d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
Size

3.1MB
MD5

d4c54ce93995dbd6e25e0b36bd9f52e1
SHA1

e5b24d0ae296e4dbf749f5d27d77d6906f8b7cff
SHA256

d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6
SHA512

8fff30ecfcf4317ccd091fa2b6ac3f8792076f47d95843cadbe062a3dfe1b4e5f21d65f1c4b4ac740d78df1c07e0008cf26ccef72b9599b9c66c926d31c1adf0
SSDEEP

98304:Uue9ePEhefj0b4j1YYqyQIEV+JJq7VFQOxTdhyJmk:Xe9ePPf31x4/7VFPEv

Score

5^/10

discovery

Malware Config

Signatures

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1772-353-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-362-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-363-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-508-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-1356-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-1546-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-2379-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-2506-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-2509-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-2510-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-2511-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-2512-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-2513-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-2519-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe
behavioral2/memory/1772-2520-0x00000000009C0000-0x00000000014AC000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	firefox.exe
Token: SeDebugPrivilege	3908	firefox.exe
Token: SeDebugPrivilege	3908	firefox.exe
Token: SeDebugPrivilege	3908	firefox.exe
Token: SeDebugPrivilege	3908	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
3908	firefox.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
3908	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 4996	1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe	83
PID 1772 wrote to memory of 4996	1772	d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe	83
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 4996 wrote to memory of 3908	4996	firefox.exe	86
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 1224	3908	firefox.exe	87
PID 3908 wrote to memory of 4832	3908	firefox.exe	88
PID 3908 wrote to memory of 4832	3908	firefox.exe	88
PID 3908 wrote to memory of 4832	3908	firefox.exe	88
PID 3908 wrote to memory of 4832	3908	firefox.exe	88
PID 3908 wrote to memory of 4832	3908	firefox.exe	88
PID 3908 wrote to memory of 4832	3908	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe
"C:\Users\Admin\AppData\Local\Temp\d5332992fa254dae7b44e58b14d99de0efec86a6d5b233268e188525bcc89bd6.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1764 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfb22ecd-36ce-4d94-8bc3-00ed03113fba} 3908 "\\.\pipe\gecko-crash-server-pipe.3908" gpu
      4⤵
      PID:1224
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46a2526c-d466-4219-af34-c5eb57865a38} 3908 "\\.\pipe\gecko-crash-server-pipe.3908" socket
      4⤵
      PID:4832
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1404 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 2820 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c4ee4e1-17e0-48d3-a1a4-139e3a775633} 3908 "\\.\pipe\gecko-crash-server-pipe.3908" tab
      4⤵
      PID:1412
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3416 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57f71d23-94ef-47c4-82c6-9f08361b399a} 3908 "\\.\pipe\gecko-crash-server-pipe.3908" tab
      4⤵
      PID:4700
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4544 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4540 -prefMapHandle 4536 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60be3318-2a57-4a9f-8119-2d43f61c35b2} 3908 "\\.\pipe\gecko-crash-server-pipe.3908" utility
      4⤵
      Checks processor information in registry
      PID:2592
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 3 -isForBrowser -prefsHandle 5452 -prefMapHandle 5448 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bde6ece-17b0-4c0b-b4f2-48e90e40d3e6} 3908 "\\.\pipe\gecko-crash-server-pipe.3908" tab
      4⤵
      PID:1932
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5572 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d04552e-ec0b-4f71-935e-25b56846160e} 3908 "\\.\pipe\gecko-crash-server-pipe.3908" tab
      4⤵
      PID:4456
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 5 -isForBrowser -prefsHandle 5872 -prefMapHandle 5868 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d997d847-1f5a-4253-9b5c-ae51659ccfca} 3908 "\\.\pipe\gecko-crash-server-pipe.3908" tab
      4⤵
      PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jruurh6d.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
5dd11e2c98a8a4f5d214404fd868b974

SHA1
d4aacea99610ed94bc1f04b7ae63f27e2069d7e1

SHA256
a462484d2cc87fd7601ca1323a8f51d69e692a30514fb1cd56f3c1442b7a4064

SHA512
1617802894b6595fcf5f213bd8e4a70e05e251ee1c17975292364be8dc90d5c3bebe78cec11dc5f1eaebc22023214e368ffa3cc54c56ca1925da2120639e8252

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jruurh6d.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
f3e2986c37cc73dad382a7554bb174a5

SHA1
dafbaa7c4ccc92bd3787c77802f68253e2939f5d

SHA256
3606ae41d3189a1daa84446a33e540096149b9a5c95a124c926f56cb579d582e

SHA512
070fe64f8a1af9f3694c55b93a56b1655f53166af30111861640e24e7cea93423523ac0becdc6f3f7ee0e0cfd595b3fed29f406bcc6786ed2dfeb4ee37c25bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\AlternateServices.bin

Filesize
8KB

MD5
a74f3e48bcdc14676b9a2e179b6187d0

SHA1
b00514703781d309ff96eecec0a5e15f64c08f39

SHA256
9d4173ba0fb6a654f43ab637224dba2209da1e0b5b0d47bf9c0f98209930f1e3

SHA512
d258e2c06554c5c3fa5c7de97e54150ab6b5db68e6d9f46692ec4c0170b94bff0edbf2b0335493250576fb9ab3ce408ae04c8d0fcc562a15bd172d6a76581002

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\AlternateServices.bin

Filesize
11KB

MD5
2348bb475d86d741f596e40c84409b60

SHA1
113a4967aa806e4eb69924e194e1b113f618a3ce

SHA256
ce7671a2384c1fa8e5cb2a1fc09c833c80dbf6343af84c4d7059b5f09b1f606c

SHA512
df1694cc05920738b3496751bb9a5f3e533d06b9a23381c9ac29279e7998ed871310b7e57f5fe0389344aea3471fee72343992692c4053c3c8f66b04fea29936

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
94b84a9e96b21b6e6a77957881cde49f

SHA1
fe146158925d645c1aec733b47a15f9db6f0447b

SHA256
6b41853f9a117af3357bd0ff6ee7cdf9342f3190dd69d7fa56a1721dfdeadae1

SHA512
28b5649c3d67b1adef08b684d923f6e6193c7b6ee428dbb4727142e5bc70a4e9b2d6652ff799e48a14cac9c63dce8e89f1649bef9230ed22619e7faac18a33d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c43f585aca8fa87b9cbf92c83d8146e3

SHA1
bae618422680767f9991ba74134456b7194963e3

SHA256
52724acda87da04b731524346200ed7851a988da038002d702b9544835aac40e

SHA512
c4751b8fecd489b6983cbd5850966b1524658cc3f4da4182e483ab472d72c98c91be6c3fc7a60fdb5fba3646fc818b96d68d3d307ccae0219779754c9e297b79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1bc1e90cd097639eb58c41ed6c1923f2

SHA1
181f79813aa662b548fd6f9e78e2568fb6024d70

SHA256
bb285a91383894b668167f55ed1e877a837cdad3407ca6d36afaa0f49cf411c4

SHA512
33d41d8d92e57d0dca5d9736fba74f21477fd2c6642452c2b109244bc91785ba96da7f1bfb8ec6fb033fb07e2919adf4b7c050c68adb3e8ed63ebb521c2c9d4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e454e17683dab4ceb9dfbc93ec8e16ad

SHA1
abdb0008fec0e820f8aa8d7df5952baae3b95e31

SHA256
036f80118f5828e33ab753bc0b598b9180fc4972eb3acbbcf780c79b7da3e252

SHA512
89e7fee92850a2be2ce483bfcf98945208a0f63a0362e500fba038bb65bff1be01b5a547464e431aa25a5d44f69806d7cdc436327417f64274ee8628f987eca9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
1224467451d9e5a3c0478816de09d130

SHA1
09fd3fed66ff01cb96fba1798893e1f7884c00e7

SHA256
dc7003c58768b24feeb1ba41b027cd6ca620244e20b2d0f1bd298d375ceddb5f

SHA512
a148ab049be7bdbbf61f1dcd345a21945d97dd6c619ced5494b6d0c946eaa1f63906e8aaa5a7f4c25abbd00345c623d588dd90f67df3f418b9d26cfa385f28e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2b4eca5f3c52d16f3fcf2d046245d151

SHA1
9501ca994fe7e5fcc5589d8387e2ce9133f2943b

SHA256
0a0657bd5890f8bcaeddc3daa924e6de1d7dfffb3eee98a676d856d9ca343e53

SHA512
edd013154d951b9164a8c890fc5da0239a996787f9ee1e1361d2e8d7d56f9c40d35aa8218b6b882637d0de4b40bb6548c6835ce562dbcbc824de583fe011cbef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\datareporting\glean\pending_pings\707b53a5-3109-4fb8-89af-0f1213c53c9a

Filesize
982B

MD5
57aa29867293d514b5db2cb5e8dc7132

SHA1
2531515446ed85af4fbbd9720635008ddc21be7e

SHA256
6b113fc0a5fedf0de49b9f966e7fedcce46e1c138bc8cee2d5ba46d7e31b9364

SHA512
4acd1af69d6bbfc1875b475149ae4505653e781432988335a85c496868405b468a58d3da0a0e78584e4c67d500d0d12c7b4067fda0dd7651ff8c70a7b3c039d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\datareporting\glean\pending_pings\d3e1fdcb-72b0-403d-869e-eb1f240b4ffd

Filesize
671B

MD5
ac9c242c617ee98d150c79ca06053c40

SHA1
cff3e45e50f0bf751a527827183c9810ed321fe3

SHA256
40e6c20d1286df0beb7b974e2924ffeaa0b050c16eec5d3ecc3dc0cc938fbba9

SHA512
9dd93cb06e510b2da52e39baed9ab6cfd5b13e23bc59ceefd297b639194f70ae1c709d1e6aa560ddc65d1f3e8dd08e0ea07ff4b2b80cf1299bc12e6c5f42d11c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\datareporting\glean\pending_pings\e2402e80-61d9-4d06-8c67-2cfb508d5aa1

Filesize
26KB

MD5
3afff9d8cdf82359ed46aa25568b4adc

SHA1
143115e8ba5df483b9d50a40858b5a1074e825fc

SHA256
f30e4897bf8ac9deda467a38384b9348e56f97525d6b5a1a6a65e56feea2c3fa

SHA512
ec635ca8148804e286323e1ad3e3b75d4814043c297afdaf5166ef1d9a14fe77e87b5dafd01e6d5f53678f225e3477bf4fa1e974e33f565e23842e847fe50371

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\prefs-1.js

Filesize
12KB

MD5
58a5965946da84a1d3b879fe386f044c

SHA1
d24338203b4a11170a6cbaf7ca9cafe9b3a2ae20

SHA256
48db013020c665516472f33d55ff8f19cb5fad405b516a5438f142b74b36a30c

SHA512
1052694e339ac11da48ee35efa63c0ba22ceb2553513ec4010680488b32fc01b0b13f7662461451d35e716550e35db84ba1b9335ba00ebb658e4f930f9012617

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\prefs.js

Filesize
11KB

MD5
b81ec7ba8bcba4a7af11df93fa230d39

SHA1
e5fe4a0ca2b377184858b7964c860c4b2cc07812

SHA256
0f1bdcc8363456c211b46a27198c59305a64d22476dcc0970f5a3b5a5ad55964

SHA512
8bfce4ce0a10450bfd82ad08fae5580d583fb74aa2ec83c40beed7a022083a45f13951e45f3b39e1e0b869c5da5991cf62dac89795f9b01eeabc195947d19807

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jruurh6d.default-release\prefs.js

Filesize
11KB

MD5
5a27bc268b05f174043c7a8043e924b6

SHA1
87f2f9cb7daac094530f0eaf563331022e6059b2

SHA256
681bd9ae93aa23c06406b571d81807823d704418a3cca3a8906692f281b7a313

SHA512
d4b861ff1c3737b191707fac561ac1299163211c547cb2a6c1d0d7546484333516bdf5fbe10fd6d37249ae53a5523d18e2f7f4cc4fd5f432f590a3680835d68e

Download Submit
memory/1772-364-0x00000000FF380000-0x00000000FF751000-memory.dmp

Filesize
3.8MB

Download
memory/1772-1546-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-363-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-508-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-2-0x0000000077244000-0x0000000077245000-memory.dmp

Filesize
4KB

Download
memory/1772-1-0x00000000FF380000-0x00000000FF751000-memory.dmp

Filesize
3.8MB

Download
memory/1772-362-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-353-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-1356-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-0-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-2379-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-2506-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-2509-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-2510-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-2511-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-2512-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-2513-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-2519-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download
memory/1772-2520-0x00000000009C0000-0x00000000014AC000-memory.dmp

Filesize
10.9MB

Download