01481b9a862936fbc090bda4033f22d7ffa5a7bfe5dc32f47c7794332b34eec4

Analysis

max time kernel
42s
max time network
81s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
16-06-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

web.dll
Size

18.7MB
MD5

88fd7dbf04bcf75123d02009aea3f7f7
SHA1

cecf16bdad71e54afc941179ea2b7438a04efa1d
SHA256

01481b9a862936fbc090bda4033f22d7ffa5a7bfe5dc32f47c7794332b34eec4
SHA512

2c6298b5adf91b51f0042d48e0846f5b196d52a588fd4fc577bf19ec26ad8e547382279a15f8bf131b08b0d7c140534aff25f82d5e8998818b812e72c9493917
SSDEEP

393216:hqA/D2IIyzg8DolBo6i0KoI6Di42sC1/syU3DXNs6hq8:hqcaZyV0fC1JOpjhq8

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\INF\netsstpa.PNF svchost.exe
File created C:\Windows\INF\netrasa.PNF svchost.exe

description	ioc	process
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
628

pid
4
4
4
4
4
628

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	4932	svchost.exe
Token: SeCreatePagefilePrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4932	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

regsvr32.exefirefox.exe

pid process

5004 regsvr32.exe
2436 firefox.exe

pid	process
5004	regsvr32.exe
2436	firefox.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

regsvr32.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3364 wrote to memory of 5004	3364	regsvr32.exe	regsvr32.exe
PID 3364 wrote to memory of 5004	3364	regsvr32.exe	regsvr32.exe
PID 3364 wrote to memory of 5004	3364	regsvr32.exe	regsvr32.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 3612 wrote to memory of 2436	3612	firefox.exe	firefox.exe
PID 2436 wrote to memory of 4248	2436	firefox.exe	firefox.exe
PID 2436 wrote to memory of 4248	2436	firefox.exe	firefox.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\web.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\web.dll
2⤵
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4980

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:308

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:4812

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:2788

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1564

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4932

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.0.176966165\1362662665" -parentBuildID 20221007134813 -prefsHandle 1692 -prefMapHandle 1688 -prefsLen 20935 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f371beb-e8a3-4075-9554-a6fcd9593346} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1780 193ad3d8e58 gpu
3⤵
PID:4248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.1.2137708235\998169874" -parentBuildID 20221007134813 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 21016 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58510f74-8b5e-47dc-b7d7-e54192e7a697} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2132 193acee3258 socket
3⤵
PID:4408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.2.1736755647\1430469093" -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 21054 -prefMapSize 233414 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee374432-160b-4503-adbf-1d1e865f95f3} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2928 193b0faad58 tab
3⤵
PID:4192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.3.1914603361\443382581" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 26212 -prefMapSize 233414 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26e4489f-26ec-45c5-a9e9-0396cef5ac0b} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3592 193a1e64e58 tab
3⤵
PID:504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.4.331078627\616103879" -childID 3 -isForBrowser -prefsHandle 4160 -prefMapHandle 4172 -prefsLen 26271 -prefMapSize 233414 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b17cfb9-8e33-4e99-8160-b049fba596e4} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4184 193b24e8558 tab
3⤵
PID:1100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.5.1734165418\770087558" -childID 4 -isForBrowser -prefsHandle 4816 -prefMapHandle 4416 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38b19542-6b32-4da1-9e70-0afea20204d1} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4764 193b3685d58 tab
3⤵
PID:680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.6.2011712554\2065342356" -childID 5 -isForBrowser -prefsHandle 5016 -prefMapHandle 5020 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca5e5c50-e491-4c71-a80b-c7961adfa6af} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4748 193b3687858 tab
3⤵
PID:3388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.7.379677055\423455807" -childID 6 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b06a99de-e757-498c-ae82-1afab561eef4} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 5180 193b3687558 tab
3⤵
PID:1328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.8.1406643876\243017361" -childID 7 -isForBrowser -prefsHandle 4592 -prefMapHandle 2520 -prefsLen 26433 -prefMapSize 233414 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d9c572f-0ed2-40a4-8616-a81358d95da0} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 5044 193b0f65158 tab
3⤵
PID:5652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.9.650593350\1413471234" -parentBuildID 20221007134813 -prefsHandle 5636 -prefMapHandle 5576 -prefsLen 26433 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13f10604-8da5-4566-9e89-72b60756c266} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 5628 193b0f66c58 rdd
3⤵
PID:5692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.10.291044975\602859191" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5544 -prefMapHandle 4816 -prefsLen 26433 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {219f0001-1394-47bd-a04c-4685158f530b} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 5692 193b0f67258 utility
3⤵
PID:5708

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:1720

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shwebsvc.dll,AddNetPlaceRunDll
1⤵
PID:5288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp
Filesize
25KB

MD5
cd180616a29579dd5cec2d1ac8f0f92a

SHA1
bab38163b45bc0b8a4ff192127a37fd289f44471

SHA256
c043df7d68ce7d01099b28dcbda761265039073d8f5bce3ae80d4ac96d9a4651

SHA512
a4787dc41dc988ecaebc0b6254666b29d7cb6ad638af1bb13f881ad33ce3dcdbd9447dba2281a4cb0ad792f9fd4351fe00ff8573c557facd11abfa279ff9e92f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
55bc7a08a2995d09d9c99cf95ba1778c

SHA1
becc40d5e4fb33c84ab7f5a845b7ed44cea5635a

SHA256
c934e22ab2a0bb45b42ffc3c0223fb64384870a4b2d27d628c44b4f8db62270e

SHA512
641baee7d42b11713bb692b6b0615b2b7ae7f90770c487fbfe76f4a1063296b26b57f2e05b2a14d18ea98ae2c9b8b7346f8cf620aec0fe8c16cb41b7ac02937c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\52d8633b-2481-4c41-bd29-912c2c8bd0fe
Filesize
10KB

MD5
ca8183b60cc23b898be8d2f6dfd0692b

SHA1
14a832ed90c55c3cdeba9a50e78658c68bd8ec3b

SHA256
d28f2df9da341d01acff40a91d982d07a20f768f0af5c3efb4c6faf3d37b5e94

SHA512
a67824ddaef7a0779d224d8272558628691c72f55fcb8ea4345dcd1052d6a063673c8b72d1f39ee9a00ad371f3fae8dac6f8c0285bb79cc957bd97989bf90d4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\7177df3b-e61a-4ee8-b7a5-ea04cf2d792a
Filesize
669B

MD5
84f94013fe18c07b37b65bd983e5cdf9

SHA1
2fbaf014bf7b6b50b5b8ad7d4ba97573032ba5bb

SHA256
7f18f0b3cefaffaac1933113efc7000c219eabd1c8222ce811916281525b3a0c

SHA512
ceff729e30726954feb3d3ca50f75bc2ae04e84908d8afca567df532805e6237b3f562964d4ccda310cc48b020fcbfff59bfbb75d335d670917c4377e08222ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
Filesize
6KB

MD5
09cbcb5e2d7a5a24f81802969e55ad85

SHA1
042fab59851e8f163e76904a98da3d2e82c80386

SHA256
1a95643c1834d9fa28ccf84c5d51071ef9d165d21342c476bdfba35c8824eaad

SHA512
3848ca7043e77c9ede28481b9ff2f4ec16f6da014aed65b1c12c225267dd210d6f135610f0b9383f141d14a165e4baa3bc89447db880068f4e8dc587bd0b8ee8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
Filesize
6KB

MD5
b7955362c7cb2276fa1b2a90d5167dbc

SHA1
fdb1763b744e5e2187629e808e9f0597acc1859f

SHA256
d08eddf3b8f6870838079a10a25e28957cc787035683b1b5b0bbdfaa6ed38057

SHA512
5af3e90e4840ee68b3a9114cf8d74409f4049bf9b77e859a6141853f0b9a49e37f56103180d3e0b4eedf4cbf3f18dc5a55d008020ec2a1ca0e7413c00f1c1d32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
Filesize
6KB

MD5
8158ed2679c58a8fe066ca761a391abf

SHA1
d12749f614a5a2b21146e115d38c77de37b51b22

SHA256
45d58198ed60ed03cba0a96bd3c462091b6f0d8ef67a06eb4de5d0b7f3345dfa

SHA512
9dd6e3f8e1281dc11df68bc073a88e889ce4e0e62a6e89d861fae6c4550bd44f6c05c84c560e0f8498d579daebbf30cab173cd9b44549bd009f8d25ed58587ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js
Filesize
6KB

MD5
5deafbbaf869ea43f2ec9c8d6289f8b0

SHA1
b58bf80037acc7673cc261015b265bc13f0371a4

SHA256
5c2453e0a749b98313cce2da7b491993523d5672cecf34d50d4e66c481c1af49

SHA512
24e00bb4b6f09b4cfdc53e42daebdf3f4acb02737387bab20d8fafb82dd648d679304f5c2e233b99a9ac705ca6d9540f6edf419feeac91abf71270f1044e9ab4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json
Filesize
181B

MD5
2d87ba02e79c11351c1d478b06ca9b29

SHA1
4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1

SHA256
16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524

SHA512
be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
01d9d0cc56c5ccc8e6f3e9505c5de575

SHA1
87b3424e1e150fdddd56d068b6c99dc4ec4d2c5a

SHA256
c97c000a3dce5b8188930e97dd6bd2d05856b1fddc074103812c040032da0607

SHA512
0025579289697ee51dfd76bd629139968e7e1b4eddaea3af7f40de9ca9675821e3f02b88b0fc4e9f2c0ff758758c156bf48d2fa20ba8be92d62c235d6997b681

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore.jsonlz4
Filesize
3KB

MD5
7d47cc7bcd2a7bcc6a8d581fc9b9971c

SHA1
14e5a4b07be1fb4656d202396d4e400e07e5a051

SHA256
41fd4fe0d173cc93efd8b1757e36ad62c440c46e914bf479ee4a54b13ddc9b1f

SHA512
b7a86ee93db5ad9b0b868b4854fd4c4052060092c54979cd91d935478bd997226ce3074792f05faf55e361b60e028cc2a2cb143867a57327f9282dda6f2cba46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
c1b7b7d4a2fb049947fd07af1250c59a

SHA1
93f38035b497d6108aaafab35369e1700b281344

SHA256
9c58ecc80390539cd6c977d072ac0167520a5552a4f1706248427ba7a0f3bfd6

SHA512
e0f944a63e8640e850b13e0a8a89ed59378ba8e50cc577528cd7d02bea7dac0525232551620cdc869d303732fa6066f113ced0c0b08b3d12cef19d56c2988353

Download Submit
C:\Windows\INF\netrasa.PNF
Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF
Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit