d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
Size

3.1MB
MD5

d4c54ce93995dbd6e25e0b36bd9f52e1
SHA1

e5b24d0ae296e4dbf749f5d27d77d6906f8b7cff
SHA256

d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6
SHA512

8fff30ecfcf4317ccd091fa2b6ac3f8792076f47d95843cadbe062a3dfe1b4e5f21d65f1c4b4ac740d78df1c07e0008cf26ccef72b9599b9c66c926d31c1adf0
SSDEEP

98304:Uue9ePEhefj0b4j1YYqyQIEV+JJq7VFQOxTdhyJmk:Xe9ePPf31x4/7VFPEv

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4292-347-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-356-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-357-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-383-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-1219-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-1752-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-2497-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-2504-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-2507-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-2508-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-2509-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-2510-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-2511-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-2517-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/4292-2518-0x00000000002A0000-0x0000000000D8C000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	firefox.exe
Token: SeDebugPrivilege	4436	firefox.exe
Token: SeDebugPrivilege	4436	firefox.exe
Token: SeDebugPrivilege	4436	firefox.exe
Token: SeDebugPrivilege	4436	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
4436	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 2440	4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe	85
PID 4292 wrote to memory of 2440	4292	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe	85
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 2440 wrote to memory of 4436	2440	firefox.exe	87
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4576	4436	firefox.exe	88
PID 4436 wrote to memory of 4912	4436	firefox.exe	89
PID 4436 wrote to memory of 4912	4436	firefox.exe	89
PID 4436 wrote to memory of 4912	4436	firefox.exe	89
PID 4436 wrote to memory of 4912	4436	firefox.exe	89
PID 4436 wrote to memory of 4912	4436	firefox.exe	89
PID 4436 wrote to memory of 4912	4436	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
"C:\Users\Admin\AppData\Local\Temp\d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b46575c4-a328-4fe8-be23-80713d0b1ebc} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" gpu
      4⤵
      PID:4576
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3606b490-5ee4-49c9-b793-f1244f77eddf} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" socket
      4⤵
      PID:4912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2668 -childID 1 -isForBrowser -prefsHandle 2732 -prefMapHandle 3104 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5186e788-b535-4c73-9e11-9a9007975592} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
      4⤵
      PID:4276
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3592 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed59b10c-4c42-4cdc-86ba-5b54fba6857a} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
      4⤵
      PID:464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4436 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4464 -prefMapHandle 4456 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbbe106e-3e89-4f06-aab6-ffb27186b070} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" utility
      4⤵
      Checks processor information in registry
      PID:4740
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5356 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {134750a5-3fd7-4049-9c4d-313a7f907fd0} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
      4⤵
      PID:1308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f255035b-2df3-4e02-bd18-ef97f5936271} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
      4⤵
      PID:468
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5712 -prefMapHandle 5716 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {097b9783-7cdf-4102-b023-6f5058539106} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
      4⤵
      PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\erhtqml9.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
3210129a31c90c726fa2995681ae9fec

SHA1
4505ff9f706dcfd6fd76979b92cbe3c64c8e6885

SHA256
8b379f541fff92fe4a747960648f911890df8063a4c51fbca6b07b625a9119af

SHA512
16847e060d901d2828ecde64f960b5d791c0f8f05c689fa7318a9a97f703b1ec410fab6fc2a0063e9484b6d482956b8e4b9aef0c157a806466d3d67e64a9f04c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\erhtqml9.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
d32c34766ed0056f6f4c55b239333f31

SHA1
b2c7970045908c8fe0ea1dc35658ec5cdab03bff

SHA256
685f82b5ddc3a5913b4f2b17cd095cfe51abee5989282b6a377e01256880380f

SHA512
b627b1b3a2148fc2cbacbbadd6c5d15b0904e0ae0959526de7c81a6e9dd637e584e998282ec04bcd49b688b707f1fabca0bf165e6cd44594d7ec2d79c062d1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\AlternateServices.bin

Filesize
11KB

MD5
cfda24c88a864804d9ba472195ac58e1

SHA1
aa07c0cb5b5eadc2682e54e8463e627b823ebf35

SHA256
3120be321da04b859aa48858bff090f5142055cc54e1e81e94f204edc5e123e7

SHA512
52fb54a1749541a13ab33b0840939d9c18e2e45b2484db4afacdf891062191d21a7fe23eaa9bf8da147a72b747ab1aa205caf8db81bb93849a6f93b9dfe2c205

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
038f86a1ec75dc7890267679980b9d99

SHA1
abfc4058bff6453b94cb85119a213f0d986e6de5

SHA256
b448e2a581a7217842f595630fb94c934e4142622007d97a4bd0bb9cd4e5192f

SHA512
797976ed6cc3eaaf11c86dd31930f233b632c8101489e0c19e2bb1c218c4734aa1297104e75f7c231e84657db3862cc05b67a8cdff623377ba8db830b70aa132

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
5349ffdbd87ed5967421926c7d684d7d

SHA1
dfd6d5f814187070cbe8c3900177a6335a6b90ca

SHA256
b6f9c66e58edf410412f951dceb5b64ef287e6c179ba1a8d0a3cc323b25aa278

SHA512
df42c97bed28c39cfdf95331df2c159877ebed1580c74eefe43a6c7b8ec55a509dd5fe81a4dd69f2bca9faba71c7fa79cd1eb8c4ef54d3ed5e623b681055f4fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
d53bbf31b0c2c9fb32d13268e33b3539

SHA1
bc1e07161d24fec897dd8f84c335e414668ada6e

SHA256
f1f7af47ae2f2f499647cff604a3607690f6b802cc4d6568a2a7685474809a9f

SHA512
0f09dfe9b8ae0b7b57310da53cfd62db40ccff946d5eb08b2479761cea968007fd2e96395aa006717a15606106875eb323668fed9612074482978773fceb401a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\datareporting\glean\pending_pings\0a49c7e1-50f3-464c-98c6-7c41cbe66c38

Filesize
26KB

MD5
9777e6984bef2fb1f4928a4dc0dc693b

SHA1
908835124128719a4995b26a600f36cf89ea4261

SHA256
11b71f3ca1dbaaa2e9429270cbd24b1b40f5cf6f90d868caebc18feee936f3f4

SHA512
ae1d2bdeb84b53dc6d1dcdcbd3a64b38f13e39bc6b4e53ae0a05fdc9e434f42a81d3133f1a6570e89ebf65fe233dc44b3c01372445721504b281b4f93f1fc3a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\datareporting\glean\pending_pings\2e3b92f8-13c9-494e-9714-e56cde89c9c1

Filesize
671B

MD5
581833fcfa87a4f542d372a6f6122987

SHA1
c0107ce9e052df2ea5f71437b5a9bc214cc3411a

SHA256
ecfbe13e5bdd55977c993ea5eeff80a5ca22e95ca286fab6c667bdd39b602438

SHA512
28f90e60c1c5eb93546bda260caa79982ba22922265ca12f03f723747a2245549093a84e1db700068e634c1a7f05f63fc5980ad05acfab3b3497c20e229be65f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\datareporting\glean\pending_pings\6baa4a9d-690f-48b8-a928-ff0c5fe4360a

Filesize
982B

MD5
3fd83fa0e9e40a06bc65810fdaee7dc2

SHA1
3599d747fa7bd2bcc1ebe951da17e459bf4c3a43

SHA256
8b71f91fcd9adc59396964bba725e492ecb18fc405b0c770c1ab3be310329fda

SHA512
5b8a0a2eda259a02edf6c2299ac311ca75c25f05cc0e171aec9f6989f21f80debbe532258271fc1d3f79d0d3f04bae0fad188a02fa4900b6c28fb171ad749ec0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\prefs-1.js

Filesize
12KB

MD5
304c2fa3f28cf3c800f21442912de137

SHA1
73e45f9840017355cc595152949638cfb65f78fa

SHA256
b327ff2bb09421966851169c9bec67a33acbf15e86c898fe28c2ec02f2c91c8a

SHA512
7d235ed43641a86faa9dd61cd908ffc82d042df4537c2961b3e488263232558948a824e3206e16a1d8c2eb3d8056d13ded71498c15ccea2654306c8bbcb13abe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\prefs-1.js

Filesize
16KB

MD5
88d02f1de5367c85fbc5966197950498

SHA1
930d087bf0d2dc29d6d9fc00ea06644912ba63fc

SHA256
b94ea2de932b4796a5934759f834b5890bff97e50ae651e5e3228f7c0afdeec6

SHA512
6c1ba9728fac2bb537961cbb9abc88d53d3ee6e37b688c4383df8fc27d79dd39acf8bdb56d093c8d706747f6b7563923801bd51c0b5aaa30b75c809c5363605e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\prefs.js

Filesize
10KB

MD5
13b7f4cc3bbb6e59743866fffc41c672

SHA1
bc5aa488c5294d383f65b63af52bf8a3c073e328

SHA256
c3ee313ad5006686703650cf6f78d1b5d7c2457217431d19db7f22d151bd0bce

SHA512
d3b9ccfb73a1301a376477abcfc84eff97f3096441eec54136c153e0138a205f2f9430c63f6a7c86d2bd98f106f185c9404c3c6183c1588cc5a584212c737b10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\erhtqml9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.2MB

MD5
aba02d5b02437dc7944832bdd9a07e8a

SHA1
b26efc692eb30a4a1109474e3c95a1b56556c880

SHA256
ed4efae4f239fc456ceeffc7ff061e46e979833f175f859d76721550feb9bd34

SHA512
7979bed4408282c49291842158d4ffaeff809168379a67aa22ec6d4924287a99a9a0b6cb319f0aa192278ddea346be2ea4317405d5c6bf5c4db4ed346b01d439

Download Submit
memory/4292-1752-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-2497-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-356-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-383-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-347-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-0-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-2-0x0000000077262000-0x0000000077263000-memory.dmp

Filesize
4KB

Download
memory/4292-1-0x00000000FF7B0000-0x00000000FFB81000-memory.dmp

Filesize
3.8MB

Download
memory/4292-357-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-1219-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-362-0x00000000FF7B0000-0x00000000FFB81000-memory.dmp

Filesize
3.8MB

Download
memory/4292-2504-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-2507-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-2508-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-2509-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-2510-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-2511-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-2517-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download
memory/4292-2518-0x00000000002A0000-0x0000000000D8C000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads