Analysis
max time kernel: 55s
max time network: 263s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2024 20:39

Static task: static1
Behavioral task: behavioral1
Sample: amadka.exe
Resource: win7-20240704-en
General
Target: amadka.exe
Size: 1.8MB
MD5: a167734f75b512f5fd225cfba47b3511
SHA1: aa5b54ac5a624e4c15fb848e519efa4fbd9d4e32
SHA256: 53083ace2013ee5e0ccfbdc41557a35ba6446d8c999fa5376b16f63197c1bad4
SHA512: 47b126308f83f371417965887fbf653f9501d7fd637a0eec380c6250e14947774e899ff77650763bf7cd10aa97837b5779ea4ccd6633dbad0cdff0adbec85a90
SSDEEP: 49152:dryQBe+WLSfY0Zg+V1Lxkj54Sx73b0tT9Y:QQ4RSfYqV1LxkFNeF2
Malware Config

Extracted
  Family: amadey
  Version: 4.30
  Botnet / campaign ID: 4dd39d
  C2: http://77.91.77.82
  Attributes:
    install_dir: ad40971b6b
    install_file: explorti.exe
    strings_key: a434973ad22def7137dbb5e059b7081e
    url_paths: /Hun4Ko/index.php

Extracted
  Family: stealc
  Botnet: default
  C2: http://85.28.47.31
  Attributes:
    url_path: /5499d72b3a3e55be.php
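The two extracted configs combine into a small, concrete indicator set: the Amadey C2 URL is the C2 host joined with each url_path (http://77.91.77.82/Hun4Ko/index.php), the Stealc URL likewise (http://85.28.47.31/5499d72b3a3e55be.php), the install directory plus install file gives the on-disk name of the second stage (\ad40971b6b\explorti.exe), and the Signatures section adds the Run-key values pointing into %TEMP% and the C:\Windows\Tasks\explorti.job file. The script below is an added example, not part of the sandbox report and not tooling from the report's authors: it expands the config into indicators and matches them over Sysmon-style JSON-lines events. The events are constructed here to mirror the report's findings; which of the dropped binaries carries the Stealc payload is not stated by the report, so the process in the HTTP record is an assumption, and the "http" record type stands in for a proxy or EDR log that carries full request URLs (Sysmon's network event does not).

```python
import json

# Indicators copied from the "Malware Config" section of this report.
AMADEY = {
    "c2": "http://77.91.77.82",
    "url_paths": ["/Hun4Ko/index.php"],
    "install_dir": "ad40971b6b",
    "install_file": "explorti.exe",
}
STEALC = {"c2": "http://85.28.47.31", "url_path": "/5499d72b3a3e55be.php"}

# Persistence artefacts from the Signatures section, lower-cased for matching.
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
TASK_JOB = "c:\\windows\\tasks\\explorti.job"
TEMP_DIR = "\\appdata\\local\\temp\\"


def build_indicators(amadey=AMADEY, stealc=STEALC):
    """Expand the two extracted configs into comparable host and network indicators."""
    urls = {amadey["c2"].rstrip("/") + p for p in amadey["url_paths"]}
    urls.add(stealc["c2"].rstrip("/") + stealc["url_path"])
    hosts = {u.split("//", 1)[1].split("/", 1)[0] for u in urls}
    install = "\\" + amadey["install_dir"] + "\\" + amadey["install_file"]
    return {"urls": urls, "hosts": hosts, "install_path": install.lower()}


def classify(event, ind):
    """Return the name of the rule an event trips, or None.

    Field names follow Sysmon (EventID 1 process create, 3 network connect,
    11 file create, 13 registry value set); EventID "http" is a constructed
    proxy-log record carrying the full request URL.
    """
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    if eid == 1 and image.endswith(ind["install_path"]):
        return "amadey_install_path"
    if eid == 11 and event.get("TargetFilename", "").lower() == TASK_JOB:
        return "amadey_task_job"
    if eid == 13:
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "").lower()
        # Run-key value whose payload lives under the user's Temp directory.
        if RUN_KEY in target and TEMP_DIR in details:
            return "run_key_to_temp_payload"
    if eid == 3 and event.get("DestinationIp") in ind["hosts"]:
        return "c2_ip_connection"
    if eid == "http" and event.get("Url", "").lower() in {u.lower() for u in ind["urls"]}:
        return "c2_url_request"
    return None


def hunt(jsonl, ind):
    """Run each JSON-lines event through classify() and return (RecordId, rule) hits."""
    hits = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        rule = classify(event, ind)
        if rule:
            hits.append((event["RecordId"], rule))
    return hits


# Constructed sample telemetry (not captured from the sandbox run): records 1-5
# mirror the report's process tree, Run keys, task file and C2 addresses;
# records 6 and 7 are benign look-alikes that must not match.
SAMPLE_EVENTS = r"""
{"RecordId": 1, "EventID": 1, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ad40971b6b\\explorti.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\amadka.exe"}
{"RecordId": 2, "EventID": 11, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\amadka.exe", "TargetFilename": "C:\\Windows\\Tasks\\explorti.job"}
{"RecordId": 3, "EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ad40971b6b\\explorti.exe", "TargetObject": "HKU\\S-1-5-21-2212144002-1172735686-1556890956-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\go.exe", "Details": "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000017001\\go.exe"}
{"RecordId": 4, "EventID": 3, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ad40971b6b\\explorti.exe", "DestinationIp": "77.91.77.82", "DestinationPort": 80}
{"RecordId": 5, "EventID": "http", "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000015001\\92d7d68fb7.exe", "Url": "http://85.28.47.31/5499d72b3a3e55be.php", "Method": "POST"}
{"RecordId": 6, "EventID": 13, "Image": "C:\\Program Files\\Example\\setup.exe", "TargetObject": "HKU\\S-1-5-21-2212144002-1172735686-1556890956-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Example", "Details": "C:\\Program Files\\Example\\example.exe"}
{"RecordId": 7, "EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for record_id, rule in hunt(SAMPLE_EVENTS, build_indicators()):
        print(f"record {record_id}: {rule}")
```

The Run-key rule deliberately keys on the payload location rather than the value names 92d7d68fb7.exe and go.exe, which are per-campaign; the C2 host match covers the IP even when the path changes, and the full-URL match is the higher-confidence signal where proxy logs are available.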
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 2 IoCs]
  Processes:
    description  ioc                                          process
    Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  amadka.exe
    Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry  [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                               process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   explorti.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  amadka.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   amadka.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe

Executes dropped EXE  [3 IoCs]
  Processes:
    pid   process
    2776  explorti.exe
    1716  92d7d68fb7.exe
    1984  go.exe

Identifies Wine through registry keys  [2 TTPs, 2 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
    description  ioc                                                                           process
    Key opened   \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine  amadka.exe
    Key opened   \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine  explorti.exe

Loads dropped DLL  [5 IoCs]
  Processes:
    pid   process
    2172  amadka.exe
    2776  explorti.exe  (4 entries)

Adds Run key to start application  [2 TTPs, 2 IoCs]
  Processes:
    description      ioc                                                                                                                                                                                  process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\92d7d68fb7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000015001\\92d7d68fb7.exe"  explorti.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000017001\\go.exe"                  explorti.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  [2 IoCs]
  Processes:
    pid   process
    2172  amadka.exe
    2776  explorti.exe

Drops file in Windows directory  [1 IoC]
  Processes:
    description   ioc                             process
    File created  C:\Windows\Tasks\explorti.job  amadka.exe

Enumerates physical storage devices  [1 TTP]
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry  [2 TTPs, 4 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                        process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    firefox.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature   firefox.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz               firefox.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier   firefox.exe

Enumerates system info in registry  [2 TTPs, 3 IoCs]
  Processes:
    description        ioc                                                              process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe

Modifies registry class  [1 IoC]
  Processes:
    description  ioc                                                                                   process
    Key created  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings  firefox.exe

Suspicious behavior: EnumeratesProcesses  [4 IoCs]
  Processes:
    pid   process
    2172  amadka.exe
    2776  explorti.exe
    2984  chrome.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken  [64 IoCs]
  Processes:
    description                 pid   process
    Token: SeShutdownPrivilege  2984  chrome.exe   (62 entries)
    Token: SeDebugPrivilege     1960  firefox.exe  (2 entries)

Suspicious use of FindShellTrayWindow  [39 IoCs]
  Processes:
    pid   process
    2172  amadka.exe
    2984  chrome.exe   (34 entries)
    1960  firefox.exe  (4 entries)

Suspicious use of SendNotifyMessage  [35 IoCs]
  Processes:
    pid   process
    2984  chrome.exe   (32 entries)
    1960  firefox.exe  (3 entries)

Suspicious use of SetWindowsHookEx  [1 IoC]
  Processes:
    pid   process
    1716  92d7d68fb7.exe

Suspicious use of WriteProcessMemory  [64 IoCs]
  Processes (source PID / process wrote to memory of target PID / process; repeated entries collapsed):
    2172 amadka.exe    -> 2776 explorti.exe     (4 entries)
    2776 explorti.exe  -> 1716 92d7d68fb7.exe   (4 entries)
    2776 explorti.exe  -> 1984 go.exe           (4 entries)
    1984 go.exe        -> 2728 cmd.exe          (4 entries)
    2728 cmd.exe       -> 2984 chrome.exe       (3 entries)
    2728 cmd.exe       -> 2956 firefox.exe      (3 entries)
    2984 chrome.exe    -> 3064 chrome.exe       (3 entries)
    2956 firefox.exe   -> 1960 firefox.exe      (12 entries)
    1960 firefox.exe   -> 2296 firefox.exe      (3 entries)
    1960 firefox.exe   -> 1800 firefox.exe      (remaining 24 of the 64 listed)

Uses Task Scheduler COM API  [1 TTP]
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
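Two things in the signature list deserve a practitioner's caution before the registry reads are turned into detections. First, the same sandbox-evasion labels ("Checks processor information in registry", "Enumerates system info in registry") are attributed here to firefox.exe and chrome.exe, which the dropped go.exe launched through a batch file; the browsers are part of the infection chain, but reading CentralProcessor and BIOS product strings is ordinary browser behaviour, whereas the VirtualBox ACPI table name and the Software\Wine key, read by amadka.exe and explorti.exe, have almost no legitimate reader. Second, this telemetry is an API trace: Sysmon records registry key creation and value writes, not reads, so reproducing these checks on an endpoint needs EDR or ETW registry-read events. The script below is an added example, not part of the report, that scores each process by the distinct anti-analysis reads it performs, weighted by specificity and by whether the binary runs from a user-writable path. The weights and the cut-off are assumed values to be tuned; the records are constructed to mirror the report's IoC rows, with image paths taken from the process tree.

```python
# Registry locations this report's signatures key on, mapped to a check name.
# Matching is by lower-cased substring of the full registry path.
ANTI_ANALYSIS_KEYS = {
    "\\hardware\\acpi\\dsdt\\vbox__": "virtualbox_acpi",
    "\\hardware\\description\\system\\systembiosversion": "bios_version",
    "\\hardware\\description\\system\\videobiosversion": "bios_version",
    "\\software\\wine": "wine_key",
    "\\hardware\\description\\system\\centralprocessor": "cpu_info",
    "\\hardware\\description\\system\\bios": "system_info",
}

# Assumed weights (not from the report): how specific each read is to evasion.
# The VirtualBox ACPI table and the Wine key are rarely touched by legitimate
# software; CPU and BIOS product strings are read by ordinary applications,
# and the report itself attributes those reads to chrome.exe and firefox.exe.
WEIGHTS = {"virtualbox_acpi": 4, "wine_key": 4, "bios_version": 2, "cpu_info": 1, "system_info": 1}

# A binary running from a user-writable location gets its score doubled.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
THRESHOLD = 6  # assumed cut-off; tune against your own telemetry


def label_read(registry_path):
    """Map one registry path to a check name, or None if it is not one we track."""
    path = registry_path.lower()
    for needle, name in ANTI_ANALYSIS_KEYS.items():
        if needle in path:
            return name
    return None


def score_process(image, registry_paths):
    """Score one process from the distinct anti-analysis checks it performed."""
    checks = sorted({c for c in map(label_read, registry_paths) if c})
    score = sum(WEIGHTS[c] for c in checks)
    if any(marker in image.lower() for marker in USER_WRITABLE):
        score *= 2
    return {"score": score, "checks": checks, "evasive": score >= THRESHOLD}


def score_registry_reads(records):
    """Group (process, ioc) records by process image and score each image."""
    by_image = {}
    for rec in records:
        by_image.setdefault(rec["process"], []).append(rec["ioc"])
    return {image: score_process(image, paths) for image, paths in by_image.items()}


# Constructed records shaped like the report's IoC rows: the process image and
# the registry path it opened or queried.
AMADKA = r"C:\Users\Admin\AppData\Local\Temp\amadka.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_READS = [
    {"process": AMADKA, "ioc": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"process": AMADKA, "ioc": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"process": AMADKA, "ioc": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"process": AMADKA, "ioc": r"\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine"},
    {"process": FIREFOX, "ioc": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"},
    {"process": FIREFOX, "ioc": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"},
    {"process": CHROME, "ioc": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"},
    {"process": CHROME, "ioc": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
]

if __name__ == "__main__":
    for image, verdict in score_registry_reads(SAMPLE_READS).items():
        print(f"{image}: score={verdict['score']} checks={verdict['checks']} evasive={verdict['evasive']}")
```

Scoring distinct checks rather than raw read counts matters: the browsers produce far more registry events than the malware, so a count-based rule would rank them higher, while the combination of the VirtualBox ACPI read, both BIOS version strings and the Wine key from a binary in %TEMP% is what separates amadka.exe and explorti.exe here.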
Processes
(indented one level per parent/child step; the trailing digit in the original marks the tree depth)

C:\Users\Admin\AppData\Local\Temp\amadka.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\amadka.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 2172

  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2776

    C:\Users\Admin\AppData\Local\Temp\1000015001\92d7d68fb7.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000015001\92d7d68fb7.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID: 1716

    C:\Users\Admin\AppData\Local\Temp\1000017001\go.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000017001\go.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1984

      C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6539.tmp\653A.tmp\653B.bat C:\Users\Admin\AppData\Local\Temp\1000017001\go.exe"
        (Sysnative is the WOW64 alias through which a 32-bit process reaches the 64-bit System32 directory, which is why the recorded image path is C:\Windows\system32\cmd.exe while the command line names sysnative.)
        - Suspicious use of WriteProcessMemory
        PID: 2728

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 2984

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb489758,0x7fefb489768,0x7fefb489778
            PID: 3064

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:2
            PID: 1964

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:8
            PID: 2944

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:8
            PID: 1244

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:1
            PID: 3044

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:1
            PID: 1600

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2960 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:1
            PID: 2208

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:2
            PID: 2472

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:8
            PID: 3040

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
          - Suspicious use of WriteProcessMemory
          PID: 2956

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 1960

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.0.548381427\1789534007" -parentBuildID 20221007134813 -prefsHandle 1164 -prefMapHandle 1156 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e9967d7-210d-4240-a16c-bd437f3504b7} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 1276 109d2458 gpu
              PID: 2296

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.1.641009817\1015183064" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cb8189e-40fd-4aab-9d31-e47c34361322} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 1504 10906b58 socket
              PID: 1800

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.2.37385465\1459903816" -childID 1 -isForBrowser -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 720 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c25e3d4c-3b11-4610-b429-e12fc2660da5} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 2152 1999f158 tab
              PID: 2712

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.3.729258046\771875619" -childID 2 -isForBrowser -prefsHandle 2252 -prefMapHandle 1824 -prefsLen 21852 -prefMapSize 233444 -jsInitHandle 720 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2e00404-f2b9-4072-bc29-b5f65efea560} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 1852 109d4558 tab
              PID: 2876

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.4.765297234\1792432603" -childID 3 -isForBrowser -prefsHandle 2188 -prefMapHandle 2588 -prefsLen 21852 -prefMapSize 233444 -jsInitHandle 720 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23943481-5626-402b-9f64-41ca84540c43} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 1972 1889a258 tab
              PID: 1648

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.5.872390547\1679605054" -childID 4 -isForBrowser -prefsHandle 2800 -prefMapHandle 2804 -prefsLen 21852 -prefMapSize 233444 -jsInitHandle 720 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a555029-728b-4e1a-ac41-28913ab44f30} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 2788 19aa0f58 tab
              PID: 1508

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.6.1573330651\611182478" -childID 5 -isForBrowser -prefsHandle 3296 -prefMapHandle 3292 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 720 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8adbaa9b-682a-46c8-a14b-e9e7eed7baad} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 3308 d62858 tab
              PID: 2732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 2240
Network
MITRE ATT&CK Enterprise v15
Downloads
(entries whose path the report did not record are marked as such)

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2a4b3ad8-8333-473d-bbd4-52275d51facd.tmp
  Filesize: 5KB
  MD5: 239c292f1a909b8c54fcb63db2453950
  SHA1: ef0f0457e5dfdde8ecd74b36ff4459e90a317005
  SHA256: bb422c407821c764b806e8919f120714d597fc10eb5cd02ceb2a39a4751ab4c7
  SHA512: ff8b7d2e2c6b34639b47c7ece317d14e49e0e50dcc9d100ffa22b4bab6d99aad0acba8a3d53c800abda85781ef2755ebcb5d560afd4d2051abac9ba53cd59225

(path not recorded in the report)
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

(path not recorded in the report)
  Filesize: 2KB
  MD5: 3c679320fb8fad3850938b55731dafbc
  SHA1: 080677e6cd9ebcec72a83ce3fa282cec0c2b8740
  SHA256: b747a0d7ca52f4745b9f6b22ec9058acc7615f6f251b3e69f0bd5ea3aeee8869
  SHA512: 69012662219d8ab0491e5d258f9ccc7a0b0519779c47f88327dd9787d704d533fe42898dc41b67bfa08a7867671e9dfbfe353bea9635bd054acbdb65d73e8c32

(path not recorded in the report)
  Filesize: 2KB
  MD5: c6642950f906bf41b86ab646126c5a9b
  SHA1: 3675cec8c1d08740d9e26bb927b6f457244e50a6
  SHA256: e06ada209a5a1a97de6c0fb1e80d10cf3b91d02b0cd764963fd7cbe5e9b0ef8d
  SHA512: a1790e50b86ff741d2408f0848ac3a6ea1b672b5df68dab83c0fa5add4447ba17c0a91e692e75aa17ff4dfa2a76c939c3b7229a81607de9c352708345bd4a0ff

(path not recorded in the report)
  Filesize: 5KB
  MD5: 3af51e0db94da69a1bb9ac3e06b77de3
  SHA1: f4a28a30ddafcd4dfadf08140c7f2c5a5a580ad8
  SHA256: 1196b577bd05b89212c230a2d7ddded224dc0070f00baa6db180214f2de8ec89
  SHA512: 86e7a1884c0978fee24333a28bd0ceb45d7210c3a846023b61d7d543612aac32ad20427f9a5f98a2104c74f8d110c36c24e223954243369a5a9a4aec2703ed79

(path not recorded in the report)
  Filesize: 5KB
  MD5: aea8249ad86f839970b5fd792b2aef31
  SHA1: ea32213e992f3a1d45f53b88ffa4b1d5fe19be27
  SHA256: fd1fe17026463872009e5730123a51c482b99eded67b4dc1441abc11f2ee225f
  SHA512: 2c807a1af8226df1b53caefa5a99d6922b387f881ad9c5c7cb6d3945805cd77d7e205e2ac72892355f410104eb36a59246d377d96cc283c3dcf200db0c46cb4c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
  Filesize: 16B
  MD5: 18e723571b00fb1694a3bad6c78e4054
  SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
  SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
  SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzuz3epu.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 25KB
  MD5: 8fabf302550f3ddb35a814920a4bccdd
  SHA1: a3bd85729e0ea62c1ebeb59347a3841fa580aa34
  SHA256: a2ce83a903f1c6212b1e1381e27727c8ba530175692fb97aa7df1fc634783305
  SHA512: dda05c31b00840cc841ac4569da840026cd66e6da0c1f86d904970fa83e2413cff52b118ad3baa35d7856275003e83c4cb9328db44335e0778357e82513f2a1f

(path not recorded in the report)
  Filesize: 678KB
  MD5: d4d2df98497ca423a6d783052fd3f555
  SHA1: 1b2f231e54457b70ec4db0dc828e9f65e35271eb
  SHA256: 764371ece8ac91f60d259804944c191eab2462d3468e73a35454d96da518bf02
  SHA512: cbffc93253cf8cea7af21c2f8a831a5dc6c899192ac0d8981e3c9bd1380b4899c8302f33d55784dd89feb11347ad4eb32c74fc8716258f91c76890e39d35650c

(path not recorded in the report)
  Filesize: 89KB
  MD5: 955cd70d3448d43ad703bed723a98765
  SHA1: 1eeedcadaeffd31059647d7732bca344bad85824
  SHA256: be764de7facd5475b94742d25f340883d8e69f90226aa3826f683c6a40df7b3a
  SHA512: 70d68fb0f44cb55fdb1b476bfd2388180335b09bcba87541822fafc8dea8fc898c3055d20e0be3b1db98035a54ac1b54cc26c28f45368789417cd9ce59ec68cf

(path not recorded in the report)
  Filesize: 2KB
  MD5: de9423d9c334ba3dba7dc874aa7dbc28
  SHA1: bf38b137b8d780b3d6d62aee03c9d3f73770d638
  SHA256: a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
  SHA512: 63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

(path not recorded in the report; the hashes are those of the submitted sample amadka.exe listed under General)
  Filesize: 1.8MB
  MD5: a167734f75b512f5fd225cfba47b3511
  SHA1: aa5b54ac5a624e4c15fb848e519efa4fbd9d4e32
  SHA256: 53083ace2013ee5e0ccfbdc41557a35ba6446d8c999fa5376b16f63197c1bad4
  SHA512: 47b126308f83f371417965887fbf653f9501d7fd637a0eec380c6250e14947774e899ff77650763bf7cd10aa97837b5779ea4ccd6633dbad0cdff0adbec85a90

(path not recorded in the report)
  Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

(path not recorded in the report)
  Filesize: 8.0MB
  MD5: a01c5ecd6108350ae23d2cddf0e77c17
  SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  Filesize: 7KB
  MD5: b25353bdc6a04d8c5d43af6e5575e10f
  SHA1: 228d3393e5655f0be4fe1065f9cc225c7e3b038b
  SHA256: 5903258b80cbd54e23f7f63e1b7cd9f7589182f9a33128cc2f5f5e565b165646
  SHA512: 11ee13aa78ed43a46ed0cef9c7da53875e2370005cc4b62f133fd9fc739df5850811cce4af638d742aa36914f98f6137447c6c390240f7afe3800350b603ec68

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 3174009ff185a3b2703863e1924ad8d1
  SHA1: eecc307337aab73d054be6b94fdb8eeb33b793d3
  SHA256: 9a0340c1f4ce17c8fe61fd76087632a3830ec07d910b1b4f9b90e8b4b0782867
  SHA512: a6f75f2b16f6805019940120c8f39c90c1df0dc434b0a42f6f097f0c0670764d8ef8171f049e0ef376415b579ca0c02c6dfe5c352107e854ebaba1b8d3616d8b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\pending_pings\7d27008d-b086-43ff-9a2f-720e69cdd524
  Filesize: 745B
  MD5: 865531e6cd7a37df68194463b2096de8
  SHA1: 1180ac0bd71fd8c173f7e7da4ff049125e95eee2
  SHA256: 9b6f8e6cf0370394d911ab74ebe5c0e51a6ca43887c23375e8296fa465c82640
  SHA512: 877048a58cb5a9bd579c7e5b2f18aae921f8726396870cae29bd898f5d20200f74fc2ab7fb7c6147ad203eb6b2465dbcb4f73c726ef628758a29f597cd3a8e5f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\pending_pings\e716d7a2-b5bb-40f0-a223-f5c614c886f7
  Filesize: 11KB
  MD5: c06e895e9055a9b668827529c0d48578
  SHA1: fb6d4b7231bc5c79cf68d476ff08f1bd3b6f928a
  SHA256: 73974b24ab7ce3d103241e5e69feed4280248cbfb547c92161b78353023c59ec
  SHA512: dcff17c71c206f45367bbbc0bb0bfc61e0eef88d993199a6c4383e9c8cd0f20086d793c875b4f5a9e5c3de7586070ca0ad7c5edd13541efcc2d4bace7cf59f5c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

(path not recorded in the report)
  Filesize: 7KB
  MD5: 0fec24e86086efb668490300e9bf5ff0
  SHA1: fe3d0061b86dba4bb4489bc0c8033243160f01da
  SHA256: ec598db0922e1188be9f2cfb0e515eb4e3c93eb89f914b947bbaa81ebebdfcd8
  SHA512: a75de1adca06724afb7f63c4e7f261025c82a59800fac92b18f98dc57d7acd67536c73970401159375db6a7424090ebf66382ee8182bcd2e7db816b9b8fee604

(path not recorded in the report)
  Filesize: 6KB
  MD5: 63a8dc060e264b29a576bc902223f2dd
  SHA1: f752fd0f1c8a4e4192261166dd11184136b43888
  SHA256: 9fd72c5182010bfb9310789eca2ba0c692e3ee207cadc43e312f3ec76188dbee
  SHA512: 092a7f99f88b16b6ddce9dac13aad8f55ab29f79935f766f20372b17126360f7e4ef7dc31de7c68143c15a8fcd37b5eadbc180482b0973c6a3f6507338bdb9b7

(path not recorded in the report)
  Filesize: 6KB
  MD5: 409be3a11a20a68a35267bf6cba6b24b
  SHA1: e647aae8035131291582d773ec3beebff748fbb0
  SHA256: a14ab695ca3f1e64dc2150f50092e908207034c5359b1aa5c3c4505de6c4dcab
  SHA512: 546950c505a099d8668e374cca70d6b83e0f697f0c3099feaa2031a470abf1856e1b2d28f8c059823f158b0477e9d56a2bd4f14ef4ac892cff52c5db9b6c524d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: e59b67bd5462071ae2db4aa857dd6dd0
  SHA1: 268f7274ef0762f01f090b848449fe5039279ba3
  SHA256: ff8e6237ed8d83aa35a31271267f4db4708795910c77e4ed531c59520d9d9832
  SHA512: be21274a9f67c9c95418d10dd2931aa95d7f9648043e74bb3cfcce49bad04bf84985484279fbff337cbc9a4c27afa82b3436c4b8b019be0433373eb122f031e3

(path and size not recorded in the report; these are the digests of empty input, i.e. a zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e