	WerFault.exe	130

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\0EqdhRtlUd.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	firefox.exe
Token: SeDebugPrivilege	4300	firefox.exe
Token: SeDebugPrivilege	4300	firefox.exe
Token: SeDebugPrivilege	4300	firefox.exe
Token: SeDebugPrivilege	4300	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe
4300	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4628 wrote to memory of 4300	4628	firefox.exe	97
PID 4300 wrote to memory of 1960	4300	firefox.exe	98
PID 4300 wrote to memory of 1960	4300	firefox.exe	98
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 4424	4300	firefox.exe	99
PID 4300 wrote to memory of 1844	4300	firefox.exe	100
PID 4300 wrote to memory of 1844	4300	firefox.exe	100
PID 4300 wrote to memory of 1844	4300	firefox.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0EqdhRtlUd.exe
"C:\Users\Admin\AppData\Local\Temp\0EqdhRtlUd.exe"
1⤵
PID:4120
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4120 -s 856
  2⤵
  - Program crash
  PID:2472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4120 -ip 4120
1⤵
PID:1232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.0.337784973\836446603" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55d70ec0-4d1d-405b-859e-4c8dd5020604} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 1964 203f80d7e58 gpu
    3⤵
    PID:1960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.1.1881607429\707613280" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {192235ac-5edb-4b44-b7da-5e7ba9bcb7cf} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 2364 203f7ffc358 socket
    3⤵
    PID:4424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.2.1539319713\741852674" -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3164 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3039a2d2-3c73-462a-b40b-84c43feae4d6} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 3024 203fbfad958 tab
    3⤵
    PID:1844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.3.672163324\1679723446" -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95a14dec-d01a-4248-94e5-d75c57e9d74d} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 3612 203fa7c7858 tab
    3⤵
    PID:920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.4.2145227989\1134519498" -childID 3 -isForBrowser -prefsHandle 4168 -prefMapHandle 4196 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {723d6106-f6ed-4811-8c20-64d2a5e55aa4} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 4208 203fabc1c58 tab
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.5.370644245\1695599459" -childID 4 -isForBrowser -prefsHandle 5020 -prefMapHandle 5036 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e6febfb-f448-412a-ac56-004fa5eb1ac7} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 5024 203eb66ca58 tab
    3⤵
    PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.7.402120522\1207556040" -childID 6 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {110c2825-143e-40b6-bf83-03c7c4122cab} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 5352 203fe4da858 tab
    3⤵
    PID:2948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.6.2354186\1346048900" -childID 5 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {802c7c99-3a2e-47f9-aa23-3d7aabc131cc} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 5164 203fe4d9f58 tab
    3⤵
    PID:3424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.8.320385119\1775630212" -childID 7 -isForBrowser -prefsHandle 5400 -prefMapHandle 5392 -prefsLen 26842 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68d96792-d4f2-4c0a-aad0-04841e67b451} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 3572 203fbf70058 tab
    3⤵
    PID:700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.9.688286925\2120381066" -childID 8 -isForBrowser -prefsHandle 10036 -prefMapHandle 10048 -prefsLen 26842 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bd6a7e2-7726-461e-8804-8ee87b97ec4a} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 10000 203fef1ee58 tab
    3⤵
    PID:4896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.10.2072533115\322247211" -childID 9 -isForBrowser -prefsHandle 10048 -prefMapHandle 9980 -prefsLen 27017 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c75fc2be-22ad-40d7-b728-9a96d0bd632f} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 5392 20400eb2458 tab
    3⤵
    PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.12.1988163694\1836783470" -childID 11 -isForBrowser -prefsHandle 9684 -prefMapHandle 9680 -prefsLen 27017 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48df9c33-5976-4c94-bba0-243e3b62963a} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 9692 20400eb4b58 tab
    3⤵
    PID:376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.11.578101148\1247481996" -childID 10 -isForBrowser -prefsHandle 8152 -prefMapHandle 8148 -prefsLen 27017 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {964c3266-a5cd-4d5d-b9e7-ecb991509db8} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 8160 20400eb3358 tab
    3⤵
    PID:4868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.15.1594002292\482355183" -childID 14 -isForBrowser -prefsHandle 9680 -prefMapHandle 9604 -prefsLen 27017 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62db265b-2f43-4371-95dd-75ccbc801a08} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 9392 20401ffae58 tab
    3⤵
    PID:5288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.14.1708161245\288941601" -childID 13 -isForBrowser -prefsHandle 8108 -prefMapHandle 8112 -prefsLen 27017 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {349bf523-28be-4a6c-a1cc-39d1a2ef0f5b} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 8028 20401163458 tab
    3⤵
    PID:5280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.13.1720593487\321120555" -childID 12 -isForBrowser -prefsHandle 8120 -prefMapHandle 8124 -prefsLen 27017 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f11c3586-b94d-4b09-85fa-da8cbe9abad5} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 10048 203fef1d658 tab
    3⤵
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.16.520595688\2129965365" -childID 15 -isForBrowser -prefsHandle 9080 -prefMapHandle 8916 -prefsLen 27017 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f46e0a00-f843-4bee-9961-877770fbd4ba} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 8952 204025aeb58 tab
    3⤵
    PID:5820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4300.17.484303980\1578907393" -childID 16 -isForBrowser -prefsHandle 4212 -prefMapHandle 9240 -prefsLen 27249 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {726c83b9-200d-4aff-b9af-76d246c13f7e} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" 8092 203ff632358 tab
    3⤵
    PID:1244
- - C:\Users\Admin\Downloads\0EqdhRtlUd.exe
    "C:\Users\Admin\Downloads\0EqdhRtlUd.exe"
    3⤵
    - Executes dropped EXE
    PID:5988
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5988 -s 860
      4⤵
      Program crash
      PID:2692
- - C:\Users\Admin\Downloads\0EqdhRtlUd.exe
    "C:\Users\Admin\Downloads\0EqdhRtlUd.exe"
    3⤵
    - Executes dropped EXE
    PID:5876
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5876 -s 832
      4⤵
      Program crash
      PID:1516
- - C:\Users\Admin\Downloads\0EqdhRtlUd.exe
    "C:\Users\Admin\Downloads\0EqdhRtlUd.exe"
    3⤵
    - Executes dropped EXE
    PID:5648
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5648 -s 864
      4⤵
      Program crash
      PID:1928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 5988 -ip 5988
1⤵
PID:5480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 5876 -ip 5876
1⤵
PID:4476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:220

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 5648 -ip 5648
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vjiou3c0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
b7d3609ada57d6d5621c6b95effe7a53

SHA1
ff1e7d6061a6000032ec5dd1292c94c681a8878c

SHA256
a1fcef76cab081c8ffa8b4caf08ab7d205238416aa2eaa870d17330968f9adaa

SHA512
a8d45ee4910f57845fc7e2a874261d9e591a98d6fccd0781ef26ac8a834150a38052fd25d247a98ffa6d56001e7493cca96573116ce94d1bbbca9c89a17718f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs-1.js

Filesize
6KB

MD5
8990b0eaf9296bebd66928395d5c4470

SHA1
f688568b0d05d80f6ba7e39555247cc8aa94696d

SHA256
c2ea75d20a8cad4e1df50c008cc0c419adffa6ecac115c682aa02c30cf0b8ef1

SHA512
01438055809f07054c5ec7c4655f5a085bae78c1c0a8e0bfe34a7eeb5d90a8177c5e32c1ed40a13dd6b62c495bc9d030eea193d8fad4e1a670f2eae1eff63f91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
747065e821c3e728d6f3fdf074f25c5f

SHA1
66be144028fff9540e3d5d604795a93ead948d37

SHA256
cdc2b5d760c315cb8f1c03dcf9e958aa4337b069999d2387e43d9ec79fca1f41

SHA512
ad68d718a7b2d824b0cbd0dc22541c2e200733255a3a49fa96a8bea058df50b423ac11fce7011e60ce962e86691290b32165cef3cad60a24af28cf568ddbccc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
366ad2cd8f19f68f2fe619bf8a28e767

SHA1
0afb00fa03c890254a464df8267cd83821592810

SHA256
730ec3a03c13dd3488ec9e046b0fef34abad1ddb5b0f59a88fad2d0e80c69219

SHA512
fca6e3baf6d37d19358f149410b6c5b3d06733dac8035cb8578f96e025ed1439a517b51eee4393a9fd30d10190b2cb120697053e1f6a010f10ae320d89eaeb07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
63f17b324385f66a68a08e2378f8bc95

SHA1
a00ad8a267188eee4038ba5e6a2c101d55f94e30

SHA256
82a0fae2f43a9b7fc10f2f2a72ca7a3fe13ec75520bd5c8d824131501e8bd21b

SHA512
6ccc4c3e3a06d86aa9d812a8191b1b4cbb720e9533619bec51f3a922027ff837df7c7ecd974c72713e939a4fb55b7fca597ff9dc71609b2153443b71b5e1a960

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
6a1b9d35ca49bbed9f1527e56a7b943d

SHA1
4beb5499ece0a0327406530c968c9918b9ac6be6

SHA256
09859d6187f219a40b17f4308536b85f352281ef8043d75c5805c78a02548574

SHA512
659ccad5ca95d808331c209cfa88876b20f33484aa046829274833c7cb1777c4a10e9a2eff82079392da3e1e1073f0e800fb81dfbb47fe906257a755d47413cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
1275e3ced873a8e3e966c50e9d294bb9

SHA1
a3de6f20d6afcd5d441a696c0b299f39f8d71896

SHA256
f90f8167ff213a4f4b97fa9b736a26c6703fac357373da06a6a787bde34ce993

SHA512
32486bcb706a59fd9027f6f38a1163647f0f8aef3263dc37e953b8804e3d226dbe7fb961057484b26e9195c9da61a87d01ee5e76dfef479390dd203674cc1d69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
06200c8244ef8a4914341d60552a1aee

SHA1
46f33429023a43a75de568de2f67cead445b9a2d

SHA256
c8614abe3e8b701f852adc265c1729dd811b8a824897ec9699495bcc77539bbc

SHA512
e9a0ca3b08a0b2a0c698e67f56cf197ca75d25d3223e4cb5be09870feef90daa390577f4042ccfb60da9c5a94b122d113de86be64bcccced26239500d299df65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
a1debf7a163544ffeb7e538314399bfa

SHA1
1769cc05df51f06eef70f0d13c8bde0f062e3b73

SHA256
e3e9817d8630a3e71dfdf0be864de3024eece42e04dfadc532a6583371d7cf62

SHA512
522cf16bbe5ac44b54752382d89d68f69f0813709db00e4e72839ca7ac00a7d0b1f7272dcebdbebc9c638f06645a1647e6c33c6bc2d2110f6c7ca129cf272415

Download Submit
C:\Users\Admin\Downloads\0EqdhRtlUd.Q0U7HgRT.exe.part

Filesize
79.3MB

MD5
ee204f2fa5ecdf11fa4b45f641fcd833

SHA1
e95005bcc416b0fc48e3e6f37c190f0a4346fb4f

SHA256
730c80fbd03ad0dee1a018a681fdc6a06732698507b74b5c7f90f24c2c414509

SHA512
9893f86978b1c73ee8b0ffd35caa459ecffd38a81664b7cdf3d5791ac8a184cb917b54ed79c33bdc1c379fed244ca51fafd7ea71741e70b4bdbd6a13fd8cbf7a

Download Submit
C:\Users\Admin\Downloads\0EqdhRtlUd.exe

Filesize
79.3MB

MD5
ee204f2fa5ecdf11fa4b45f641fcd833

SHA1
e95005bcc416b0fc48e3e6f37c190f0a4346fb4f

SHA256
730c80fbd03ad0dee1a018a681fdc6a06732698507b74b5c7f90f24c2c414509

SHA512
9893f86978b1c73ee8b0ffd35caa459ecffd38a81664b7cdf3d5791ac8a184cb917b54ed79c33bdc1c379fed244ca51fafd7ea71741e70b4bdbd6a13fd8cbf7a

Download Submit
C:\Users\Admin\Downloads\0EqdhRtlUd.exe

Filesize
79.3MB

MD5
ee204f2fa5ecdf11fa4b45f641fcd833

SHA1
e95005bcc416b0fc48e3e6f37c190f0a4346fb4f

SHA256
730c80fbd03ad0dee1a018a681fdc6a06732698507b74b5c7f90f24c2c414509

SHA512
9893f86978b1c73ee8b0ffd35caa459ecffd38a81664b7cdf3d5791ac8a184cb917b54ed79c33bdc1c379fed244ca51fafd7ea71741e70b4bdbd6a13fd8cbf7a

Download Submit
C:\Users\Admin\Downloads\0EqdhRtlUd.exe

Filesize
79.3MB

MD5
ee204f2fa5ecdf11fa4b45f641fcd833

SHA1
e95005bcc416b0fc48e3e6f37c190f0a4346fb4f

SHA256
730c80fbd03ad0dee1a018a681fdc6a06732698507b74b5c7f90f24c2c414509

SHA512
9893f86978b1c73ee8b0ffd35caa459ecffd38a81664b7cdf3d5791ac8a184cb917b54ed79c33bdc1c379fed244ca51fafd7ea71741e70b4bdbd6a13fd8cbf7a

Download Submit
C:\Users\Admin\Downloads\0EqdhRtlUd.exe

Filesize
79.3MB

MD5
ee204f2fa5ecdf11fa4b45f641fcd833

SHA1
e95005bcc416b0fc48e3e6f37c190f0a4346fb4f

SHA256
730c80fbd03ad0dee1a018a681fdc6a06732698507b74b5c7f90f24c2c414509

SHA512
9893f86978b1c73ee8b0ffd35caa459ecffd38a81664b7cdf3d5791ac8a184cb917b54ed79c33bdc1c379fed244ca51fafd7ea71741e70b4bdbd6a13fd8cbf7a

Download Submit
memory/4120-6-0x00007FF616DA0000-0x00007FF6176CC000-memory.dmp

Filesize
9.2MB

Download
memory/4120-22-0x00007FF616DA0000-0x00007FF6176CC000-memory.dmp

Filesize
9.2MB

Download
memory/4120-7-0x00000175137D0000-0x00000175137D9000-memory.dmp

Filesize
36KB

Download
memory/4120-16-0x0000017515130000-0x0000017515143000-memory.dmp

Filesize
76KB

Download
memory/4120-19-0x00000175137E0000-0x00000175137ED000-memory.dmp

Filesize
52KB

Download
memory/4120-0-0x0000000180000000-0x0000000180A22000-memory.dmp

Filesize
10.1MB

Download
memory/4120-10-0x0000017538800000-0x0000017538914000-memory.dmp

Filesize
1.1MB

Download
memory/4120-13-0x0000017538920000-0x00000175389C2000-memory.dmp

Filesize
648KB

Download
memory/4120-3-0x00000175137F0000-0x0000017513816000-memory.dmp

Filesize
152KB

Download
memory/5648-560-0x00007FF62BF70000-0x00007FF62C89C000-memory.dmp

Filesize
9.2MB

Download
memory/5648-588-0x00007FF62BF70000-0x00007FF62C89C000-memory.dmp

Filesize
9.2MB

Download
memory/5876-514-0x00007FF78BDF0000-0x00007FF78C71C000-memory.dmp

Filesize
9.2MB

Download
memory/5876-530-0x00007FF78BDF0000-0x00007FF78C71C000-memory.dmp

Filesize
9.2MB

Download
memory/5988-481-0x00007FF745BE0000-0x00007FF74650C000-memory.dmp

Filesize
9.2MB

Download
memory/5988-455-0x00007FF745BE0000-0x00007FF74650C000-memory.dmp

Filesize
9.2MB

Download