Resubmissions
24-06-2024 12:38
240624-pt9xkssdkh 10 24-06-2024 12:27
240624-pmqv5asaqa 10 24-06-2024 12:25
240624-pl5b5avhmk 1 24-06-2024 12:08
240624-pbaprsvdlr 8
Analysis
-
max time kernel
42s -
max time network
43s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system -
submitted
24-06-2024 12:25
Static task
static1
Behavioral task
behavioral1
Sample
right-arrow.xml
Resource
win10-20240404-en
Errors
General
-
Target
right-arrow.xml
-
Size
942B
-
MD5
082515300dff3450faa8780515be7d49
-
SHA1
5c26504a54ba6d7c9dd2b4eeb3c2b4232a4af9b1
-
SHA256
a95a3d988edb17d894e845c6b4055e59ed773bd2d7e10bdea43a9de3bb498100
-
SHA512
c35a439b2a0232336c821c6bb883936b71d92ef58b1698b605069577fa81bfb444a6b1c40084d6b6585ca4f961b5e3a5bb5fa8c39988dd17a53ebbcef326abc6
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
-
Modifies Internet Explorer settings
Processes: IEXPLORE.EXE, iexplore.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3309706490" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114801" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114801" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3309927943" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008184d0691bc89b45943f8497c1abf5c70000000002000000000010660000000100002000000087e9b12f64b630d7445eb978fff0f0ad47a2b14efc77e116d628df77b377fb71000000000e8000000002000020000000812b676c5a9fa6305b65ced5c5067d2e5e42ab90b8626bed5f3e428f75ac855a200000002c934060b6b61cdca6c81da901663859043b555c56884702bf912b63ccb3512840000000207d698a03717f5cd507e66252da1f506cbf308adbbe7f137d64531a54260114e146cb4a6526990645ad04f4174eeb51efebb8d4c1b5ec5def33557c2b7d3a9d | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b195c531c6da01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114801" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607d92c531c6da01 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3309927943" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008184d0691bc89b45943f8497c1abf5c700000000020000000000106600000001000020000000421108623828b3c2f515ef20dccc7f6b163a8caf1037e362eb49d5b530c81a37000000000e80000000020000200000009a82c30d73a3dd12faffafa9fccb752c4ac305d25340802d8968c545fc6f1cfb200000006f979fa0812e2de0eab4d26c95bae26d111b72cb3790277488248b181fef797640000000a1c39563457e2ce122a9c1cd73e1f9984c25636569fe38d072c19bb46b084c182256652aa4898f3bb5ced8a3ad8986c13980a4abec3459de55bc5b71fa5a8277 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F080383B-3224-11EF-A993-6EF3773CDC0A} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114801" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3309706490" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
-
Modifies data under HKEY_USERS 15 IoCs
Processes: LogonUI.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
-
Modifies registry class 1 IoCs
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | firefox.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: firefox.exe
description | pid | process
Token: SeDebugPrivilege | 4252 | firefox.exe
Token: SeDebugPrivilege | 4252 | firefox.exe
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes: iexplore.exe, firefox.exe
pid | process
1116 | iexplore.exe
4252 | firefox.exe
4252 | firefox.exe
4252 | firefox.exe
4252 | firefox.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes: firefox.exe
pid | process
4252 | firefox.exe
4252 | firefox.exe
4252 | firefox.exe
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, firefox.exe, LogonUI.exe
pid | process
1116 | iexplore.exe
1116 | iexplore.exe
424 | IEXPLORE.EXE
424 | IEXPLORE.EXE
424 | IEXPLORE.EXE
424 | IEXPLORE.EXE
4252 | firefox.exe
2280 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: MSOXMLED.EXE, iexplore.exe, firefox.exe, firefox.exe
description | pid process | target process | entries
PID 164 wrote to memory of 1116 | 164 MSOXMLED.EXE | iexplore.exe | 2
PID 1116 wrote to memory of 424 | 1116 iexplore.exe | IEXPLORE.EXE | 3
PID 1772 wrote to memory of 4252 | 1772 firefox.exe | firefox.exe | 11
PID 4252 wrote to memory of 60 | 4252 firefox.exe | firefox.exe | 2
PID 4252 wrote to memory of 2132 | 4252 firefox.exe | firefox.exe | 46
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\right-arrow.xml"
  PID: 164
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\right-arrow.xml
    PID: 1116
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1116 CREDAT:82945 /prefetch:2
      PID: 424
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 1772
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 4252
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.0.1054478420\1124804240" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23e07361-630e-42d6-9bf2-29268d60c7da} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 1796 28ba2cead58 gpu
      PID: 60
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.1.1158699927\1824999929" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87d36195-3a76-4bf2-8426-6e2b7e1328ae} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 2152 28b97c70458 socket
      PID: 2132
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.2.2112309129\1533503041" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2692 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94038bf2-5be4-4400-9b6e-59d705c962f3} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 3024 28ba6fa0458 tab
      PID: 4588
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.3.235729933\436869210" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d5d1e79-436c-4a44-bc4a-276ae5793bc3} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 3488 28b97c5f258 tab
      PID: 2492
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.4.1723300149\701384088" -childID 3 -isForBrowser -prefsHandle 4328 -prefMapHandle 3780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e72f77cf-38d8-4456-8ab3-0dc851288696} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 4336 28ba8d7ea58 tab
      PID: 4344
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.5.934747232\1901634182" -childID 4 -isForBrowser -prefsHandle 4912 -prefMapHandle 4880 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3924e66e-b2f7-4a89-861b-9a1457c7a934} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 4924 28ba8685858 tab
      PID: 2248
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.6.294181499\423523544" -childID 5 -isForBrowser -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f3895a1-5867-4e41-a9d6-876b5234c12f} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 5064 28ba9539f58 tab
      PID: 5024
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.7.117640317\2143118486" -childID 6 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14c70c3c-74f9-4823-a29d-90710afb87c1} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 4924 28ba9538758 tab
      PID: 1704
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3aed855 /state1:0x41c64e6d
  PID: 2280
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: 06f5f3f6abfa0faa19dac83b5346ccb5
  SHA1: 28c8b2b412b44c21726132ce9f51aa9e2207f328
  SHA256: 1f08ea567a623c9f9015efd9b209b823cd5bce6d474256440ffceb4f5ccffd8e
  SHA512: dd94f4ddc9e6cd90f1f4ae6c9175d16a6687329b2d1b928d24510229001a5539966b5ac1685d527606084a2cadc1ea856d14209c2e61b7434a699a293ebba448
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 8a5a62c74b206c905de1a00c29753c19
  SHA1: 188417437a3195db3d2a852f6beb62e524f7d00e
  SHA256: 60aff1bad9444c3883945bd225846667ef9dfcd4731455802740a1f1f53f7d3f
  SHA512: 48b799f9ff51279120f781520ed8bd9786f0b4962e2589784d6d51e7e710aee4122f194a7777ab2da8b91fef29f8406c233ac19309160c93945ec6f07694305e
- Filesize: 15KB
  MD5: 1a545d0052b581fbb2ab4c52133846bc
  SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
  SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
  SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: ca644aec2bb3fb9abae96325f8868e82
  SHA1: 30a05301022e61dab5e87dbae5a801b84480791d
  SHA256: 4264c16c5422b44da443495aac1c04aeeeacb35d0574c1b8539ad7d5e4a0ecf4
  SHA512: d8949780803e4d8f580e92815ee37f370580f98f21eadb4f5ec3bdb67dff993c1fc5ca2089d2f10d16dcbcdeb026897c2221cda9167ffde79fa2bc1f9a924883
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\004d0617-f08a-44dc-9647-7f83ca73f0c8
  Filesize: 9KB
  MD5: b4d207886d776e78dd12578d27b128d2
  SHA1: 1e921a0bd33415910e37d983ebee1635a3da2ef2
  SHA256: d4800b050e5c65bcad2defe13c19bc3012ef172be8898af72a76ec557eea11ef
  SHA512: 58ee3ea27c5a9ce8dd2053e02e66ae3548c15460cbc22935fdc3fd7440e9448c8edf029fdc980a7baa52d0bf9851193cecb27a27d48e298cf506a967b7c15063
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\f4f5884d-01d0-4c03-aa4e-afc684ec2238
  Filesize: 746B
  MD5: d593f2018cee75e045f84c2088bac8a0
  SHA1: d9cf01a7b492ca45bfa665295e06cb7ff06b7fe2
  SHA256: 1442175078c5960768b81978fa777deff795ca33bf5d846717c52d3e0c73fb51
  SHA512: 5eeebf40f5d49199a914a30546559e1fd12b56b1556a16231656a888a44b9119961f424067d9863758a17e864a621e4057fdf0e7f02fdac536e54628a73e92ea
- Filesize: 6KB
  MD5: 83b3b98827797640fdc37bb180622bbe
  SHA1: 0d22b992ec53bb0543657794ea5b317094b401b9
  SHA256: 53efdebd7e248bbddcb019bb6d53260e3b37dfb2db0d0fd5f22b6f0547015d88
  SHA512: dc259e6308848dadfbfe6be56c8b5168b61b4197b9b28fe76324e1963930ebbdeb174f50185b8a435a7f7ddee48e0121e5164c565f03bed308e19bf00c0714f5
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: 96b495a39ea1896ba37f9721f4272a89
  SHA1: 5c74734903077040d3dc91df2e240fd920d8d70c
  SHA256: 257cef0a866c703f9610e0adddf45a82bee4c10446062722af975ac1ddaa0ebd
  SHA512: a1a8c6646626c305350edf53381fc585ea6342b6cecf39bc04f63dd6812ab0bbe065a2d1032c637b8eab4f585426d564eb449322917ef70db4a3f9f23c4128fa
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4
  Filesize: 855B
  MD5: 2d06e69f9488724a57b2f9e918a5df09
  SHA1: e288a9c23e70727027bf57c3a264bc60d0137258
  SHA256: ec0a267a7e44defdcc4f4f2182e2064dd26462cd60c9135e5424c3b1646aefd8
  SHA512: c3fcc80b1dd1aa03c488f729f8a872cd576d90c03ffbc7655aab0e7e31ec11f3331cb85cfed9bdba134e841e56a49a39a3776142a24ebf07d4aa909a2a4d4710
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5: 0d0013d9708d9fef539adc917f5b87f6
  SHA1: 5e071e6b4d8abf007c8bb78ee948caf5bb0439e1
  SHA256: f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b
  SHA512: 851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388