Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-06-2024 13:03
Behavioral task behavioral1: sample unpacked_nyxia external.exe, resource win7-20240419-en
Behavioral task behavioral2: sample unpacked_nyxia external.exe, resource win10v2004-20240508-en
The signatures, process tree and dropped files below are from behavioral2 (the Windows 10 run).
General
Target: unpacked_nyxia external.exe
Size: 9.0MB
MD5: 344f9089ce3473e3663fed11c26030e6
SHA1: 8b717176121901ee47630226e29c73bbfa0fbbbb
SHA256: da76319054ad7b1c8fc699e3c76a502fa3f8bef7e163246fc458c4b85e0a9791
SHA512: b9659452acc18c26ae196d214cf9e7f5ab5e7de9fc2527b3df1de1923bf54e936eb86f57b753dace1ab8a07a82d9ff9713a6739dd50c3466ac32a68cd365bd7b
SSDEEP: 98304:8OHkDlYCYqhMDF1pTVEypn0l2sD8ypGOV0sPuvpsSIaM50tZjlBtB4I:8RYpqkTVEsnuBVnPEsL6jPA
Malware Config
Signatures
YARA match: themida 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/216-0-0x00007FF7010C0000-0x00007FF7019C3000-memory.dmp | themida
behavioral2/memory/216-14-0x00007FF7010C0000-0x00007FF7019C3000-memory.dmp | themida
Both matches are memory dumps of PID 216, the sample itself, over the same 0x00007FF7010C0000-0x00007FF7019C3000 range. This is the only signature attributed to the sample. Every signature that follows is attributed to taskmgr.exe or firefox.exe, which the Processes section lists at depth 1, that is, as top-level processes rather than children of the sample, so they should not be read as behaviour of unpacked_nyxia external.exe without further evidence.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
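The two registry signatures above (the SCSI enumeration keys read by taskmgr.exe and the CentralProcessor values read by firefox.exe) are the reads that sandbox-evasion code uses to fingerprint a virtual machine: a hypervisor's disk usually announces itself in the SCSI vendor/product string, and the CPU name or ~Mhz value gives the game away on a throttled guest. The Python below is an added example, not part of this report and not code from the sample. It parses event lines in the report's own "Key value queried <key> <process>" form, tags each read as a SCSI or CPU fingerprint, pulls the vendor/product pair out of the SCSI device-instance path and checks it against a list of hypervisor markers. The marker list, the function names and the classification labels are the example's own assumptions; the event lines are copied from the two tables above. Note that the disk in this environment reports Ven_DADY / Prod_HARDDISK, which matches none of the common hypervisor strings.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Vendor/product substrings that hypervisor-backed disks commonly expose.
# Constructed list for this example; extend it from your own fleet data.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN", "KVM", "MSFT")

ACTIONS = ("Key value queried", "Key opened", "Key created")
# Captures the device-instance segment after \Enum\SCSI\, e.g. Disk&Ven_DADY&Prod_HARDDISK
SCSI_ID_RE = re.compile(r"\\Enum\\SCSI\\([^\\]+)", re.IGNORECASE)


@dataclass(frozen=True)
class RegistryEvent:
    action: str
    key: str
    process: str


def parse_event(line: str) -> RegistryEvent:
    """Parse one report line of the form '<action> <key path> <process.exe>'.

    The key path may itself contain spaces ('Update Signature'), so the
    process name is taken as the last whitespace-separated token.
    """
    line = line.strip()
    for action in ACTIONS:
        if line.startswith(action + " "):
            key, _, process = line[len(action):].strip().rpartition(" ")
            if not key or not process:
                raise ValueError(f"malformed event: {line!r}")
            return RegistryEvent(action, key, process)
    raise ValueError(f"unknown action: {line!r}")


def scsi_identity(key: str):
    """Return (vendor, product) from a SCSI enum device path, or None."""
    m = SCSI_ID_RE.search(key)
    if not m:
        return None
    # 'Disk&Ven_DADY&Prod_HARDDISK' -> {'Ven': 'DADY', 'Prod': 'HARDDISK'}
    fields = dict(f.split("_", 1) for f in m.group(1).split("&") if "_" in f)
    return fields.get("Ven", ""), fields.get("Prod", "")


def looks_like_vm(vendor: str, product: str) -> bool:
    """True if the disk identity carries a well-known hypervisor marker."""
    text = f"{vendor} {product}".upper()
    return any(marker in text for marker in VM_MARKERS)


def category(key: str) -> str:
    """Label a registry path by the fingerprinting family it belongs to."""
    k = key.upper()
    if "\\ENUM\\SCSI\\" in k:
        return "scsi-fingerprint"
    if "\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\" in k:
        return "cpu-fingerprint"
    return "other"


def summarize(lines):
    """Count fingerprint reads per process and collect the SCSI identities seen."""
    per_process = defaultdict(Counter)
    identities = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        per_process[ev.process][category(ev.key)] += 1
        ident = scsi_identity(ev.key)
        if ident:
            identities.add(ident)
    return {p: dict(c) for p, c in per_process.items()}, identities


# Event lines copied from the report's two signature tables.
REPORT_EVENTS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
""".strip().splitlines()

if __name__ == "__main__":
    counts, idents = summarize(REPORT_EVENTS)
    print(counts)
    for ven, prod in sorted(idents):
        print(ven, prod, "VM marker" if looks_like_vm(ven, prod) else "no VM marker")
```

Run against a report's registry tables it tells you which processes touched fingerprint keys and how the disk presents itself; the pattern worth chasing is a sample that queries FriendlyName or ProcessorNameString and then exits or changes course, and the vendor check shows why a guest whose disk reports an unremarkable vendor string survives that read.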
Modifies registry class 2 IoCs
Processes: taskmgr.exe, firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: taskmgr.exe
pid | process
3044 | taskmgr.exe (all 64 listed entries are this one process)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: taskmgr.exe
pid | process
3044 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: taskmgr.exe, firefox.exe
description | pid | process
Token: SeDebugPrivilege | 3044 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3044 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3044 | taskmgr.exe
Token: SeDebugPrivilege | 1460 | firefox.exe
Token: SeDebugPrivilege | 1460 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: taskmgr.exe, firefox.exe
pid | process
3044 | taskmgr.exe (the large majority of the 64 listed entries)
1460 | firefox.exe (the remainder)
Suspicious use of SendNotifyMessage 64 IoCs
Processes: taskmgr.exe, firefox.exe
pid | process
3044 | taskmgr.exe (the large majority of the 64 listed entries)
1460 | firefox.exe (the remainder)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: firefox.exe
pid | process
1460 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: firefox.exe, firefox.exe
description | pid | process | target process
PID 1304 wrote to memory of 1460 | 1304 | firefox.exe | firefox.exe
PID 1460 wrote to memory of 2524 | 1460 | firefox.exe | firefox.exe
PID 1460 wrote to memory of 3940 | 1460 | firefox.exe | firefox.exe
The 64 listed entries are these three writer/target pairs repeated: 1304 to 1460 first, then 1460 to 2524 for the bulk of the list, then 1460 to 3940.
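The 64 WriteProcessMemory entries above collapse to three writer/target pairs, every one of them firefox.exe writing into a firefox.exe process that it spawned (1304 is the parent of 1460, and 1460 is the parent of 2524 and 3940 in the Processes section). That is how the browser hands bootstrap data to its content processes; the same API call from one unrelated process into another, or from a parent into a child with a different image, is what process injection looks like. The Python below is an added example and not code from this report: it parses lines in the report's "PID <writer> wrote to memory of <target> ..." form, resolves both PIDs against the process tree as listed in the Processes section, and labels each write by whether the target is the writer's own same-image child. The labels, the function names and the dropper.exe/explorer.exe control case are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One report line: "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 .+$")


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]  # None for top-level entries in the tree


def build_tree(procs: Iterable[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def parse_write(line: str) -> Tuple[int, int]:
    """Return (writer_pid, target_pid) from one WriteProcessMemory event line."""
    m = WRITE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed event: {line!r}")
    return int(m.group(1)), int(m.group(2))


def classify(writer: int, target: int, tree: Dict[int, Proc]) -> str:
    """Label a write by the relationship between writer and target.

    A parent writing into a child it spawned from the same image is what
    browsers do when they launch content processes; everything else is worth
    a closer look.
    """
    w, t = tree.get(writer), tree.get(target)
    if w is None or t is None:
        return "unknown-process"
    same_image = w.image.lower() == t.image.lower()
    if t.parent == writer:
        return "parent-to-child-same-image" if same_image else "parent-to-child-cross-image"
    return "same-image-unrelated" if same_image else "cross-process-injection-candidate"


def triage_writes(lines: Iterable[str], tree: Dict[int, Proc]) -> Counter:
    """Collapse repeated event lines into (writer, target, label) counts."""
    out: Counter = Counter()
    for line in lines:
        if line.strip():
            writer, target = parse_write(line)
            out[(writer, target, classify(writer, target, tree))] += 1
    return out


def suspicious_writes(lines, tree) -> List[Tuple[int, int, str]]:
    """Only the pairs that are not a parent writing into its own same-image child."""
    return sorted(k for k in triage_writes(lines, tree) if k[2] != "parent-to-child-same-image")


# Process tree as listed in the report's Processes section: depth-1 entries
# have no parent, firefox.exe 1460 hangs off 1304, the content processes off 1460.
REPORT_TREE = build_tree([
    Proc(216, "unpacked_nyxia external.exe", None),
    Proc(3044, "taskmgr.exe", None),
    Proc(4880, "rundll32.exe", None),
    Proc(4612, "cwwwvr.exe", None),
    Proc(1304, "firefox.exe", None),
    Proc(1460, "firefox.exe", 1304),
    *[Proc(pid, "firefox.exe", 1460) for pid in
      (2524, 3940, 1508, 1992, 772, 668, 776, 5360, 5816, 5824, 5932, 5940, 5860, 5876)],
])

# The three distinct writer/target pairs the report lists (each repeated many times there).
REPORT_WRITES = [
    "PID 1304 wrote to memory of 1460 1304 firefox.exe firefox.exe",
    "PID 1460 wrote to memory of 2524 1460 firefox.exe firefox.exe",
    "PID 1460 wrote to memory of 3940 1460 firefox.exe firefox.exe",
]

# Constructed control case, not from the report: two unrelated top-level
# processes with different images, which the classifier should surface.
CONSTRUCTED_TREE = build_tree([Proc(9001, "dropper.exe", None), Proc(9002, "explorer.exe", None)])
CONSTRUCTED_WRITES = ["PID 9001 wrote to memory of 9002 9001 dropper.exe explorer.exe"]

if __name__ == "__main__":
    print(triage_writes(REPORT_WRITES, REPORT_TREE))
    print(suspicious_writes(REPORT_WRITES, REPORT_TREE))
    print(suspicious_writes(CONSTRUCTED_WRITES, CONSTRUCTED_TREE))
```

The tree is the part that matters: the event line alone says "firefox.exe wrote into firefox.exe", which is also what a hollowed or injected browser would produce, and only the parent link separates the two cases. Feed it the whole process section rather than just the writer and target so that grandparent writes (1304 into 2524, say) are surfaced as "same-image-unrelated" rather than lost.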
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\unpacked_nyxia external.exe  PID 216
    command line: "C:\Users\Admin\AppData\Local\Temp\unpacked_nyxia external.exe"
[depth 1] C:\Windows\system32\taskmgr.exe
    command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
    PID 3044
[depth 1] C:\Windows\System32\rundll32.exe  PID 4880
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[depth 1] C:\Windows\System32\cwwwvr.exe  PID 4612
    command line: "C:\Windows\System32\cwwwvr.exe"
[depth 1] C:\Program Files\Mozilla Firefox\firefox.exe
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    PID 1304
    [depth 2] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
        PID 1460
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 2524
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.0.1618279138\1995101521" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83874f03-3d5f-491f-9bdb-19863959a989} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 1868 1be66822e58 gpu
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 3940
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.1.1931682563\1678739816" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16c067bc-2ae0-4ce9-8399-8be15ec0af0a} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 2436 1be59a8a558 socket
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 1508
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.2.1845451549\208478995" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f184afe2-c424-406a-b71a-d285f86ff6b9} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 2988 1be691fa358 tab
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 1992
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.3.2102059623\220229722" -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb4ebc52-c126-410f-afc8-148df1314fbe} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 3688 1be6b2fb658 tab
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 772
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.4.598180449\890486150" -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5348 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac06749d-8708-421e-ad6a-4bbfefa135a1} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 5316 1be59a81c58 tab
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 668
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.5.773538758\1349275086" -childID 4 -isForBrowser -prefsHandle 5308 -prefMapHandle 5304 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91538610-234c-4a87-a09f-c9700bb5a099} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 5352 1be6d267b58 tab
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 776
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.6.849896036\314512441" -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5704 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4376c2c1-e5b0-4ba5-9662-663942e18850} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 5468 1be6e849d58 tab
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 5360
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.7.1315622181\369309634" -childID 6 -isForBrowser -prefsHandle 6036 -prefMapHandle 6004 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d730604-8d48-46d7-8d92-ddd0adfa9aea} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 5988 1be6f817758 tab
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 5816
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.8.432312358\1425516546" -parentBuildID 20230214051806 -prefsHandle 6340 -prefMapHandle 6336 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef79670e-c7f8-4242-8f8d-9f587dbf8b31} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 6328 1be7022f358 rdd
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 5824
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.9.1298753175\1158212471" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6352 -prefMapHandle 6348 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f6188ba-c021-48ca-954c-7032959f8be8} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 6360 1be7022ed58 utility
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 5932
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.10.1902932865\1831675887" -childID 7 -isForBrowser -prefsHandle 6688 -prefMapHandle 6644 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {414e36c3-e725-466f-bd7e-9bfb928d81a0} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 6708 1be70489058 tab
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 5940
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.11.618048745\110735992" -childID 8 -isForBrowser -prefsHandle 6844 -prefMapHandle 6848 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81e925c5-f088-4ef2-ace5-a64aad6807b1} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 6832 1be70489958 tab
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 5860
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.12.1087155778\1034340124" -childID 9 -isForBrowser -prefsHandle 9272 -prefMapHandle 9276 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a1aa05b-6cdb-4f6c-b9ae-4d49df3a696f} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 10616 1be69152e58 tab
        [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  PID 5876
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.13.905353234\1328801006" -childID 10 -isForBrowser -prefsHandle 10580 -prefMapHandle 10584 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a92be190-c552-4bc8-b5b3-cfda97a59d9a} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 10576 1be65824058 tab
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
  Filesize 30KB
  MD5 ca1b1d624e53b11b79f73ea62b9a630d
  SHA1 3f950fd5cae61781b711d8af6382505fc5fda237
  SHA256 7f081c3c6947a24ebefa41a535cf3c15d6f4dc95078c5c71828e1e33f1f94924
  SHA512 fd23540fffa846707b72d196fc5c0523991096e93cd114820f9e6734d7bd06e0513822ce6a4bfda7c9afc4d4e379871518bd825bbd0b322e1f322f654fd7ac39
(no path recorded for this entry)
  Filesize 15KB
  MD5 b41020485dd72007dc5f7d9f0b7743ae
  SHA1 5c98124701eb61810143cb9257d4d7dbf3fa4b34
  SHA256 2e09bccce0f0b181ac6a5f85f37115a9da3852be60723c9077c6a70c5292f882
  SHA512 431b00df62ae2cc2bb1d9e07106b4b63e5bc7fd4ab7a92564ca7da6f9175e932c6f231b7b40432173a17642ef05ce819f20ca96a7943257721b079b3b35ab374
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263
  Filesize 13KB
  MD5 799977b715bf2e910364ee4306d181f9
  SHA1 483d5b3cf8f427fca053f32fe9211c51d23e3ee5
  SHA256 003914ce614d50c9f3583a8f9fa1ef2cf64a5729494d7556f96b4bea7af44cf3
  SHA512 d6719043bcfa824e38f3028c880763e99bdbdc2832fa9044a7fcd8fd0f5cc6d530adfe0263fa2abe122109b83ffd965a0af325782100b5792b5b762986ff8527
(no path recorded for this entry)
  Filesize 442KB
  MD5 85430baed3398695717b0263807cf97c
  SHA1 fffbee923cea216f50fce5d54219a188a5100f41
  SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
(no path recorded for this entry)
  Filesize 8.0MB
  MD5 a01c5ecd6108350ae23d2cddf0e77c17
  SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize 997KB
  MD5 fe3355639648c417e8307c6d051e3e37
  SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize 116B
  MD5 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize 479B
  MD5 49ddb419d96dceb9069018535fb2e2fc
  SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize 372B
  MD5 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize 11.8MB
  MD5 33bf7b0439480effb9fb212efce87b13
  SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize 1KB
  MD5 688bed3676d2104e7f17ae1cd2c59404
  SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize 1KB
  MD5 937326fead5fd401f6cca9118bd9ade9
  SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
(no path recorded for this entry)
  Filesize 7KB
  MD5 6e1dd3b254cc3ba54724fba7a72e482e
  SHA1 32b3de9fdcedf90bf8764db9836f92c3d49f6ce4
  SHA256 f1e939d8bd17733c1124c805cee7394e8b580c950c289fbe71cf4ebcccbdc8d8
  SHA512 003bf4c8d096c1ba87cbe1789aa5d427169de7f733f636788e354b6807f7ffd9afea2d36f28337870faaab177dd98d17ef4ce747c5ef1743051ec78bb5922d88
(no path recorded for this entry)
  Filesize 9KB
  MD5 00da74decc3322f7bae24787b2f97eb5
  SHA1 d84423c0fd5afc6b6349371b32d7aa4116373c6b
  SHA256 a07f0df5480c2fec504033108b5b69b6a4ec113a69ed5deca4b772971dd613e3
  SHA512 b25fcac385cad3bfc651817837253654b8b5a709b684d474f4b18d9e53cf0bfacce517d4c6d13072f74639f03aa056b223d760f5b9c519fb31590890b54b3459
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 3KB
  MD5 7aa96de8048526d39d9d9a9f60adbca2
  SHA1 653ddda84e3eb74c7f52c6128eabdc9f583af4a4
  SHA256 3e6cc18513468ab0323a223f6f344bce287457c1ac036c1b4fd2b7d04629bcbc
  SHA512 4ce5ea7be287f3f3ae5291c033a544b12330f13f7c581808f493995a88d602dba14a77400e603a147a12ff61cfa2c049467eb4ba02c38b363d3dbf9ea043dccd
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 3KB
  MD5 cb72f171572bb08af28f2d57e0bd1384
  SHA1 68767f87787bcfc6ddd3441e21c284e7874c5d1b
  SHA256 a7ce3f789cb25b417f94ea72c6920c41a767571837a514eed93cd873e02ce434
  SHA512 4c80b051b5c1114c3ce21946d5e3878021f1cbc7beb0dd06006c5ae27bd478d5dcabdaab263df524606fb889a79fc7330090646f6860f2566b3a8b0a0ba70ec1
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 3KB
  MD5 faba4ef6697889bb782ba3ed9fa4a657
  SHA1 6d5c8f5b13d02351584998eb1df2955250f79890
  SHA256 d67e4d98ff250089e29b13dfe9cdbc54f6f5324ea5718b7fbe0f74110b740258
  SHA512 d1b2aac3ff12eb077a600ab5c8a3038d43752fe1b444ec3f774a538d889d8469eeed1ef83f01e38377857ab4dd7a5f61b5a58db6a518aa0d4b5d8e66232ac4a5
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 3KB
  MD5 03d00727fc17f5fc32eabefc84cafd19
  SHA1 b74fd51878d42f3a8b351e8c85def0f30a85f509
  SHA256 c4700134b17017830da18d91154a7c29129a92c4ceb2161d0a6d20cc9275db5a
  SHA512 9fe1a161ee6e36259da6d05b7c490049ed5ac5616549d7481aa837a61c6516c67921c629c3dc782ab179c5ff6054ed6394f7613454404e4d4bb2be2044bc03d3
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 4KB
  MD5 f497a6882bea63ad7c3e9a58fbffe954
  SHA1 a65b515d72a2b5e71dcbf0b9be6fdeba4ad81c32
  SHA256 f445fff96ae707e0eed3bad565817df776f45ff82465f5a6adafab582e9a065b
  SHA512 d1d8d7a0b3e06686795486d2d6bde1d6baa00438c6ae1e939225a7046a35f3763d68bf3547b9253cb75c90a7f30514837c8ae1bcfad620f6d74543e9f583ee0e
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 2KB
  MD5 498dc09b73716563be2cc9ba36734812
  SHA1 a21c00b08e879849dc76da3fa835d4151a00d725
  SHA256 1bb25345b8a2db87536f59f01d07372ff76caac7c7cf718c88330f4c96660adb
  SHA512 66c832215124cfb176d04777b5f78fca4a368f10043d1ef56d6a112b3948d4f876d4cacfd4aced466352e0626e155ff4ea171aa147360bef58016e300119bcd3
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 3KB
  MD5 d21f7457c41e0fa8a31b4e7cb0a1ecce
  SHA1 59b44b834b9bdfd190cc224f7f766e2ee31de9e9
  SHA256 070af4db420713ff3554551e72ae7ea370d1ba8dab912380b14b266e30df3270
  SHA512 d5fd0defd5118dedbd63005014e3787fb560da9019e9a7fe18a271bba29dd1fafa357d1a210fee5b893db57854f9516a1a1233d820fd5342bb1f4cc8d5d1e9f4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\storage\default\https+++www.virustotal.com\cache\morgue\251\{33bbb7c1-12ee-43ce-9040-b8c35a9b4ffb}.final
  Filesize 47KB
  MD5 121e79cc5fbb7ee61a78e3446d3edb9c
  SHA1 66b66e421a106f2f664647159a1e76d2060d8e14
  SHA256 02a7e906c91be6096280f1f8625776d7d29ca23642ba63203f1fbb0bc6bf600a
  SHA512 f6bfa4eafe160d42714f63867910d7c7a632c1f96b8996c65d4b1f3ce62e22ca38ba07abe2dff5f16b204ad552bd734a9445486d9f8a048e1332ba767067a5ed
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize 192KB
  MD5 cbfc586854ed4bd21d1ac07a78134b21
  SHA1 6671507dfce4c4ee0cd9d9eba6c26a843fa86e4b
  SHA256 3792c17d38b53d145ffad4e9c04121b280df47b99dea15b54a65affbc0984e47
  SHA512 0afca716c13c183c54987cd780765492791c8a9518867b9fed19a440887e4bcb67f2164e7e4438aa7c718dfd846fc89fe380ba9ea55d1fd50a1497d4ee09d5ad