Analysis
max time kernel: 149s
max time network: 142s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 12-08-2024 04:03
Static task: static1
Behavioral task: behavioral1
- Sample: ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe
- Resource: win10v2004-20240802-en
General
- Target: ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe
- Size: 1.8MB
- MD5: 5b496c08c6603286a74edf4f17a1f7e5
- SHA1: 343311b9d583bde7ed9039731036fe7fd31cc701
- SHA256: ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5
- SHA512: b2f80db9884dafc865f351bcbba774a342e10127ff3d720691d4f347a73ed1edab6e76d76f10e0b99e0d2a667675f5a2f5cb756b8d4240f21c75ed9ba1aa9c93
- SSDEEP: 49152:Z1/YQEbR60x6+yuS8I5FF/Yb8hsS0VDu7Q0L4XcjOk5Q0EGDYF:ZCz16iyupAFhY4hZ030LtjZN
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: 0657d1
- C2: http://185.215.113.19
- install_dir: 0d8f5eb8a7
- install_file: explorti.exe
- strings_key: 6c55a5f34bb433fbd933a168577b1838
- url_paths: /Vi9leo/index.php
The install_dir and install_file values match the dropped copy seen in the process tree below, C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe, and the C2 plus url_paths combine to the check-in URL http://185.215.113.19/Vi9leo/index.php.
Extracted
- Family: stealc
- Botnet: kora
- C2: http://185.215.113.100
- url_path: /e2b1563c6670f193.php
The Stealc C2 and url_path combine to http://185.215.113.100/e2b1563c6670f193.php. The report does not say which of the dropped executables carries the Stealc payload.
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe, explorti.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe, explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
-
Executes dropped EXE 4 IoCs
Processes:
- PID 2696 explorti.exe
- PID 1924 01da7b0673.exe
- PID 2836 c8bae7c7d9.exe
- PID 2280 2130c6cde2.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe, explorti.exe
- Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine (ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine (explorti.exe)
-
Loads dropped DLL 5 IoCs
Processes:
- PID 2688 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe (1 load)
- PID 2696 explorti.exe (4 loads)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: explorti.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\01da7b0673.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\01da7b0673.exe" (explorti.exe)
The autostart target is the first payload explorti.exe drops (PID 1924 in the process tree), and it lives under the user's Temp directory rather than in a system location.
-
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
All six hits are from yara rule autoit_exe on memory dumps of PID 2976, the RegAsm.exe instance that 01da7b0673.exe injected into (see "Suspicious use of SetThreadContext" below), so the match is on the injected payload rather than on a file on disk. Each dump covers the region 0x0000000000400000-0x000000000052D000:
- behavioral1/memory/2976-50-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/2976-47-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/2976-45-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/2976-43-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/2976-53-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/2976-52-0x0000000000400000-0x000000000052D000-memory.dmp
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- PID 2688 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe
- PID 2696 explorti.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes (source PID -> target PID):
- PID 1924 01da7b0673.exe set thread context of PID 2976 RegAsm.exe
- PID 2836 c8bae7c7d9.exe set thread context of PID 2816 RegAsm.exe
Both targets are freshly started copies of the .NET RegAsm.exe utility that the source process had already written to (see "Suspicious use of WriteProcessMemory" below), which is the process-hollowing sequence.
-
Drops file in Windows directory 1 IoCs
Processes: ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe
- File created C:\Windows\Tasks\explorti.job (ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of:
- RegAsm.exe
- 2130c6cde2.exe
- ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe
- explorti.exe
- 01da7b0673.exe
- RegAsm.exe
- c8bae7c7d9.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
All six hits come from firefox.exe, the legitimate browser that the injected RegAsm.exe launched, not from the dropped binaries, so this signature should be read as browser noise rather than as evidence of the malware's own sandbox checks.
-
Modifies registry class 1 IoCs
Processes: firefox.exe
- Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings (firefox.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 2688 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe
- PID 2696 explorti.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: firefox.exe
- Token: SeDebugPrivilege, PID 1620 firefox.exe (twice)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes, in the order recorded (the list is capped at 64 entries):
- PID 2688 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe (1)
- PID 2976 RegAsm.exe (6)
- PID 1620 firefox.exe (4)
- PID 2976 RegAsm.exe (53)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes, in the order recorded (the list is capped at 64 entries):
- PID 2976 RegAsm.exe (6)
- PID 1620 firefox.exe (3)
- PID 2976 RegAsm.exe (55)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID and image -> target PID and image, with the number of write events recorded for that pair; 64 events in total):
- 2688 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe -> 2696 explorti.exe (4)
- 2696 explorti.exe -> 1924 01da7b0673.exe (4)
- 1924 01da7b0673.exe -> 2036 RegAsm.exe (7)
- 1924 01da7b0673.exe -> 2976 RegAsm.exe (14)
- 2696 explorti.exe -> 2836 c8bae7c7d9.exe (4)
- 2836 c8bae7c7d9.exe -> 2816 RegAsm.exe (13)
- 2696 explorti.exe -> 2280 2130c6cde2.exe (4)
- 2976 RegAsm.exe -> 316 firefox.exe (4)
- 316 firefox.exe -> 1620 firefox.exe (10)
The firefox.exe -> firefox.exe writes belong to the browser's own multi-process start-up (its children run with -contentproc, see the process tree); the writes into the two RegAsm.exe instances that were also targets of SetThreadContext (2976 and 2816) are the injection. The first RegAsm.exe (PID 2036) received writes but no SetThreadContext and shows no further activity.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. This is consistent with the C:\Windows\Tasks\explorti.job file the sample created (see "Drops file in Windows directory" above), giving the dropped explorti.exe a second persistence mechanism alongside the Run key.
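The registry signatures above (VirtualBox ACPI key, BIOS version values, the Software\Wine key, the CentralProcessor reads and the Run key written by explorti.exe) can be reproduced from raw registry events. The script below is an added example, not part of this report or of any sandbox's own code: it holds events constructed from the IoC tables above, applies the same checks, downgrades hardware-key reads made by a browser, and rates a Run entry higher when it points into a user-writable directory. The rule names, severities, the browser allowlist and the "user-writable" path pattern are this example's own assumptions.

```python
import re
from collections import defaultdict

SAMPLE = "ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"
SID = "S-1-5-21-3434294380-2554721341-1919518612-1000"

# Registry events constructed from the report's IoC tables, as
# (action, key path, value written or None, process image).
# A real pipeline would feed Sysmon Event ID 12/13 records here instead.
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", None, SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", None, "explorti.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", None, SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", None, SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", None, "explorti.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", None, "explorti.exe"),
    ("Key opened", r"\REGISTRY\USER\%s\Software\Wine" % SID, None, SAMPLE),
    ("Key opened", r"\REGISTRY\USER\%s\Software\Wine" % SID, None, "explorti.exe"),
    ("Set value (str)", r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\01da7b0673.exe" % SID,
     r"C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe", "explorti.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier", None, "firefox.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", None, "RegAsm.exe"),
]

# Anti-analysis rules as (name, default severity, regex over the key path).
# The registry is case-insensitive, so the regexes are applied with re.I.
ANTI_ANALYSIS_RULES = [
    ("virtualbox_acpi", "high", r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$"),
    ("bios_version_read", "medium", r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$"),
    ("wine_key", "high", r"\\Software\\Wine$"),
    ("cpu_info_read", "low", r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\"),
]
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumed "user-writable staging" locations: an autostart target under one of
# these is rated high because droppers such as this one stage payloads there.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData\\(Local|Roaming)|Downloads|Public)\\", re.I)
# Assumed allowlist of processes whose CPU/hardware key reads are expected;
# their hits are kept but downgraded to "info" instead of being dropped.
BENIGN_READERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


def classify(events):
    """Return one finding dict per (event, rule) match."""
    findings = []
    for action, key, value, proc in events:
        for name, severity, pattern in ANTI_ANALYSIS_RULES:
            if re.search(pattern, key, re.I):
                sev = "info" if proc.lower() in BENIGN_READERS else severity
                findings.append({"rule": name, "severity": sev, "process": proc, "key": key})
        if action.startswith("Set value") and RUN_KEY_RE.search(key):
            target = (value or "").strip('"')
            sev = "high" if USER_WRITABLE_RE.match(target) else "medium"
            findings.append({"rule": "run_key_autostart", "severity": sev,
                             "process": proc, "key": key, "value": target})
    return findings


def by_process(findings, min_severity="medium"):
    """Collapse findings to {process: set(rule names)} at or above a severity."""
    out = defaultdict(set)
    for f in findings:
        if SEVERITY_ORDER[f["severity"]] >= SEVERITY_ORDER[min_severity]:
            out[f["process"]].add(f["rule"])
    return dict(out)


if __name__ == "__main__":
    for proc, rules in sorted(by_process(classify(EVENTS)).items()):
        print(f"{proc}: {', '.join(sorted(rules))}")
```

Run as-is, the summary lists the sample and explorti.exe with all three anti-VM rules, explorti.exe additionally with run_key_autostart, and nothing for firefox.exe or RegAsm.exe at the default threshold; lowering the threshold to "info" surfaces the browser's cpu_info_read hit for review without letting it drive an alert.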
Processes (indented by depth in the process tree; each entry shows the image path, PID, recorded command line and the signatures that fired for it)

[depth 1] PID 2688: C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  [depth 2] PID 2696: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [depth 3] PID 1924: C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\01da7b0673.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] PID 2036: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        (no signatures)

      [depth 4] PID 2976: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        This is the RegAsm.exe instance 01da7b0673.exe injected into; it is the process that starts Firefox below, pointed at the Google account password page.

        [depth 5] PID 316: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory

          [depth 6] PID 1620: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

            [depth 7] Firefox content processes (no signatures):
            - PID 108: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.0.796266999\1113311062" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd7fa836-2f2a-4263-89ea-e2ef623315ef} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 1276 11fd7658 gpu
            - PID 900: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.1.1596750276\387409377" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03974675-63f2-4542-92eb-79e5d57c8c27} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 1492 e71b58 socket
            - PID 1900: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.2.2069229849\18071864" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {490e294f-7670-4a1d-9fdc-ec71753b2464} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 2108 1a5c1f58 tab
            - PID 876: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.3.690410611\67766793" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f4840aa-58f9-495a-a078-a98a06f78aba} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 2924 e64558 tab
            - PID 1852: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.4.778487694\2051957342" -childID 3 -isForBrowser -prefsHandle 3716 -prefMapHandle 3652 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {692e1639-bfd2-4cdb-aa35-4ad1ec6ad536} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 3740 1e7dc958 tab
            - PID 1952: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.5.1335845706\1054436888" -childID 4 -isForBrowser -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15906148-f66f-49b2-b059-48c7be1c35e5} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 3960 205ddb58 tab
            - PID 2452: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.6.946791545\15143673" -childID 5 -isForBrowser -prefsHandle 3932 -prefMapHandle 3972 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57edeb9e-cc1d-4c2f-9f0c-525b3cfbcdba} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 3920 1eac5e58 tab
            - PID 3008: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1620.7.1742673122\660696567" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4332 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07631edc-5d00-45f6-9d9f-f23c2c0213c5} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" 4372 228ed258 tab

    [depth 3] PID 2836: C:\Users\Admin\1000037002\c8bae7c7d9.exe
      Command line: "C:\Users\Admin\1000037002\c8bae7c7d9.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] PID 2816: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery

    [depth 3] PID 2280: C:\Users\Admin\AppData\Local\Temp\1000038001\2130c6cde2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\2130c6cde2.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
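The process tree above, together with the WriteProcessMemory and SetThreadContext tables, is enough to rebuild the parent/child relationships and to isolate the two hollowing events mechanically. The script below is an added example and not part of this report or of any sandbox's code: it parses event lines constructed in the wording of the report's own tables (one line per source/target pair), rebuilds the tree, and reports a process as injected into only when the same source process both wrote to it and then reset its thread context. The line format, the regexes and the list of commonly hollowed Microsoft host binaries are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed from the "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables, one line per distinct pair.
# A real pipeline would take Sysmon Event ID 1/8/10 records instead.
WPM_LINES = """\
PID 2688 wrote to memory of 2696 2688 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe explorti.exe
PID 2696 wrote to memory of 1924 2696 explorti.exe 01da7b0673.exe
PID 1924 wrote to memory of 2036 1924 01da7b0673.exe RegAsm.exe
PID 1924 wrote to memory of 2976 1924 01da7b0673.exe RegAsm.exe
PID 2696 wrote to memory of 2836 2696 explorti.exe c8bae7c7d9.exe
PID 2836 wrote to memory of 2816 2836 c8bae7c7d9.exe RegAsm.exe
PID 2696 wrote to memory of 2280 2696 explorti.exe 2130c6cde2.exe
PID 2976 wrote to memory of 316 2976 RegAsm.exe firefox.exe
PID 316 wrote to memory of 1620 316 firefox.exe firefox.exe
"""
STC_LINES = """\
PID 1924 set thread context of 2976 1924 01da7b0673.exe RegAsm.exe
PID 2836 set thread context of 2816 2836 c8bae7c7d9.exe RegAsm.exe
"""
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")

# Assumed allowlist of signed Microsoft binaries that loaders commonly start
# suspended and hollow; a hit here raises confidence but is not required.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}


def parse(lines, regex):
    """Return (source_pid, target_pid, source_image, target_image) tuples."""
    edges = []
    for line in lines.splitlines():
        m = regex.match(line.strip())
        if m:
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return edges


def build_tree(edges):
    """Map PIDs to images and each parent PID to its children, in first-seen order."""
    names, children = {}, defaultdict(list)
    for ppid, pid, pimage, image in edges:
        names.setdefault(ppid, pimage)
        names.setdefault(pid, image)
        if pid not in [c for c, _ in children[ppid]]:
            children[ppid].append((pid, image))
    return names, children


def roots(names, children):
    """PIDs that never appear as a child: the tree's entry points."""
    child_pids = {pid for kids in children.values() for pid, _ in kids}
    return [p for p in names if p not in child_pids]


def find_injection(wpm, stc):
    """Hollowing pattern: a source writes into a target and then sets that target's thread context."""
    writers = {(s, t) for s, t, _, _ in wpm}
    hits = []
    for s, t, simg, timg in stc:
        if (s, t) in writers:
            hits.append({"source_pid": s, "source": simg, "target_pid": t, "target": timg,
                         "lolbin_host": timg.lower() in HOLLOW_HOSTS})
    return hits


def render(names, children, root, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{names[root]} (PID {root})"]
    for pid, _ in children.get(root, []):
        lines.extend(render(names, children, pid, depth + 1))
    return lines


if __name__ == "__main__":
    wpm, stc = parse(WPM_LINES, WPM_RE), parse(STC_LINES, STC_RE)
    names, children = build_tree(wpm)
    for root in roots(names, children):
        print("\n".join(render(names, children, root)))
    for h in find_injection(wpm, stc):
        print(f"injection: {h['source']} ({h['source_pid']}) -> {h['target']} ({h['target_pid']}), lolbin host={h['lolbin_host']}")
```

On the report's data this yields a single root (PID 2688), ten processes in the tree, and exactly two injection hits: 01da7b0673.exe into RegAsm.exe PID 2976 and c8bae7c7d9.exe into RegAsm.exe PID 2816. The first RegAsm.exe (PID 2036) is not reported because it only received writes and never had its thread context set, which matches it showing no further activity in the tree.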
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
ATT&CK files the same technique under Persistence as well, which is the role it plays here (the Run key written by explorti.exe).
Downloads
Entries under Mozilla\Firefox\Profiles are files written by the Firefox instance the injected RegAsm.exe launched, not by the malware itself; the entries without a path are the ones the report does not attribute to a location.
- (no path given)
  Filesize: 206KB
  MD5: c05fd08043fd1dc414300a92bc73e1fc
  SHA1: 9d3c8c2a2bd2881606dc2a826aad65f63a332853
  SHA256: 531cbb2c4dbaaea781ad6798ce36c7ce254c8f88a892dc42ee0aaed205e1a73d
  SHA512: 43f00dbf42c84002b4ab46b907953c1236407cdb55001d01ac193a87e3fab9ecacdf4bbac7d2a02297a41f4e62a2a37b93c2e8b559e791c5484791f2faa1d065
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 49KB
  MD5: 5054d2249341e7d081de0280f640eb82
  SHA1: ef91fe6ab986e434da30923a027787e1d4f696be
  SHA256: 6bf005a6788be6f6a5cad51f21fe8413660bf6fef6411bb02149acc4aa50c638
  SHA512: b3b9e2e55be2941b0493c0d927a108b69ea6942719d75ebc584ce2b7f5aef15685e7a6220e533687558deb968337e57d85bb8351ce519354e29b97282acabef1
- (no path given)
  Filesize: 1.2MB
  MD5: f5f1e8f743ec3d40dbe97e0e67e14861
  SHA1: 14b889a8602eb0d8c05f4bd415977c99fce99b90
  SHA256: a3c814c3833951d016c68679e2f8902cc1ba30d8acbb14a64aa3a58e3f23d51d
  SHA512: cc23bf8b3588fc68e2641c813c2ce1eaa7aa8d123071def3f88fc679abaaffed0d22fdb7e36e3d782170b69e62f0e4585a30f591d328d5c83039b997d8a30732
- (no path given)
  Filesize: 187KB
  MD5: 278ee1426274818874556aa18fd02e3a
  SHA1: 185a2761330024dec52134df2c8388c461451acb
  SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
  SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
- (no path given)
  Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
- (no path given)
  Filesize: 8.0MB
  MD5: a01c5ecd6108350ae23d2cddf0e77c17
  SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 02d678e1deef81c74499ed2a17c2cf3f
  SHA1: 31ae116ea0f75ed2e58c12d585ad3a4b1506246a
  SHA256: 64b1c40affedc9c5c5c8a41d3282dd65429713d8f16db0f41e58012e1a174302
  SHA512: 28abb861ed86836b949f94e4ce750b01db71d86848d1d0dd3bc2d02042cd310289ac57f5930e025d4000c8c6381a6e5a2eb11b001ff2fbd8afe9ab586e81e687
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\c6adca2a-0941-4904-87a7-51ec7b52a892
  Filesize: 745B
  MD5: a940108687c2cc38c1fbc2ce568e54b8
  SHA1: 67ad8e81684c931fc7e3b29707649920de0235eb
  SHA256: 3d69b42b5d02e3d69159b67478949ff4074ad7b3589424e72bf98a66d364e930
  SHA512: 3b6693464b50d8e4c647ffdcf9ebb11a8a51b035117bc14419f92a0c4cd0e07a5ea2853c2c25f0c4e1980a3b85881041751548e399c017693da832edf46ec300
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\d6d782f2-890a-4497-b144-86ac14250382
  Filesize: 12KB
  MD5: cc6556d5b55db9dbc2478e6cbf12701c
  SHA1: 00b0f85a33ac37d84a09ec07fcb1947d9329999d
  SHA256: 36376d4cb9114e044920b4fbdc3afd0bad6b58676f5f49250c95b9e43405634c
  SHA512: ea43203f389a9620969855f89cc4c860aa549ddd8c602bb2a1683eb397bd878ecf22d8255022f03683f2eeb5538e614fe50791939642663bd46777558c2ce03e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
- (no path given)
  Filesize: 7KB
  MD5: aa1fc5fcabc9ed67404fc9cb0e2dc6d2
  SHA1: 35e7debd9f3e9b0c5a767fa55fe8f7a2ad080847
  SHA256: c2f088ce63806acee7c70395ed69b64c72216c570d855fcf7df7f1a43ca0a43a
  SHA512: df8df91e84a56e388cd427742eb3eb05eb5c96f4f732c554c5e75010f7f7ae4f21e7dc65817ba9f5296128cffe0b664f14760bb9601e6d93fff61ae38c50221e
- (no path given)
  Filesize: 7KB
  MD5: b4d0ea2a7539105059cb3b509b4f55c8
  SHA1: 70849597e67e871648b4b9a0a8650a452fc4a09c
  SHA256: 1a4aed8fda2709b823323e5f0690560e1f61b3b7b6170de60ddf533dc9ec5b63
  SHA512: 2c952dbb55fedcd6f83bb07e325a945085bf6449eeeec0e567716cbc0380e96fd00c98b2622dc9d586de1f1b21f70df3ce309025ce32dc492737af8058041688
- (no path given)
  Filesize: 6KB
  MD5: 94a05b39e2f0c90faf8d3c2a135f07c7
  SHA1: 57a6aac5cbff7dafe295b6ccbd5ffdd9b9b59516
  SHA256: e096f35f606560dd5990eb3ae5cddf60ba8802f0ee270db459c0210bb1b26f7f
  SHA512: 080e07300d416012570af5086aa4b67c5455e5fd764a70c24c3fd51d7ac1430da3558d828a31e8cc740b8132ba97c2e47f39c29c19a9dc43beb123cea2b9f7a5
- (no path given)
  Filesize: 6KB
  MD5: 0237baed058ccfce3dc31bd359b6a942
  SHA1: 12b4a18637ec194f2503ff017ebc7e9e49de7116
  SHA256: 1e318cc66d397f0a0c57551225308bf646c61c715a3f5c9601d1405eb69cebcb
  SHA512: eaeee3ffec21968de11ee6f45b63b8658c672e68386dd4780f5a9d510db5c9bd01bba9d9969b7f0e36ef7338dcd4548747513c08d3d1a311253f4eb04634fdf0
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 71f9cd62f910b6d9fd7f46db2f410970
  SHA1: d013dcd926449e3140977388e95a67d991031896
  SHA256: 339a74f0a6eabb80bb2bdc8f13f67c62fefb0acda6ffc4a791ca4478ad846e76
  SHA512: bd0c97f76d05893b037f5b31e1d93ed3b5586e2b6493c1e65b27492abb7a21b1dff312a7a4e61c8b9fc303cb88f9d397f447a14f273a5b5e637a784e2fe1521b
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4 (later version of the same file)
  Filesize: 4KB
  MD5: 3b40b9b0c1a99aef1e1923c59c0e5260
  SHA1: 1496bac793d4c14fcdf3517c41bb47d5ff02f3bc
  SHA256: df7ed4d508da08d2bc0dcee88772f063ce74fa4bb7a129c3c92d7101f2641f10
  SHA512: cb81ef3a057a6c98ca7cb637d03eaa12ec6985becc02e02450f4469cbe2d794dffeec31989895b9007c4017f70ee5dc65b21a8e6f2c587f6e43c3d06c083451f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 200KB
  MD5: a3ffcdff2b763e1aef3cffb7cc5902f4
  SHA1: 82e5f6b589dd483d2529d6100d6ab6714d927ba7
  SHA256: 333e15f1b4f292feacd2ad0ae312d2b2082c124b3fa9cae98791fc629f5b7b62
  SHA512: c77eb83fba8bf81c1d8b319483c421e0602a0d5c4704890b1ac78cc542362e804e8f56e94111dce8ee0085090f068ee9bae19629db492130e512f97bd809a4a7
- (no path given; hashes match the submitted sample)
  Filesize: 1.8MB
  MD5: 5b496c08c6603286a74edf4f17a1f7e5
  SHA1: 343311b9d583bde7ed9039731036fe7fd31cc701
  SHA256: ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5
  SHA512: b2f80db9884dafc865f351bcbba774a342e10127ff3d720691d4f347a73ed1edab6e76d76f10e0b99e0d2a667675f5a2f5cb756b8d4240f21c75ed9ba1aa9c93