55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08/08/2024, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
Size

3.1MB
MD5

238fdbd7023be1504decb5e1faa4e47c
SHA1

a8fa01acdf1f707a67da2d11bacc8f826e5edc47
SHA256

55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504
SHA512

96f74b830737b3df74db4a912bdf3345484012a2a74017ed3b273a0352156fb9d1b856d5489af68e80bd8ebb73b5e10c1655d348114b100a09ece2c5cafcec58
SSDEEP

49152:I+649zXss7UgfhB9wxQ+gXCIXSCPiVNDDSmfxc0x8Lay3uyi073xT:bzz8i5+xBUXpKVbfxc46x

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/240-377-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-388-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-389-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-591-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-1489-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-1877-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-2571-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-2577-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-2580-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-2581-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-2582-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-2583-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-2584-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-2590-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe
behavioral2/memory/240-2591-0x00000000004C0000-0x0000000000F9D000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	firefox.exe
Token: SeDebugPrivilege	4552	firefox.exe
Token: SeDebugPrivilege	4552	firefox.exe
Token: SeDebugPrivilege	4552	firefox.exe
Token: SeDebugPrivilege	4552	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe
4552	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1880	240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe	83
PID 240 wrote to memory of 1880	240	55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe	83
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 1880 wrote to memory of 4552	1880	firefox.exe	86
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2836	4552	firefox.exe	87
PID 4552 wrote to memory of 2816	4552	firefox.exe	88
PID 4552 wrote to memory of 2816	4552	firefox.exe	88
PID 4552 wrote to memory of 2816	4552	firefox.exe	88
PID 4552 wrote to memory of 2816	4552	firefox.exe	88
PID 4552 wrote to memory of 2816	4552	firefox.exe	88
PID 4552 wrote to memory of 2816	4552	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe
"C:\Users\Admin\AppData\Local\Temp\55e775c717eb8360aacd9f6985f50d49159362fa32600cc3cc204462bb464504.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:240
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d0cbd90-6479-4efc-897e-2c9331a00567} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" gpu
      4⤵
      PID:2836
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {486d519f-5034-401f-ae40-7c50976a30de} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" socket
      4⤵
      PID:2816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1424 -childID 1 -isForBrowser -prefsHandle 2524 -prefMapHandle 3004 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62272b7f-4ab7-450f-9317-583f204fc522} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" tab
      4⤵
      PID:3624
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -childID 2 -isForBrowser -prefsHandle 3216 -prefMapHandle 3256 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a444f1d-0696-4604-82cc-f9592741a3b5} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" tab
      4⤵
      PID:1384
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4832 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b402eec7-8264-4265-be2a-f57d1982e266} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" utility
      4⤵
      Checks processor information in registry
      PID:784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5428 -prefMapHandle 5416 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea2bee4c-4967-4a01-b468-8dba9c45fd3b} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" tab
      4⤵
      PID:1308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 4808 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ba07c25-75e3-4a95-9ff9-d5e84206eadd} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" tab
      4⤵
      PID:3352
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5792 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59258c19-42a0-4c7c-8090-813e93e3ca3b} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" tab
      4⤵
      PID:3944
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6224 -childID 6 -isForBrowser -prefsHandle 6208 -prefMapHandle 6252 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48318596-59cc-44af-ba86-3f53aeeacb70} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" tab
      4⤵
      PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
d926b284bc8b6185368f7668418dc4f9

SHA1
43212878389f5fab7f071cedfa51cd91546305a8

SHA256
a4c23016eea99642af16a76c105133d183859d0124cb3568d399e20854443a05

SHA512
905d0724d5dd5349359cc2674d4009862929dc6b8ecac8c2565dd892c1fb1ad8d29524941592c9943bde0afbac7bdcb02de3d43c4982f5a71d7aeed3ae5a6126

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
f18d4149dca8b68ff05ac47b047e0c24

SHA1
e47c3a4d00bbd0282ecdf360b36a226b5fbb2190

SHA256
221dda3755761f2983b0e82727f6a740ea084cfa8a5e2faba9a65f903d6ef263

SHA512
62dba421b734a2b4db6814d2607575bb721f06596a4916399bd13fee1ef4ed5e5f24ea5496aba99acbd73995e419aa30ec8171ce570f0581564eddb6a1c2b57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\AlternateServices.bin

Filesize
10KB

MD5
de2731a2784954c5eb27634fb9d4e634

SHA1
de6b1dc3bc454758df5b10d3c94da9cf55612af4

SHA256
e7fe0a26cdfefc017d8731f9384165b8974a62b50013c0f0b01ec01f76230a27

SHA512
6e011f56af7af9c1a4b681c45afdac72463d4be7f2c3e2e637ed91b735001c11c474ad0bc4d6a98ce49c413814474c598d82c52cf93dd18cd8f2121358c802d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
b141c23f443bcfe6d08cc712671e772c

SHA1
a67b22149f185c70e45dde4eaeb85c0c33e0bd71

SHA256
e9889bf7fe391508f5285de2a15d79b5002c13c2b0daccf260a2f72525e5fec9

SHA512
b9721894fbb431bc3a6115f69af7bbaa9ba1583011132fac5b580dc041e07448042b2f7e0a79665285e9d790aaad34e53a0395f7fdcc0afa0a9a2cd4df1b6675

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
7811dbb4fed337d6db5e10cde3b65b33

SHA1
805515e9a3c40e945263db48fbaae2fcacb3aa39

SHA256
aa20d0683f82808c9fb217b498a8c4296dfe1d52d25fd9f4996591a522ed14e7

SHA512
1311dcdd450003c69cc74b4c402e737b46210fd8ac243e3631e1e8f33a88776cd195be973ec660d93bd84273628bd0319d2962647a713c80e8d1adb99de90919

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\02d44711-0d6c-4eae-bfb8-f42332970a07

Filesize
671B

MD5
5c73bfa6bcdfedcc5d34b91d355a1e5c

SHA1
5e48a0cb5814d1a9563fc605669ddb0f9dce1dc4

SHA256
c481d768884cc12eeb3bd0d1de58c4eb342fc870e4a81e67032c1a2d4e8af68c

SHA512
39117930b1170176281c42ec5dff88217a96164f9dddaf9b495b422330a035b90de3b4ff652c414964abc34803530514732973fc382c1c745189f802edd9e9ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\54c0e472-17e9-407d-b08c-1d60537ce92b

Filesize
982B

MD5
bd5c4a7bfe0d18d1384ea2855e7ca7bb

SHA1
2baa41a5dad1af850732d1c73d2bf9a54cb49808

SHA256
39f32a50c89f294133cc2ae6c6f71c4c7e883171e5064c4e637456a5ab757ba7

SHA512
9b3c93b7d4a91ca2b6762d858e0a66e0e97119b6d735a41c5f33ec99c5226c4abf5a0c002a808758658b9cd63f10f16665be465ab80f63fa91252ea24173c198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\f9c24191-94c5-4504-9e97-7e18a1c0c956

Filesize
25KB

MD5
68ea97c1808d8096db40d2cf55f29ab0

SHA1
1e26c1950ef53bdab11c56f25979e3918b4a9a55

SHA256
c1bab6fca345e5fd46de1009e1431e5a4d6279faa3140ebb0b101ec9c5c6a757

SHA512
2f3d227f12185193441cb4166e0fc6dc069ab8999eb8f93c64a4cc469e868b686929dedcdfd2eb74e4bca8e96d3f827b018c8edbb2d72844a35d762e7f2b1324

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs.js

Filesize
11KB

MD5
bb086cfe1e1f6b303c45b047a792a484

SHA1
76fec88fdd714f61f3be185c42718694c1970223

SHA256
5c7a3f14a4e55254ffeda6f2c6d29e7bd0332de97444556e1c7005fc28994922

SHA512
3cafdd967c5cfe492f2fa8500761b915acfe216d96e9a628b22980ebcfb8832d9939cf2eeb7c8e2c8ba443e5fd775759d0dc0a0531c8429b1214652764c20b57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs.js

Filesize
12KB

MD5
5e06e7ae7784ff1ccc34590e539cfd5e

SHA1
b71025fc8a9a7f1724705d8bba2624dbdbb69133

SHA256
ca4569d41201f51d90016e50a5625321be83dcbfb3feeb9630a980979988df92

SHA512
57c4ea8db0d354ed33e6e43dafb8308af0c071082ac105c4c3608aa2e1be1fc216b1e184b64aa08410d2f99322d5e871bac2da1162647409eb2398550b48c0df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs.js

Filesize
11KB

MD5
074ae5947316ecefadf820be7534afd7

SHA1
7cc1cfd86a39b2212f242d868d30ea2517c7fc57

SHA256
d8b56b621a59d54a86c38f5a22f023c3a57dace8329a5ab95afb808ea93f35fc

SHA512
4316e1015490668c01bfd858ffa511df56637436c775fbafaacfc8fb2c644a26630e18e0917294b66ce04c3c706e3cc6c02e3e7b18439c1a7d3ffe69529d237f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.1MB

MD5
b2d75f964bd1d7c9a4f2982125060111

SHA1
aa19d50fac35888e7d56d43742e3981c431eee61

SHA256
8dd1ae3704c7ee2fa9b97e0d0fb979575ab87bf7934e8becc59b23db2f115ff3

SHA512
b8ba6b179ac5898ae0c8c4f88bb921312e56d7d0af24ff4c5ee9f99fffde3795542d5d15bbf5584aeb7e4a654d49a0b22c2557d3a7cc89f47f60f96961fd5dc2

Download Submit
memory/240-1877-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-2571-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-388-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-394-0x00000000FF970000-0x00000000FFD41000-memory.dmp

Filesize
3.8MB

Download
memory/240-377-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-591-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-2-0x00000000770B4000-0x00000000770B5000-memory.dmp

Filesize
4KB

Download
memory/240-1-0x00000000FF970000-0x00000000FFD41000-memory.dmp

Filesize
3.8MB

Download
memory/240-389-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-1489-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-0-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-2577-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-2580-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-2581-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-2582-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-2583-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-2584-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-2590-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download
memory/240-2591-0x00000000004C0000-0x0000000000F9D000-memory.dmp

Filesize
10.9MB

Download