Analysis

- max time kernel: 248s
- max time network: 279s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 06-07-2024 17:39
- Static task: static1
- Behavioral task: behavioral1 (Sample: setup.exe; Resource: win10-20240611-en)
General

- Target: setup.exe
- Size: 584KB
- MD5: d514bd9fff9f7ccb2180d3ac7ce0e32f
- SHA1: ab6c7a7f24e7c4f673a3ae67dff2d3507cd52eb0
- SHA256: 3ca04ad50b4f41756bf91bce1162e408a7da7b6b5cca4331d3fcb51e8009fc6f
- SHA512: fe7c6e0eeae066cebafae70a26c1e83effb8ae60a626fed39717e04b7528e1353a6a8c8c8686fe616c21ea813e89462102e071dc25c2001b2747196997109cdf
- SSDEEP: 12288:NZv/eN/Kg1YdGG1TFTzTXcN3CNIb88WsNMP5F1k:NZHeImItf7W3CNIb88WsNMhF
Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
- resource: behavioral1/memory/1592-2-0x000000001B7E0000-0x000000001B86C000-memory.dmp; yara_rule: family_redline

Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (SearchProtocolHost.exe)

Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\rescache\_merged\1601268389\715946058.pri (taskmgr.exe)
- File created: C:\Windows\rescache\_merged\4183903823\2290032291.pri (taskmgr.exe)
- File opened for modification: C:\Windows\Debug\ESE.TXT (SearchIndexer.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)

Modifies data under HKEY_USERS (64 IoCs)

Modifies registry class (31 IoCs)

NTFS ADS (1 IoC)
- File created: C:\Users\Admin\Downloads\latest-x64.7z:Zone.Identifier (firefox.exe)

Suspicious behavior: EnumeratesProcesses (39 IoCs)
- pid 196, taskmgr.exe (all 39 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of FindShellTrayWindow (64 IoCs)
- pid 196, taskmgr.exe (all 64 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
- pid 196, taskmgr.exe (all 64 entries)

Suspicious use of SetWindowsHookEx (6 IoCs)
- pid 4456, firefox.exe (all 6 entries)

Suspicious use of WriteProcessMemory (64 IoCs)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:196
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3364
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4852
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 6922⤵
- Modifies data under HKEY_USERS
PID:3848
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 6922⤵PID:4356
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.0.54333381\860364394" -parentBuildID 20221007134813 -prefsHandle 1348 -prefMapHandle 1336 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84a3d17f-3f62-4d48-8299-a5e39a7fc157} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 1412 17923104858 gpu3⤵PID:1768
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.1.615283032\764605898" -parentBuildID 20221007134813 -prefsHandle 2552 -prefMapHandle 2548 -prefsLen 20926 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01f2f488-e88b-46cc-b88c-c333e49ca81f} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 2564 17916e72558 socket3⤵PID:328
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.2.702987592\1908524043" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 21029 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1664592-6360-40ee-ab15-64b46c1a6f7b} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 2856 17925ff5758 tab3⤵PID:4188
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.3.1419169631\1323436497" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3472 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {343fd5d9-4ddf-4dae-bc71-442e0fbeff44} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 3496 17926e58e58 tab3⤵PID:2756
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.4.501326920\390299804" -childID 3 -isForBrowser -prefsHandle 4156 -prefMapHandle 4152 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63132fae-37d0-4916-a84a-786847e12b1d} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4168 17927cb6258 tab3⤵PID:4352
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.5.1917211897\1865538562" -childID 4 -isForBrowser -prefsHandle 4524 -prefMapHandle 4528 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7cee4ae-dc72-4c85-b3d2-e5d7fa83bfc3} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4844 1792852a258 tab3⤵PID:3240
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.6.1410779660\721861218" -childID 5 -isForBrowser -prefsHandle 4948 -prefMapHandle 4952 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0df1d012-26a9-4fde-8ac1-720e020232fe} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4944 1792852b458 tab3⤵PID:3192
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.7.945451999\312559577" -childID 6 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c50e0c66-cbf9-4042-9900-d86eb18a3f2b} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 5124 1792852ba58 tab3⤵PID:5016
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.8.37912494\1350282710" -childID 7 -isForBrowser -prefsHandle 1892 -prefMapHandle 5464 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4f4faba-b9c4-4221-8e82-bd76a835b669} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 5524 17922361358 tab3⤵PID:1908
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.9.1384098459\757091360" -childID 8 -isForBrowser -prefsHandle 9580 -prefMapHandle 9568 -prefsLen 26608 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73c3681f-cde6-48f2-a9dc-3a07f486b880} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 9700 1792a05fb58 tab3⤵PID:4908
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.10.1522672919\1909330852" -childID 9 -isForBrowser -prefsHandle 9560 -prefMapHandle 9536 -prefsLen 26608 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {611bc405-c943-4ba5-9d69-779be4331dfd} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 9420 1792a1c0b58 tab3⤵PID:1340
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.11.221245229\1957846456" -childID 10 -isForBrowser -prefsHandle 9436 -prefMapHandle 9372 -prefsLen 26608 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08f3a74c-3219-470c-b243-1ee5b0598650} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 9504 1792a1c0858 tab3⤵PID:1872
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.12.1851451058\974169414" -childID 11 -isForBrowser -prefsHandle 9380 -prefMapHandle 9376 -prefsLen 26608 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d839e899-8dd2-44be-81f4-84b27aa78942} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 9392 1792a1e5058 tab3⤵PID:2920
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.13.676557344\1358710551" -childID 12 -isForBrowser -prefsHandle 9620 -prefMapHandle 1856 -prefsLen 26913 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73ab181e-e2cf-49e3-9e94-b4cd346cb235} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 5396 17922361f58 tab3⤵PID:5440
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.14.1986800447\450002996" -childID 13 -isForBrowser -prefsHandle 9780 -prefMapHandle 9180 -prefsLen 26913 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a402789a-e385-4665-867a-57bd960c9355} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4544 17928c7b858 tab3⤵PID:5888
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.15.387560930\1856545510" -childID 14 -isForBrowser -prefsHandle 5316 -prefMapHandle 8396 -prefsLen 26913 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33eaa7c2-eea1-4ab5-ab73-cd41b93aab60} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 8452 179295d6058 tab3⤵PID:4760
C:\Users\Admin\Downloads\setup.exe"C:\Users\Admin\Downloads\setup.exe"3⤵PID:2524
Network
MITRE ATT&CK Enterprise v15
Downloads