9e871595e30e5d22e58325d8c069cb48612ae07689dff680228af33911e55a27

Resubmissions

15-03-2024 14:40

240315-r127esba6z 7

15-03-2024 14:33

240315-rw21vsda32 7

15-03-2024 14:30

240315-rvhktsah3x 3

Analysis

max time kernel
111s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VIRUS DO NOT OPEN.rar
Size

13.5MB
MD5

d78c6d4e78955a325452674d32bc7be6
SHA1

3d27759d5ba0f1067ca62e7c9ce061db1017681f
SHA256

9e871595e30e5d22e58325d8c069cb48612ae07689dff680228af33911e55a27
SHA512

7b6f5b4397ede6026193604505bca1d03b765f6d79d9d2f816a665b175371f3d7f12b82c62b3b4999d325bab4d6822fe3037cf61dd770e88208a881b425ece7e
SSDEEP

393216:LJFSF15WwTui+xUn1n24bYdhvNeltrNaD:LJFjyuin2zb1OpNC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1784	Latzerus.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
113	discord.com
116	discord.com
118	discord.com
178	discord.com
198	discord.com
224	discord.com
271	discord.com
111	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
928	powershell.exe
928	powershell.exe
2088	powershell.exe
2088	powershell.exe
928	powershell.exe
2088	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
2128	powershell.exe
2128	powershell.exe
2128	powershell.exe
3312	7zFM.exe
3312	7zFM.exe
3312	7zFM.exe
3312	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3312	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3312	7zFM.exe
Token: 35	3312	7zFM.exe
Token: SeSecurityPrivilege	3312	7zFM.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeIncreaseQuotaPrivilege	2088	powershell.exe
Token: SeSecurityPrivilege	2088	powershell.exe
Token: SeTakeOwnershipPrivilege	2088	powershell.exe
Token: SeLoadDriverPrivilege	2088	powershell.exe
Token: SeSystemProfilePrivilege	2088	powershell.exe
Token: SeSystemtimePrivilege	2088	powershell.exe
Token: SeProfSingleProcessPrivilege	2088	powershell.exe
Token: SeIncBasePriorityPrivilege	2088	powershell.exe
Token: SeCreatePagefilePrivilege	2088	powershell.exe
Token: SeBackupPrivilege	2088	powershell.exe
Token: SeRestorePrivilege	2088	powershell.exe
Token: SeShutdownPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeSystemEnvironmentPrivilege	2088	powershell.exe
Token: SeRemoteShutdownPrivilege	2088	powershell.exe
Token: SeUndockPrivilege	2088	powershell.exe
Token: SeManageVolumePrivilege	2088	powershell.exe
Token: 33	2088	powershell.exe
Token: 34	2088	powershell.exe
Token: 35	2088	powershell.exe
Token: 36	2088	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeIncreaseQuotaPrivilege	1988	powershell.exe
Token: SeSecurityPrivilege	1988	powershell.exe
Token: SeTakeOwnershipPrivilege	1988	powershell.exe
Token: SeLoadDriverPrivilege	1988	powershell.exe
Token: SeSystemProfilePrivilege	1988	powershell.exe
Token: SeSystemtimePrivilege	1988	powershell.exe
Token: SeProfSingleProcessPrivilege	1988	powershell.exe
Token: SeIncBasePriorityPrivilege	1988	powershell.exe
Token: SeCreatePagefilePrivilege	1988	powershell.exe
Token: SeBackupPrivilege	1988	powershell.exe
Token: SeRestorePrivilege	1988	powershell.exe
Token: SeShutdownPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeSystemEnvironmentPrivilege	1988	powershell.exe
Token: SeRemoteShutdownPrivilege	1988	powershell.exe
Token: SeUndockPrivilege	1988	powershell.exe
Token: SeManageVolumePrivilege	1988	powershell.exe
Token: 33	1988	powershell.exe
Token: 34	1988	powershell.exe
Token: 35	1988	powershell.exe
Token: 36	1988	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1956	firefox.exe
Token: SeDebugPrivilege	1956	firefox.exe
Token: SeIncreaseQuotaPrivilege	2128	powershell.exe
Token: SeSecurityPrivilege	2128	powershell.exe
Token: SeTakeOwnershipPrivilege	2128	powershell.exe
Token: SeLoadDriverPrivilege	2128	powershell.exe
Token: SeSystemProfilePrivilege	2128	powershell.exe
Token: SeSystemtimePrivilege	2128	powershell.exe
Token: SeProfSingleProcessPrivilege	2128	powershell.exe
Token: SeIncBasePriorityPrivilege	2128	powershell.exe
Token: SeCreatePagefilePrivilege	2128	powershell.exe
Token: SeBackupPrivilege	2128	powershell.exe
Token: SeRestorePrivilege	2128	powershell.exe
Token: SeShutdownPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3312	7zFM.exe
3312	7zFM.exe
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 3312	3996	cmd.exe	90
PID 3996 wrote to memory of 3312	3996	cmd.exe	90
PID 3312 wrote to memory of 1784	3312	7zFM.exe	104
PID 3312 wrote to memory of 1784	3312	7zFM.exe	104
PID 1784 wrote to memory of 4040	1784	Latzerus.exe	106
PID 1784 wrote to memory of 4040	1784	Latzerus.exe	106
PID 4040 wrote to memory of 648	4040	cmd.exe	108
PID 4040 wrote to memory of 648	4040	cmd.exe	108
PID 1784 wrote to memory of 928	1784	Latzerus.exe	109
PID 1784 wrote to memory of 928	1784	Latzerus.exe	109
PID 1784 wrote to memory of 3588	1784	Latzerus.exe	110
PID 1784 wrote to memory of 3588	1784	Latzerus.exe	110
PID 1784 wrote to memory of 2088	1784	Latzerus.exe	111
PID 1784 wrote to memory of 2088	1784	Latzerus.exe	111
PID 928 wrote to memory of 5076	928	powershell.exe	113
PID 928 wrote to memory of 5076	928	powershell.exe	113
PID 5076 wrote to memory of 4068	5076	csc.exe	114
PID 5076 wrote to memory of 4068	5076	csc.exe	114
PID 1784 wrote to memory of 1988	1784	Latzerus.exe	116
PID 1784 wrote to memory of 1988	1784	Latzerus.exe	116
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 3732 wrote to memory of 1956	3732	firefox.exe	119
PID 1956 wrote to memory of 3020	1956	firefox.exe	120
PID 1956 wrote to memory of 3020	1956	firefox.exe	120
PID 1784 wrote to memory of 2128	1784	Latzerus.exe	121
PID 1784 wrote to memory of 2128	1784	Latzerus.exe	121
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123
PID 1956 wrote to memory of 644	1956	firefox.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\VIRUS DO NOT OPEN.rar"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUS DO NOT OPEN.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\7zO0FC0E8A7\Latzerus.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0FC0E8A7\Latzerus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "chcp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c "Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bah11ruo\bah11ruo.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1306.tmp" "c:\Users\Admin\AppData\Local\Temp\bah11ruo\CSCEEA43496173D4CFCB19D43B0C316ACBD.TMP"
        6⤵
        
        PID:4068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
      4⤵
      PID:3588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.0.490364772\1434098820" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1912 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43d26c58-d51c-4a3e-8475-82f3aa2a59f0} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 1996 1a2d59f6758 gpu
    3⤵
    PID:3020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.1.853474829\717069087" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {403e3aee-6faa-476d-8189-0d1811cd9367} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 2396 1a2d5530458 socket
    3⤵
    - Checks processor information in registry
    PID:644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.2.1619168938\122685884" -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 2992 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac8328ac-cf46-4f3c-97dd-1d16244caae3} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 3092 1a2d9ba5d58 tab
    3⤵
    PID:388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.3.1551249132\683370330" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76ce19cf-7393-41c7-bb1c-7565ce3927a5} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 3580 1a2c915ec58 tab
    3⤵
    PID:5228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.4.1601085155\1492367626" -childID 3 -isForBrowser -prefsHandle 4620 -prefMapHandle 4616 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4401238-6736-4732-8f11-94c090d5b143} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 4628 1a2db811a58 tab
    3⤵
    PID:5620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.5.1740220808\1151528924" -childID 4 -isForBrowser -prefsHandle 5028 -prefMapHandle 5020 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6d34565-b22f-4064-ad4c-5f7799020aee} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 5000 1a2dbf2fb58 tab
    3⤵
    PID:6016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.6.462612075\1409558013" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30132647-2d39-4cc3-b436-71d3e07bccfe} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 5152 1a2dbf2ce58 tab
    3⤵
    PID:6036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.7.506286983\2009836360" -childID 6 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {017e8c16-0f6b-4576-86a7-0872486d329d} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 5364 1a2dbf2e358 tab
    3⤵
    PID:6044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.8.212551353\1716201941" -childID 7 -isForBrowser -prefsHandle 5940 -prefMapHandle 5936 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70f7da62-07e7-4a0d-9574-db59e9e686c6} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 5948 1a2dd7f4858 tab
    3⤵
    PID:5532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.9.2079915645\1697323025" -childID 8 -isForBrowser -prefsHandle 6108 -prefMapHandle 4636 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b40d42-4823-4f13-9433-ce6c1e2612ec} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 1680 1a2de00d258 tab
    3⤵
    PID:5980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x498
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8519ebbbf9b7580d21f174a622d3c4f8

SHA1
6cd9bf31c44f271d85ee85af644cd291b1913811

SHA256
ee9c6de04938242b8497064f32a8c6bdb70a2e29e8604326b5e515b3cf792743

SHA512
aff270d42547fe08f38bf04dd9220f4d5cb08d2cf0338e0a3c55b73cc89f4c9ff680d279aa55ffda1399a3ec9366c0d85972b10a4a78a85f07a638441993ac07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0FC0E8A7\Latzerus.exe

Filesize
7.4MB

MD5
13c78d7920c5ff73432f5f3a46b23b39

SHA1
79d2122d52f7b7c561c6eac13f961fb08b5ed091

SHA256
b4b13ad4426d73e96849dbe12a1f2d2e56668ec07ca0b251bcb3685eea15dea6

SHA512
6b62c06c561fd5055399acdf04fbe3e9972bb0890de5954230e2f5391ea4ff4650e096c62b33242e4798a7fab33c5f30f7e564b9b855b9561807713c93ac3dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0FC0E8A7\Latzerus.exe

Filesize
10.1MB

MD5
0cbee47157ed1d437aa3c19df19c2a2c

SHA1
94d95c07b0b9100d528340b9903e4c9c14349b43

SHA256
f6b44ff9fd9ce1fd6fc258c43659d2f7b1f7b48e3816ea7644bd8b65af57fc71

SHA512
a06fe19b5dc8560a8201cf0e4db6e2e8b6f42b9ddbc5fffc709f3331ddd1e8f6df8136b0ec9d6789f4cfc26efced7a3094ecdc123b9223b2118c43dbe3393f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0FC0E8A7\Latzerus.exe

Filesize
10.9MB

MD5
7927762e26fb387595b31c452c7597d9

SHA1
e51c971f37999ce2d23d4bf90b9906809d4b18d2

SHA256
11c1905beb1affde0a26962506c0ccf0a25bb79b7c39f98e4302a3782b74ecaf

SHA512
ace08bb16b1b3e6cf1acf38db908fc227c52e27b34d2238302cda1affc7f82bdbc93ef65d0aa16f18020b409b8f9589e5079a9b34b54e88e8df19181eefe6781

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1306.tmp

Filesize
1KB

MD5
1e1ff56a917459813eb98f0f69d88c5e

SHA1
e26932691a3ca3096282835896bb5e08da6e4782

SHA256
4fab0a5b005e5d7872c98b176606bf151dd662e9bfa19924c7cbc1fbdd767512

SHA512
0eef9ab0774f009cbf28c44965b7cd1d9252c4cff641a6eb0585d7e8a73575e51d32995f0f356ad6f3d7319c2df3ffc0eba760faced498722133a70768352cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgnet0g3.s42.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bah11ruo\bah11ruo.dll

Filesize
3KB

MD5
1cf5a1bfd8079618b3cd70f8ad355fe6

SHA1
00149f4b85cd80f5f4f1874db2bf68f646674eb3

SHA256
a9250298a16fd3e848e0c6fdb45fa71602d20891057336351e216ccc1f95a0db

SHA512
d4a50a835cbfe0c02e537cd2e99adbe87e5f236da4b1b98b8ef446931d771cb53c7441ba2c13f6ab0d6315dd0988a0ce694167160c889ee1a1d0f1d66e63e91d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
5ce7d7a0b22288ad90ba0a53ad439632

SHA1
6dffee7a04b67b5654faefa791df81c0f50e111f

SHA256
51118fd12937ae98124f55ab86ccdb0e8f24613c1ff27232352f46bcbaf5b34e

SHA512
ec7a2fe217d52d10b56637b35b546920ad0fa3c59fd7e7b8c72b0053facd58597cbf260d7a8d9024e2a9b15934a19a2099b2d857e60848ed5f8327d09f202bbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\pending_pings\776fccff-4595-4a58-8f1d-724e8a9b80da

Filesize
11KB

MD5
29377cdd2153dff385a527b8395f0cd8

SHA1
faaccc0d4eeb219def5a44da4b3b7f5e814beccc

SHA256
c3831f9eff5f52a8cc0b75bd1490096f3a10614cc6d6753a5b0976b469c7b0fb

SHA512
f1b75b2270a77ec5655d4bc3856f66e50efa8963eed23d965f3631cdcfce9d33cd0b27b4bbf3c8402e4e5c13f348248c6bf6fa7497b0835aa66a8fc83405e54a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\pending_pings\7b5e6641-747a-4d1a-a4f6-a6b5470b3c1a

Filesize
746B

MD5
efb7b2d47edeb18aa00e40c76f270a2c

SHA1
df325df7bb9a945bdb5db9b18c733a626a803558

SHA256
47f2a93cc31252e7868d32654d7a25690916c1215179d19517f0043378d3a206

SHA512
822659a81e5a08c5047e7daab683228c9aaab38b2c0ecb478b1f9dc7db453fb991b90e098d2ec79968ac7a85d16e21b210e3866b8dfa7bf83c6ef55ce678793d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\prefs-1.js

Filesize
6KB

MD5
d1581173a43da44815f292b296b22b9c

SHA1
55c2a3d6a1277bd57da473c7f5b8ef02ff2d1015

SHA256
68336681874f214661ec971744c95f2872f1a09c1af3291a649b7b05193c7dd6

SHA512
a33a206582da50b62eb2609b6072c13950f8b5751b08bf5561830684d591d368bdefefc9cb527b4b09be7fef33c46839d11fa6ddec28e0a8701622b125e1e1d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\prefs-1.js

Filesize
6KB

MD5
f8ccf90a78a2d291a59587910b0658d5

SHA1
db7b52dd3d40725af37002372ba567905331a98d

SHA256
73dac2b067456a48cc9bcca713cd06bc6e416ea143ab405de7c2b9526d6a97b1

SHA512
e08ade904f5f7eaf4e573ad1b00e3038fea86c4a739a3b3e1635e88fbe3b816ab1b5c8417d37cf80af9a59d7b2bd55035dc8baf4aeb200d4b3ce50537ee38c8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
78cfc487d43307598442e3cd0d63b6ed

SHA1
6346d20b885dfdf6893f8c0ac236daf1fde7bf69

SHA256
05064fe9bc5c9aa39eb5ff5cd094b64408fc93b7ce32ca3c5c7f5141ec46bfd6

SHA512
501ae286f92c799b9e23f9d570492aff49fa4a374fe05be84f678d2e9bf461d0fbae6592c73e7131d4513304742e2cd82af5b17fae44390fb79709de8237a928

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
25KB

MD5
4f267fa805f60dd2c36928728cab388c

SHA1
9e1b3dbc40dd4b1529a0580586ad74f24ed86b86

SHA256
8d5d3cdd6936ea6dbc51a2f53039e7468988988b82ef86a0be81d8dd9c38e51d

SHA512
1fd276797b4a8f80df9fc80fb87ba24c33cebac39487ccaf72960fe01dc00e678c54639962ff7c8a92f0ec28d8e864df14db069a1fde4d0825edff8c75b642d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
56937e9dba773c6f2ebbf59afdf8059a

SHA1
f0ae65789bfc793ee68563ef8b0000cdd3d773fb

SHA256
1887375d771eb2ed948088864ff1380da39f7230371f7d759ad22b392289b929

SHA512
503a6024f014d822f6aea70cd3b6fd9988452e8770481a72e254e2b09e69d4132b72093178a54c38070c99bef5c5427dae325bfbf687b4f80afb5fec27814168

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
25KB

MD5
7cb20fd636ec0e83c12db3b82a55f305

SHA1
8d2b15852fd921089cea5eefe0b27c1fe3c31538

SHA256
61de12bbc0992d50e766fc4b6f48c46cd28684e809d0f9da22185c856dd53e3d

SHA512
e236c9e879dfcf2bd66a825e310f67b1cbba5daa6bb84c2265d2dd24208b967a1769434299d5fd089799608fb9047d044635177c63f35d04372095c350a24c8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionstore.jsonlz4

Filesize
25KB

MD5
e8667fc0ac12df8670421b163cf05649

SHA1
28790ff33e77a4b9e684a6530bf982edde7d300b

SHA256
4ba01aa6791fc02dc96070c95109a2705553e41bdb87067ad47f78ec895eafe6

SHA512
128895d86c4229fe2e430574fe0c22f16ff52d0045d6a581a10dcc6404628ec5dd894817d704c6c9dc7bd410ab008f04e58e6a33aa4f27ea1368820dc79af8f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bah11ruo\CSCEEA43496173D4CFCB19D43B0C316ACBD.TMP

Filesize
652B

MD5
d6fe8f4242003b78b97be2e1534899db

SHA1
7b729edc0eafa18be64bf4862b7cad38d8209b98

SHA256
ce6a6c3b28012d458c43fffd4e7721a8ec25c7c2359445ee2b1f84c9b3172ee3

SHA512
2b231209214b8b6544b0f5398b35aee210096e71a7475db32c5318ab43e2f6cbfc68513bc8eaf3404766238d6a8ee58841f295fbf1aeb79bea9cd0c22c047de4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bah11ruo\bah11ruo.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bah11ruo\bah11ruo.cmdline

Filesize
369B

MD5
680ca6c579143e57e5f96f9e6d55b71c

SHA1
f3b6b830917c035649dcaba7df9295175bd0e930

SHA256
10f0fcfe0cbaf117e6b719b8fdc9f2b5d2b006711cd7770d0d907260f2868460

SHA512
589a6e6453c03c182cdba5ee127a0dc0de860d405dee650e539f088400e9f8cbaeafe9ddca6198fc44b8c76cc4f59b6979b274e5bc3304ecbab16fb7c660ff1b

Download Submit
memory/928-41-0x00000196BFB40000-0x00000196BFB50000-memory.dmp

Filesize
64KB

Download
memory/928-61-0x00007FF8487D0000-0x00007FF849291000-memory.dmp

Filesize
10.8MB

Download
memory/928-56-0x00000196BFB50000-0x00000196BFB58000-memory.dmp

Filesize
32KB

Download
memory/928-38-0x00007FF8487D0000-0x00007FF849291000-memory.dmp

Filesize
10.8MB

Download
memory/928-39-0x00000196BFB40000-0x00000196BFB50000-memory.dmp

Filesize
64KB

Download
memory/928-26-0x00000196BFBE0000-0x00000196BFC02000-memory.dmp

Filesize
136KB

Download
memory/1988-84-0x000001D37B120000-0x000001D37B130000-memory.dmp

Filesize
64KB

Download
memory/1988-73-0x000001D37B120000-0x000001D37B130000-memory.dmp

Filesize
64KB

Download
memory/1988-71-0x00007FF848680000-0x00007FF849141000-memory.dmp

Filesize
10.8MB

Download
memory/1988-72-0x000001D37B120000-0x000001D37B130000-memory.dmp

Filesize
64KB

Download
memory/1988-88-0x00007FF848680000-0x00007FF849141000-memory.dmp

Filesize
10.8MB

Download
memory/2088-69-0x00007FF8487D0000-0x00007FF849291000-memory.dmp

Filesize
10.8MB

Download
memory/2088-27-0x00007FF8487D0000-0x00007FF849291000-memory.dmp

Filesize
10.8MB

Download
memory/2088-43-0x00000157B1800000-0x00000157B1876000-memory.dmp

Filesize
472KB

Download
memory/2088-33-0x00000157987E0000-0x00000157987F0000-memory.dmp

Filesize
64KB

Download
memory/2088-40-0x00000157987E0000-0x00000157987F0000-memory.dmp

Filesize
64KB

Download
memory/2088-65-0x00000157B1780000-0x00000157B17A4000-memory.dmp

Filesize
144KB

Download
memory/2088-64-0x00000157B1780000-0x00000157B17AA000-memory.dmp

Filesize
168KB

Download
memory/2088-42-0x00000157B1730000-0x00000157B1774000-memory.dmp

Filesize
272KB

Download
memory/2128-167-0x000002CEBB5C0000-0x000002CEBB5D0000-memory.dmp

Filesize
64KB

Download
memory/2128-179-0x00007FF847100000-0x00007FF847BC1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-96-0x00007FF847100000-0x00007FF847BC1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-98-0x000002CEBB5C0000-0x000002CEBB5D0000-memory.dmp

Filesize
64KB

Download
memory/2128-97-0x000002CEBB5C0000-0x000002CEBB5D0000-memory.dmp

Filesize
64KB

Download