Analysis
max time kernel: 316s
max time network: 326s
platform: windows7_x64
resource: win7-20240419-es
resource tags: arch:x64, arch:x86, image:win7-20240419-es, locale:es-es, os:windows7-x64, system:windows
submitted: 07-05-2024 14:24
Static task: static1
Behavioral task: behavioral1
Sample: jigsaw.exe
Resource: win7-20240419-es

General
Target: jigsaw.exe
Size: 283KB
MD5: 2773e3dc59472296cb0024ba7715a64e
SHA1: 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256: 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512: 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
SSDEEP: 6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Malware Config
Signatures

Jigsaw Ransomware
Ransomware family first seen in 2016, named after the wallpaper that early versions set after infection.

Renames multiple (1980) files with added filename extension
This is the file-encryption phase of the ransomware. In this run the dropped copy drpbx.exe appends .fun to each victim filename (for example ca.txt becomes ca.txt.fun, see the Program Files IoCs below), so the original extension survives inside the new name. A count of 1980 renames within the analysis window is the strongest single indicator on this page.

Executes dropped EXE 1 IoCs
pid | Process
2896 | drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. The report lists no IoCs for this signature, so it cannot be tied to a specific process from this page alone.

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | jigsaw.exe
Both the value name and the target borrow Firefox's binary name, but the target sits in the user's roaming profile (AppData\Roaming\Frfx), a location any unprivileged user can write to, rather than under C:\Program Files\Mozilla Firefox where the real browser in this run is installed (see Processes). When hunting for this sample, check that Run value and path rather than searching for "firefox.exe" alone.
Drops file in Program Files directory 64 IoCs
Entries marked "File created" carry the appended .fun extension; entries marked "File opened for modification" are the originals drpbx.exe opened for writing. All 64 are attributed to the dropped copy, none to jigsaw.exe itself.
description | ioc | Process
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.fun | drpbx.exe
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveNewsletter.dotx.fun | drpbx.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar.fun | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar.fun | drpbx.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif.fun | drpbx.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png | drpbx.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv | drpbx.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar.fun | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar | drpbx.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf | drpbx.exe
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ProjectStatusReport.potx.fun | drpbx.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png | drpbx.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.fun | drpbx.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar | drpbx.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf | drpbx.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png | drpbx.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\gadget.xml | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.fun | drpbx.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\back_lrg.png | drpbx.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png | drpbx.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\gadget.xml | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.fun | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.fun | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar | drpbx.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js | drpbx.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png | drpbx.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png | drpbx.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png | drpbx.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\gadget.xml | drpbx.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar.fun | drpbx.exe
File created | C:\Program Files\7-Zip\Lang\ca.txt.fun | drpbx.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar | drpbx.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.fun | drpbx.exe
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml.fun | drpbx.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png | drpbx.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.fun | drpbx.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\init.js | drpbx.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.fun | drpbx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp | drpbx.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv | drpbx.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar.fun | drpbx.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar | drpbx.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js | drpbx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg | drpbx.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif.fun | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar | drpbx.exe
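The two behaviours above (the Run-key autostart that borrows Firefox's name, and the mass creation of files with .fun appended after the original extension) are the kind of thing a triage script should pick out of a sandbox event list automatically. The following is an added example written for this page, not code from the sandbox vendor or from the sample: it turns both observations into heuristics and runs them over events constructed to match the shapes printed in this report. The browser-name allow-list, the 50-file threshold, the function names and the padding documents are this example's own assumptions.

```python
"""Triage heuristics for two behaviours flagged in this report: a Run-key
autostart whose target lives in a user-writable profile path while borrowing a
browser's binary name, and a process that creates many files with one extra
extension appended after the original one (x.jar -> x.jar.fun).

Added example, not code from the sandbox or the sample. Event tuples below are
constructed to match the report's printed shapes; BROWSER_NAMES, the 50-file
threshold and the function names are this example's own choices."""
import re
from collections import Counter, defaultdict

# Binary names an autostart entry might borrow to blend in (assumption: a short
# list is enough for a demonstration; a production rule would be broader).
BROWSER_NAMES = ("firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe")

# Autostart value under any HKCU hive, as the sandbox prints the key path.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Paths an unprivileged user can write to; Program Files is excluded on purpose.
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def check_run_key(reg_events):
    """reg_events: iterable of (key_path, value_data, process).
    Returns [(process, value_name, target_path, reason)] for suspicious entries."""
    findings = []
    for key, data, proc in reg_events:
        m = RUN_KEY_RE.search(key)
        if not m:
            continue
        value_name = m.group(1).lower()
        target = data.strip('"')
        if not USER_WRITABLE_RE.match(target):
            continue
        reason = "autostart from user-writable path"
        if value_name in BROWSER_NAMES or target.lower().endswith(BROWSER_NAMES):
            reason += ", masquerading as a browser binary"
        findings.append((proc, value_name, target, reason))
    return findings


def infer_appended_extensions(file_events, min_files=50):
    """file_events: iterable of (operation, path, process).
    Counts 'File created' events per process whose filename has at least two
    extensions, keyed on the last one, and returns {process: (ext, count)} for
    processes at or above min_files. Ransomware that appends a marker to the
    original name dominates this table with a single extension."""
    per_process = defaultdict(Counter)
    for op, path, proc in file_events:
        if op != "File created":
            continue
        name = path.rsplit("\\", 1)[-1]
        parts = name.split(".")
        if len(parts) >= 3:  # stem, original extension, appended extension
            per_process[proc]["." + parts[-1].lower()] += 1
    result = {}
    for proc, counter in per_process.items():
        ext, n = counter.most_common(1)[0]
        if n >= min_files:
            result[proc] = (ext, n)
    return result


def triage(reg_events, file_events):
    """Combine both checks into one verdict dictionary."""
    persistence = check_run_key(reg_events)
    renames = infer_appended_extensions(file_events)
    if persistence and renames:
        verdict = "likely ransomware with autostart persistence"
    elif renames:
        verdict = "likely ransomware"
    elif persistence:
        verdict = "autostart persistence only"
    else:
        verdict = "no findings"
    return {"persistence": persistence, "mass_rename": renames, "verdict": verdict}


# Constructed sample events (shapes copied from the report, contents abridged).
SID = r"\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000"
SAMPLE_REG_EVENTS = [
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe",
     r'"C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe"', "jigsaw.exe"),
    # Benign control entry (constructed): same key, target under Program Files.
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar",
     r'"C:\Program Files\Windows Sidebar\sidebar.exe"', "explorer.exe"),
]
SAMPLE_FILE_EVENTS = [
    ("File opened for modification", r"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png", "drpbx.exe"),
    ("File created", r"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.fun", "drpbx.exe"),
    ("File created", r"C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveNewsletter.dotx.fun", "drpbx.exe"),
    ("File created", r"C:\Program Files\7-Zip\Lang\ca.txt.fun", "drpbx.exe"),
    ("File created", r"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml.fun", "drpbx.exe"),
    ("File created", r"C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar.fun", "drpbx.exe"),
    # A browser writing its own profile files must not trip the rule.
    ("File created", r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\datareporting\glean\db\data.safe.bin", "firefox.exe"),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\sessionstore-backups\recovery.jsonlz4", "firefox.exe"),
]
# Pad the ransomware side with constructed user documents to reach a realistic volume.
SAMPLE_FILE_EVENTS += [
    ("File created", r"C:\Users\Admin\Documents\report" + str(i) + ".docx.fun", "drpbx.exe")
    for i in range(60)
]

if __name__ == "__main__":
    print(triage(SAMPLE_REG_EVENTS, SAMPLE_FILE_EVENTS))
```

The threshold matters: with min_files=1 the browser's data.safe.bin would also surface as a ".bin" appender, which is why the rule keys on volume per process rather than on any single triple-extension name. Feeding it a real sandbox export means mapping that export's columns onto the (operation, path, process) and (key, data, process) tuples used here.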
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Caveat: the firefox.exe here is PID 2132, the stock browser started from C:\Program Files\Mozilla Firefox (see Processes), not the sample and not the Run-key copy under AppData\Roaming\Frfx. Reading CentralProcessor\0 is routine for a browser, so this signature is not evidence of sandbox evasion by jigsaw.exe or drpbx.exe.

Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings | firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2132 | firefox.exe
Token: SeDebugPrivilege | 2132 | firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs
pid | Process
2132 | firefox.exe
2132 | firefox.exe
2132 | firefox.exe
2132 | firefox.exe
2896 | drpbx.exe
2132 | firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
2132 | firefox.exe
2132 | firefox.exe
2132 | firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are collapsed; the count of rows in the original table is given at the end of each line.
description | pid | Process | procid_target
PID 2492 wrote to memory of 2896 | 2492 | jigsaw.exe | 28 (3 rows)
PID 1068 wrote to memory of 2132 | 1068 | firefox.exe | 32 (12 rows)
PID 2132 wrote to memory of 1764 | 2132 | firefox.exe | 33 (3 rows)
PID 2132 wrote to memory of 1108 | 2132 | firefox.exe | 34 (44 rows)
PID 2132 wrote to memory of 1232 | 2132 | firefox.exe | 35 (2 rows)
The only cross-process writes by the sample are jigsaw.exe (2492) into its freshly launched child drpbx.exe (2896), which is what a parent does when starting a process. The remaining 61 rows are the browser parent 2132 writing into its own gpu (1764), socket (1108) and tab (1232) content processes, and 1068 writing into 2132; see the command lines under Processes. Do not read the firefox.exe rows as injection by the sample.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Only the first tree (jigsaw.exe and its child drpbx.exe) belongs to the sample. The Firefox tree, explorer.exe and mshta.exe are separate top-level roots with no parent link to the sample in this report.

C:\Users\Admin\AppData\Local\Temp\jigsaw.exe  (PID 2492)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe  (PID 2896, child of 2492)
      cmdline: "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      The dropped copy receives the original sample's path as its only argument, and a 283KB file with the sample's exact hashes is listed under Downloads, so drpbx.exe is a byte-identical copy of jigsaw.exe rather than a second-stage payload.

C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1068)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2132, child of 1068)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1764, gpu process)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.0.272367135\641889467" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1112 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07971079-730c-4815-bb72-f42d4c1dbbdf} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 1344 108efa58 gpu
        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1108, socket process)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.1.438571863\1899403457" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d026ca7-412f-4746-a900-c7d35bca9376} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 1544 f330e58 socket
        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1232, tab, childID 1)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.2.1602424906\508047948" -childID 1 -isForBrowser -prefsHandle 2216 -prefMapHandle 2212 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c71c75d-c92a-4f32-9b4b-061cc1fdd5fe} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 2228 1a4a5158 tab
        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2868, tab, childID 2)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.3.1844329694\471859856" -childID 2 -isForBrowser -prefsHandle 2832 -prefMapHandle 2828 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce65ff36-688b-4073-b086-c086c3d4f8e0} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 2844 e2e458 tab
        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2572, tab, childID 3)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.4.1150645732\1151894219" -childID 3 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84168579-0ba3-4722-8a9c-d9afe214d63f} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 3004 1ce0b258 tab
        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 736, tab, childID 4)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.5.846576356\837687997" -childID 4 -isForBrowser -prefsHandle 3780 -prefMapHandle 3784 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {458f9744-7927-464f-bb8c-1053bd9be615} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 3796 1e6bfb58 tab
        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 564, tab, childID 5)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.6.1692879595\2112804793" -childID 5 -isForBrowser -prefsHandle 3920 -prefMapHandle 3924 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e5a3cfa-be19-49ec-8018-bf5966c86019} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 3912 1e6bdd58 tab
        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1660, tab, childID 6)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.7.552649636\1439248047" -childID 6 -isForBrowser -prefsHandle 4088 -prefMapHandle 4092 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8828f766-cf1e-403d-b9bf-780f65a86edf} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 4080 1e6bd158 tab
        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1836, tab, childID 7)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.8.1796327085\678786896" -childID 7 -isForBrowser -prefsHandle 4448 -prefMapHandle 4444 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebc03f1f-cbff-4510-a1b1-90ccada8dbf7} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 4460 22ab3558 tab

C:\Windows\explorer.exe  (PID 2644)
  cmdline: "C:\Windows\explorer.exe"

C:\Windows\SysWOW64\mshta.exe  (PID 2652)
  cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\PushWatch.hta"
  - Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run. Entries without a path are listed as the report shows them; the 283KB entry carries exactly the hashes of the submitted jigsaw.exe, so it is the copy the sample wrote to disk (drpbx.exe in the process tree). The Firefox profile files are written by the browser's own processes.

(path not recorded)
Filesize: 160B
MD5: 580ee0344b7da2786da6a433a1e84893
SHA1: 60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA256: 98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512: 356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

(path not recorded; hashes identical to the submitted jigsaw.exe)
Filesize: 283KB
MD5: 2773e3dc59472296cb0024ba7715a64e
SHA1: 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256: 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512: 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ty9peokp.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 23KB
MD5: 81e167a7f1b6fd71051483b1cb60f591
SHA1: 3dcb21ba0be8ac8c603b3c3512fc48b982238f59
SHA256: e88e08f2b7fb0e3173afa0a2f9786c62eac7bb0514151f1e697a316ca8c43125
SHA512: 436a7f99fd48fd54980565c61add109635a3d1768705c25b9042456e32b6057f330626b9893f74100ecd3b126214bc70c9d64533169e5ed531e10d829d68fe6d

(path not recorded)
Filesize: 442KB
MD5: 85430baed3398695717b0263807cf97c
SHA1: fffbee923cea216f50fce5d54219a188a5100f41
SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

(path not recorded)
Filesize: 8.0MB
MD5: a01c5ecd6108350ae23d2cddf0e77c17
SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

(path not recorded)
Filesize: 16B
MD5: 8ebcc5ca5ac09a09376801ecdd6f3792
SHA1: 81187142b138e0245d5d0bc511f7c46c30df3e14
SHA256: 619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512: cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize: 7KB
MD5: 16c7e4169e502943e1a32fec667f7311
SHA1: 112d86825f711d5bbb5ffe7570102e9ab2771f04
SHA256: 548e96165962c6d9034c4b09cd1b28c2c8f6c8a7327bf1d3cbf981759f42f8af
SHA512: 6f2cf6cf9f722740ef1fa3c1341f4213c57fa478d15a972e7a9c30fbed654ce9290cbcc6552efabeec756a673fb9211617f436fb820e2c78edf8e3d16b9dcbda

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\datareporting\glean\db\data.safe.bin
Filesize: 2KB
MD5: 2ba6f3beb4ddd02b74b3ee9b67934334
SHA1: 40b545cff4d2d1969956597e5bddc346492d6eab
SHA256: 8da257b7e31b90fe14c3e913295908678b61af98fb4193eac512212abdd8a17d
SHA512: 1a8f7292949cf96739c81357a2b690b82963f987e969e39e4de403c49ddc621b93c0826b54ff60021e01321d8d065d19132fc0965c237d49cfbbd6ec34999d27

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\datareporting\glean\pending_pings\9347d68f-c599-480a-9c71-35152257cca6
Filesize: 745B
MD5: 62f50f88a97a4fe91698b33846796cda
SHA1: bcac09f3cc8393742518e8934587a607b158385b
SHA256: f74fbddb40b7567ba1224c75ff25ba07f557f449daace8bc53fa6e8ad7140347
SHA512: 94725f41ec2934f071bda40a23b71fee6c258308287d4ebdf86b6035fd1d589e8609c49e64451fbeca35c1a272568d5eb7e32e5557f287ae5115cd34d83e18bc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\datareporting\glean\pending_pings\e6e5a51c-36d7-46b2-ac29-189a32ec2d42
Filesize: 11KB
MD5: 846d9ab14c0a4225214950e5975656bb
SHA1: cb516fe50b0d1304f1e1c288b3fb5396f4a8d98e
SHA256: e2a49f955fa31d361ebdec0ef568784e9a55da4e535fe5f7d8146f0b61ccab9c
SHA512: ba2075500c5f33a180507c0f36b3cab98f7c2c30c6beffcb22ddf13b6b5cc763632963b4b60ce2ae6008e30a80ff4b95dc4185c443486b26f09d607eefda561b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize: 997KB
MD5: fe3355639648c417e8307c6d051e3e37
SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize: 116B
MD5: 3d33cdc0b3d281e67dd52e14435dd04f
SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize: 479B
MD5: 49ddb419d96dceb9069018535fb2e2fc
SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

(path not recorded)
Filesize: 6KB
MD5: ac67577dd70b5e15d875bf242882dfc0
SHA1: d31d50b441630f61fd0f8147d4a12d42b2bef194
SHA256: 203ad552f8714394e51f3fb230a1c596de88a79e84fd82e6a80caf9583ed6898
SHA512: 01571fe4d93168af6e6bd83bb298b827f1d9ec7da7178756a70e69cada1c0f6aa798760a06543e070ef4af96bd4e632b8c9ec0a1a44ea11bbca73ff53501bd98

(path not recorded)
Filesize: 7KB
MD5: 6a46607b9c96cf58e74c296621cad279
SHA1: 81f09e7d82386bf0206ef1213c8223ffbccb28ea
SHA256: 1f53b66e4171cb886bd61c76eafdc7703b82825dad056d302d8c7a2512cad544
SHA512: cfcc264ea2b9a23e5875c78c494ccf80e4e7ea02648aa3e9620f19256527a6cd27a84050bf364209a9d3cd1e22fd22c4a33678cfbff67f0f960f633cdf957230

(path not recorded)
Filesize: 6KB
MD5: 91bbd291d5a3caef848ca06edd2c11a8
SHA1: 104dd411972cb6109c52a8e90694a2c7b0797146
SHA256: 504b9bbc99c616c6f7ad1f3a3448997c005f841f6adfa8209e5f14ed27bb1f9c
SHA512: 8a701b4dbbd7a0955508927c59355f68912f51cbdf154f98bfd07a382006de1d162b8d24f492ecdb965aab6c26308ea4bea8921b1941dd8fb1bfc123c1774195

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\sessionstore-backups\recovery.jsonlz4
(four successive snapshots of the same session-restore file; each has different contents and hashes)
Filesize: 3KB
MD5: 1d6273e19590a9b60a25cc3a11c609ac
SHA1: 046f70878b8bef8b194a2e91504025ad9aab9279
SHA256: 473596d08d0345c7b34b185d91b32150cf576511d72d47fde55e2921e996ecb7
SHA512: e8847263b188df2ca2611e81814b8f77eb6457cb000ac1d9030113c818da3853187e5c5d60d5d3d6e4e7a6376f7857ce3a4658bf8a467e66b2a1e52ba64c44bc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: e950d032691f83cb50a58863cff74405
SHA1: 0d3302e80e36a6c6f8356f480faf2dea4cb1cd94
SHA256: 2530b1cb0503e78e63efedd65d7dc755e1089e47494724f9337aad18d81230ab
SHA512: 6f5de069ada9f7c9400d428a218f2b75ee4274128d8db4da73bd6e828debde0942b720fbe2e4f9620919f9e8fac8638341794a37d8cec88a263f4ba741ed5ccf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: ab746ee2fe41a7e988c653e7302e37c1
SHA1: 79c1e8b0afd2fb6502b7624747fa8c343fd91701
SHA256: 699b570c972d226f035226a04ddcdfb7044403d14d9fe2d50298ab2675297c84
SHA512: 297fae1004beccdd4d58653a159081a5c0521edb39980637db294fc14b9c1196f0ca2106a157fc13b33029bb1b565e0241e1da58902ad0d9907c31c1ae4402e2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: def694e12363fbfa0dcf772696f7c5fe
SHA1: 384af7208d0389f22b6cdb7b4a18ba09a43ba2a2
SHA256: 05ce340f29a99ed82377da33f464ad76abe9bebf5719ee16336f951e13addfc0
SHA512: 93c7c319e6d1723e1d90c0918a37b73003acaa987f535eaec7635abee145d51d4eb84448c2725e67d4376a0cd490939e6be7ff05e3170f46fd6c0e51998abaab