c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
Size

3.1MB
MD5

8fafe7f30697a37760bd5e7c8af6cc04
SHA1

d2e6ea8811b095f84f837bc819f6138507ad4070
SHA256

c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a
SHA512

2d145a60f3d9959224d94178eb685a13cb00f815ec9ca306f231a7c740b0e73a6b965886da11c65e5c3a6b813e9a3f8da06857f857e753f43160bc0657f2afd8
SSDEEP

49152:V0HsYSFbiGpaf60xTLKouAq2pRLHmWuRR1fQk2kwD0w/W4W:VNlex605vq2PzzMXrrSW4W

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4668-371-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-382-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-383-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-517-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-1319-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-2495-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-2498-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-2505-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-2506-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-2507-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-2508-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-2509-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-2510-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-2516-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe
behavioral1/memory/4668-2517-0x0000000000530000-0x0000000001015000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	firefox.exe
Token: SeDebugPrivilege	3788	firefox.exe
Token: SeDebugPrivilege	3788	firefox.exe
Token: SeDebugPrivilege	3788	firefox.exe
Token: SeDebugPrivilege	3788	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
3788	firefox.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
3788	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2928	4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe	90
PID 4668 wrote to memory of 2928	4668	c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe	90
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 2928 wrote to memory of 3788	2928	firefox.exe	92
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4704	3788	firefox.exe	93
PID 3788 wrote to memory of 4484	3788	firefox.exe	94
PID 3788 wrote to memory of 4484	3788	firefox.exe	94
PID 3788 wrote to memory of 4484	3788	firefox.exe	94
PID 3788 wrote to memory of 4484	3788	firefox.exe	94
PID 3788 wrote to memory of 4484	3788	firefox.exe	94
PID 3788 wrote to memory of 4484	3788	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe
"C:\Users\Admin\AppData\Local\Temp\c6ac7f49caefba145a20281ddd359bcb645a95a4328e1dedb63548edbcb9227a.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e515791e-4306-4b5a-83af-ff00d8053060} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" gpu
      4⤵
      PID:4704
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cce9e9b5-e534-4874-b814-fc3499dd4185} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" socket
      4⤵
      PID:4484
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3236 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ba8c99b-96e4-4db4-aa46-245a327fb756} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab
      4⤵
      PID:1796
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3980 -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb7f65cb-d6aa-4b44-8efa-1aaea62c90d1} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab
      4⤵
      PID:3736
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4892 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4864 -prefMapHandle 4816 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {feab4769-1ab7-4428-9d07-d011d7cfc406} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" utility
      4⤵
      Checks processor information in registry
      PID:2376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 5256 -prefMapHandle 5240 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {588ece6d-f972-4437-9942-fc52df30ac81} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab
      4⤵
      PID:5752
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5484 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4821b29a-d807-4189-b1ac-28ca41f07162} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab
      4⤵
      PID:5764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89774222-ac2b-4937-91c7-25556e039d4b} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab
      4⤵
      PID:5784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6200 -childID 6 -isForBrowser -prefsHandle 6204 -prefMapHandle 6196 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58c71f8f-b37c-48f2-8d57-37c91fd16978} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab
      4⤵
      PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

Filesize
33KB

MD5
f7bb363e11af73e30d064869df846fe6

SHA1
0da3d91d896eaa3123d096f72a3da94cfeead1f2

SHA256
4d1fb8a65d68a1dd23725952df972d3680f796e1a948a5a8563421d2268028fb

SHA512
dade058bdade53898e80ae28061f9375429fee96e14b9689e80bb1bdc6edbe3d4eccbe674e38db6e9b5fdbd10ab2dcf45441480d0f1fba5aaebe99acfc039dca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
573665e00fbcd6651def39ca9b5af78e

SHA1
9a64d95dcc567fc704ee4784fa13a8a08db5f797

SHA256
f3dc5bdbb1396be2f45d8a9dd3d26baa60130b706a82b49e1100c2dc09dc6b84

SHA512
25f9b960aa8d4b668087805d59871912c57ba0ac62d3e1528c1f8eca85096baa044ed32caaad8cef9d840a547333c3880b8a5cd423314878a53ed6eb43b20bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
10KB

MD5
574ce4f1b090f9728adf6f487ca6b69f

SHA1
4d9510a046db37699f7df1b3808c802a70038549

SHA256
1aba092c1cb568d7c36791bbf6ca7c0bc1a4ae33355b2bcf5ad36dfb8dc0df0e

SHA512
70735042df207fd16ad920ef406a38cf5875365b4694a537634d59e238c6b7675cf3b12f20aa5a45f4b617a7dd0f10af1480ac06a507e7d72ab0dcab8f4843d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4483d7db28acc0fc7f51ceaf386631f3

SHA1
7a7a6667c579b9cbb72418a5c5103934eff30917

SHA256
4e75517fdb6a171b4b648db95621bb449fe30454230b0fefe0674e7f39c16e6a

SHA512
941ce480397c0e4a667b449d9b1d985ca6c3b1bb3db2baa3370cc91805cc7ecf5b4bcb6333292ac7daf17002ca9de2f2856964d0e237508012b055e8d091adf6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
fe60dd3618af74e04f5ab729096adcd8

SHA1
94bec27f5ddca5ff52e1b4b17b94ae24fe6e1fb1

SHA256
98817bae6e70b13e7de26c5c8aef52493f34909dc822756d688592d5d770c4d9

SHA512
1d5eeb8c80759b5ab0dcf1ee6ac15a2d3faf94b4406efd943e390ca48e57c5b7fb61fee38cf947ed5bf54408d78357288434f07d84bab0a25a4d4afbafcb380d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
8cc0f98344b0e1bfaaf7dc14fbc817e5

SHA1
7a123050a0c9415a4b90fa7cccc0bee3873824b5

SHA256
e1086de84d5926011717f2f9e74606fe9186b4a507fd1a7bab5dccc6394fee11

SHA512
617964407cc0d09c029824b1f536d980fe0c00651dea2144e1e3174f7d6304bfe65935f001d47ec9fc9baf875debfe0c43fcd05879ac3127730152c1e2c40128

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
cd19341d3365a08154152dfbd4e07135

SHA1
2402f13ff44aa2e3ed9262432626f87bbcf628d9

SHA256
7831a21b8e37dfbc3015e65253d7ea3e40764dcbc7f19cc6cffbaf46c464224b

SHA512
cb60d1614b33d2d5f4fee7ca21fef84a0218f7ae724a6170bdbc377eacc71576208dfedc630c9b00eed127e49539c45362c31af4ba481aef9ad6a0158d7f6491

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\075cd5a7-620e-4162-9360-3239f96e0178

Filesize
26KB

MD5
0441887ab060a67513060e490f34a223

SHA1
2d558d7a06ba11a27634305e8c1095f6b2c7f9db

SHA256
08b9877f44b98be474a2abfe8e0786eec7a5cbaff000957f19fce888d87c1f69

SHA512
192b100fe567ac459e1ecebb6ac89cd69945a1318b596f0e6f01a176d8b2fbb57673090b6c961148bdc39f265e0f0083101af28eb4649312cccb6cfa565609c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\759a4c0a-00d1-4716-b1a3-692e420d3248

Filesize
671B

MD5
e42d0e965f5c85f6c0702c38701136c8

SHA1
40e17e57cb2eef11abe4e5d1439c02684eacb83f

SHA256
2fde4a2cdb5551818d671ac8fbf8852c2e4313208ad74fef385e06bc82294db5

SHA512
a88de1824be016cc95ccb412814f40d50a18e207dd67bb0c7e066ff94249d27675663f1acdf2c7368102092cee44fa77acbaf3f31d65678bf273cbc96a74fc27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\b710fe45-fd17-40ce-a237-19a66d9ba8cc

Filesize
982B

MD5
5061272c7d5c3ea64e218f0622e02e3e

SHA1
51947e4f346eaccfa96e85c7f2050ea145813015

SHA256
cc34f028ef12c521b087c057bc54e3f645d37bfe9d0ede6548713688b34ed929

SHA512
6b5da11e8554d750e7657c124e47a150bcd61b0cb9e1a4af0122e168d2845a4eeed879d49613df84f4349f66b0bdf0b15152b8ee049180147753ad3a68faba01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
16KB

MD5
f75456edae08afe64cb5e9cc65d0a68c

SHA1
cef86ae16026137307d67084cfe61216a909bc1f

SHA256
cc81c64a3c7333d930e73534928cf8245b6345a8f8cb4307b647941341e60b69

SHA512
ec9594655829303d656de2b876a3bf17b98a2400ef6c87a34531520a51a0a1358f3ebdf61c9884df97021a2ab785fd8756f4087ce0a7c4bb5c61c08df6c3819b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
11KB

MD5
323847940839efec0d99d6c306cc390c

SHA1
a1c0305ed6c92629989eb75cf5e9eb2fd7139253

SHA256
851b4ab15428f533edca2a8bb702a0f8fa2a8d586d2074a1168a1694bcaf33b2

SHA512
c95619154517ebff912de4b0490ec136877585311d54574b353b449d9267a13aa435437d8e2311828a76064ad760697582cbe7df54149bb9f6a56c134105944e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
13KB

MD5
4a1938752ccf655f1ec1b2df63c23b52

SHA1
e10e2fccd09e02be830fbeace0da2aee10f5c76c

SHA256
a58f338c6a799e9dcd61082fbaa6947d8b7ef08cf1d4bff0062d05186d3f9681

SHA512
9b2a6911afab8cbbcd107e92b88dca1b1140a06fd32973974e332c0a7fbceca1d088230b6408d097db228aee7dc23be48ee0c57874cc0dce0ce916043345322b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

Filesize
11KB

MD5
b3120cff6deb4e86b4baa2e90bbc8798

SHA1
26b55389025d8b094b0f6e0f80550283dd323ed7

SHA256
abe0dacefe8883377fc33dcbb9d00818bd29f8d6a027b5bd05f7710baf322119

SHA512
dcb7a0be8e060222fe6aa35b667bdb28f337b75a987a90e03317e19b458ed8f3c00f6f397aba8ad893f1766254572662b8372a0990aac0ce6f948de0a7bb47ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
30e2b198245556d13e7229c2a906785a

SHA1
0db9106565d0aeaddf2c5f66f82442766c2d8cba

SHA256
45edcedc582269129a90e344650ecaf69ff43414d394e10a7275e672b848a2e1

SHA512
88270e05df3ed0ca129ee6d5e9ab063458ee2fae07dddadd1c5ddda2288d1e3791165a32e6d48450a1060f1407af61dd9f8b394f46f0d045ba33e235640c4a05

Download Submit
memory/4668-2495-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-2498-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-517-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-388-0x00000000FF6D0000-0x00000000FFAA1000-memory.dmp

Filesize
3.8MB

Download
memory/4668-371-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-0-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-2-0x00000000772B2000-0x00000000772B3000-memory.dmp

Filesize
4KB

Download
memory/4668-1-0x00000000FF6D0000-0x00000000FFAA1000-memory.dmp

Filesize
3.8MB

Download
memory/4668-382-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-1319-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-383-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-2505-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-2506-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-2507-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-2508-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-2509-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-2510-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-2516-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download
memory/4668-2517-0x0000000000530000-0x0000000001015000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads