7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
Size

3.1MB
MD5

3fbf8e562fc9bd7e1aaee9cc8e0a46d6
SHA1

c905f30afdccc6d7a35ff94bc3312fd6aa699a86
SHA256

7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6
SHA512

799ee93198e9da8185b01bd9afbe75385212ea58ae4672fc3c7912af6db5d808c1866960ce900647ed0b72a7ad65cb408f00ccc163253d8304de4a5946cbd743
SSDEEP

98304:LHDgQwTph20Uef2xNfa7Xz7AeRspYup2:LsQwTph2xeONfSzDUYup

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2104-344-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-355-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-356-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-419-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-1298-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-2384-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-2462-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-2469-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-2470-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-2471-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-2472-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-2473-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-2474-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-2481-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe
behavioral1/memory/2104-2482-0x0000000000AA0000-0x0000000001589000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3384	firefox.exe
Token: SeDebugPrivilege	3384	firefox.exe
Token: SeDebugPrivilege	3384	firefox.exe
Token: SeDebugPrivilege	3384	firefox.exe
Token: SeDebugPrivilege	3384	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1976	2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe	86
PID 2104 wrote to memory of 1976	2104	7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe	86
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 1976 wrote to memory of 3384	1976	firefox.exe	88
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 1520	3384	firefox.exe	89
PID 3384 wrote to memory of 2624	3384	firefox.exe	90
PID 3384 wrote to memory of 2624	3384	firefox.exe	90
PID 3384 wrote to memory of 2624	3384	firefox.exe	90
PID 3384 wrote to memory of 2624	3384	firefox.exe	90
PID 3384 wrote to memory of 2624	3384	firefox.exe	90
PID 3384 wrote to memory of 2624	3384	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe
"C:\Users\Admin\AppData\Local\Temp\7016e51b381e388a9c40161b54de1a10cf649cd5fedd759f86c87c9df74be8f6.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c9a0939-3ee7-4b0f-9944-ca2b5fc3234d} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" gpu
      4⤵
      PID:1520
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f9509c0-b3d9-428e-85e4-2633820e60e2} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" socket
      4⤵
      PID:2624
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 2992 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5647ae78-7e77-4812-930a-ad4c4a7f8dd2} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab
      4⤵
      PID:5064
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 2880 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fb076e5-7a71-49ec-a33c-e8ade7e74fe8} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab
      4⤵
      PID:1824
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4700 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f1d2d5d-fb46-4902-a30b-cbf691091df6} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" utility
      4⤵
      Checks processor information in registry
      PID:448
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5348 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9b53587-7d83-4589-ae3e-67d591b54a9d} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab
      4⤵
      PID:4484
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {707002d9-2dfe-4c5f-87de-55a5284f59c6} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab
      4⤵
      PID:4132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 5 -isForBrowser -prefsHandle 5716 -prefMapHandle 5724 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f362eb3-70e2-4395-a659-9b2ba9fd332d} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab
      4⤵
      PID:2668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6248 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6264 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c40ff3c5-0728-4cff-868b-80efae4e983d} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab
      4⤵
      PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\activity-stream.discovery_stream.json

Filesize
23KB

MD5
be61de713e7a0cd29079bbe75b34e6ec

SHA1
5883202e1d8cd2dcfaf9c1c673fe2d8db23409f2

SHA256
2c1fa964ca4635c57f8d689544ee5f168588229750d0f05f1888a6da84f227ae

SHA512
0204713c208b6f8ec35f1a31d7ba8450a86c8004d24d96c4054d4dd25ff7c8b912cde21abccab6168115610708745a4e3f6666f8d2d0d5cc19133e375d627be1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
d5721a5cff0570fdd44eda375fa2936b

SHA1
d4f8fa40450e2f5d20440fe51e2a4dd5d0d3e172

SHA256
85a8b61b9a5e7ca71fc4174d7d031fa21242a1f7780bffc2eb57e398a9a884f7

SHA512
ec259bd9ea21ba829cb7f9dfcbfcfcb0d7cca37cc02c9c039c0cad2a9ffbdad1144e475e1850a752ad7aae5800907b40dd9481c9730afe5dcde098fc25260ec2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
c56a600a771a8823c0fb50b95780f180

SHA1
01f6892192aead6b8dc40aa04c7512dba5dd81c1

SHA256
0c549bc9418727dda6b81c496b7a8a34049947c6de9b74f36aa5081d5f5d55a7

SHA512
add5b31dd98c646038258b39be4a9ebe20c46a473e969899f63dfb4b7bb22e431fd995b8ec0a6942690764bd77d922250d7a17f7e41bfe39e5d83373fba53926

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

Filesize
10KB

MD5
161833532caed81bda8cc684140c5c6f

SHA1
fad42e53a22963a93d81bd294649928f9064ac4e

SHA256
15ddced6b9136f2356be627d03b203a81a0663aaf7b9b2f2e413dd8e93e83f26

SHA512
4f282a0845870c00c96a4c7e4b315657341e7ab290354b875fc760737f834e02f75356a94bf421a5b74a7a072de45463e9f8ad35bf9ccbd1d379ee0bc9917ed2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
55a700778692620c16302545d7de2b1b

SHA1
0c6605aa10a6c8ab4d6438f31f26df9245556147

SHA256
14eec3e634c1bd64ea58f5c66ee4360044272c703322f3ac35fb2cd64a544d87

SHA512
742460764153417c17ec3dca315b622a57d5864069086496b551b2372fc360ab7ab05d207adebaee56b87233cf72e80b7a74446838778f32d0eaba0661734f02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ea3b8b1e941bf24ddda83f9511969356

SHA1
db6fc2be0684f83e0334787a8733811ebf272438

SHA256
b0d3c18cd3966c7668fa30a2e4c61dbfd4c96fd8fb72d1140366702fd57cd8c9

SHA512
474b6871825292df1db2fc39f82a5f92e3c27caf6cbffc1820d28a0f0ec678933d226267557fe2ed6b6e8a06dd43f5dcc9351882bb5f2806e52e76e48d835b9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c84aac45c194a1755a408bbbc1c9d961

SHA1
b75b48d82023e86dc5cac817af69fbe64879e465

SHA256
374ab905d1320ec9e7eab437cbc4e6ed2fd730fa05052324dc3042b917ae5d50

SHA512
d7c19afa0e034ab414a3e1780359d10726d64ae708c95f6cc11a9b9b0290e078462016015cda0614c2cb1103dbb3edda98603d6c2405dd368a5e5e96a0e5b492

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
cd1895f506b5fcc0b96c4a311547a867

SHA1
39aa9e04c82a66dea7cebff4470c6dad73cc3b2c

SHA256
6c2f067c5fb5895e66f9f3f7d7ade1a6fbea186782a29cba7015d150829d2e75

SHA512
c70582b24d12c0d39f2b7cef40b40337c512df66041851bc290f9a20240c922c72d1d7392fb1206d4ed5fe7577ae2c113ebd19ac15cbdb4cd83c1c75127d6c6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\16c6ddbd-1ab6-45de-add2-5c051736613b

Filesize
671B

MD5
b3f7ea3e8902932e97e22b910b6abcd4

SHA1
205d24678edf14ef9ebf7a07e53c048ac328393c

SHA256
a185dedfd01ad9e3629fb2ac2e611e6654ff2d8c7958bc2a80311d2c6ba42091

SHA512
8b1e5219c63aef246e8da886772c99f1b8455eaad48eb43aa84d10d70cad72c5c2c7b140a47386fea7c8de4520fa06d77dc15d7e7058a95ebdbf98ee2ad7cf1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\1fc6106c-6569-4ae9-8655-24899d273fa9

Filesize
26KB

MD5
976fe4b2c74c3356ec46cddbd0a59402

SHA1
78e5644fb603247eda92cae9ddfa34a03adf35f0

SHA256
f9e81bd72eb74e94c8cecf6a4168904467c4954057ee6adb27373c4334a5e038

SHA512
3804f141eb399652468b9c15880855caea314e3b9e454d9976aa1cc9a74384c49cc526abd0d61be7c47a6c9bbdc94322e679c983c583480fbed21553ff20e3dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\330e363b-1174-48ec-bc0b-a68348cf83d3

Filesize
982B

MD5
f3c5c38552e5fea288278cfd23046ced

SHA1
610cccd584b3e0afd3ae5997a60d9c2dfc5b75f6

SHA256
7de09085d5fa41b97623e422a79228db781ef6fb71606116cffbe58d7d1d15f7

SHA512
0a0cbd89379d898942ed1117d7a5bd5326353435b455a7e71b06643447cd36236622aaca341e577ae3524571d0ec80bb33f1ac773145d88a157862364e187082

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

Filesize
12KB

MD5
230103e08eb02b4890064ddcfae3fa2a

SHA1
5fbf5a012abaf33e7a120fc63ea9e4b4eafee724

SHA256
fefe15538dafbd8c18017b26283730501e3b1a9f8d0e5eb73fbdbb308687cdef

SHA512
894c879ae71c75bb149422e1160a93cdd17179b62bb2d61ddad7146e7d11425da08a1c0b64813d8d1c98b0dd138db160fc7cba392150243eeee614534020d989

Download Submit
memory/2104-1298-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-2462-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-361-0x00000000FEAB0000-0x00000000FEE81000-memory.dmp

Filesize
3.8MB

Download
memory/2104-2384-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-2-0x0000000077402000-0x0000000077403000-memory.dmp

Filesize
4KB

Download
memory/2104-1-0x00000000FEAB0000-0x00000000FEE81000-memory.dmp

Filesize
3.8MB

Download
memory/2104-355-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-356-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-344-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-0-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-419-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-2469-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-2470-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-2471-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-2472-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-2473-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-2474-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-2481-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download
memory/2104-2482-0x0000000000AA0000-0x0000000001589000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads