Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 12-08-2024 17:22
Static task: static1
Behavioral task: behavioral1
- Sample: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Resource: win10v2004-20240802-en
General
- Target: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- Size: 1.9MB
- MD5: a8963ee5ca072f13559f19a434575162
- SHA1: 5cf8ff672194be0b1cc4de3d199bb42f0fbcc944
- SHA256: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6
- SHA512: 9476a7ba19be415888a513970eb55e86e1455246d614e5523972526721a6599a64eb68597a1ff699a939c20f1936157b38b7a12311e8b5cbdea450a71854f877
- SSDEEP: 49152:Gqufc9qFxZWNLfTOUiVOi8coqOLhzWRGn:GqufcwDZWJQEqO96U
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: 0657d1
- C2: http://185.215.113.19
- install_dir: 0d8f5eb8a7
- install_file: explorti.exe
- strings_key: 6c55a5f34bb433fbd933a168577b1838
- url_paths: /Vi9leo/index.php
Extracted
- Family: stealc
- Botnet: kora
- C2: http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copying of, a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: explorti.exe)

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: explorti.exe)

Executes dropped EXE (4 IoCs)
Processes:
- PID 2804 explorti.exe
- PID 572 8a527b58d9.exe
- PID 2836 d3efe039e9.exe
- PID 2392 de9334a9ef.exe

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine (process: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine (process: explorti.exe)

Loads dropped DLL (5 IoCs)
Processes:
- PID 1488 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe (1 entry)
- PID 2804 explorti.exe (4 entries)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a527b58d9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\8a527b58d9.exe" (process: explorti.exe)

AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching yara_rule autoit_exe:
- behavioral1/memory/2728-46-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/2728-50-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/2728-54-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/2728-53-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/2728-48-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/2728-56-0x0000000000400000-0x000000000052D000-memory.dmp

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
- PID 1488 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- PID 2804 explorti.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 572 (8a527b58d9.exe) set thread context of PID 2728 (RegAsm.exe)
- PID 2836 (d3efe039e9.exe) set thread context of PID 1464 (RegAsm.exe)

Drops file in Windows directory (1 IoCs)
Processes:
- File created C:\Windows\Tasks\explorti.job (process: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: explorti.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8a527b58d9.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RegAsm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d3efe039e9.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RegAsm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: de9334a9ef.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe)

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (process: firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (process: firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (process: firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel (process: firefox.exe)

Modifies registry class (1 IoCs)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings (process: firefox.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 1488 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe
- PID 2804 explorti.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1044 firefox.exe (2 entries)

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
- PID 1488 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe (1 entry)
- PID 2728 RegAsm.exe (6 entries)
- PID 1044 firefox.exe (4 entries)
- PID 2728 RegAsm.exe (all remaining entries)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
- PID 2728 RegAsm.exe (6 entries)
- PID 1044 firefox.exe (3 entries)
- PID 2728 RegAsm.exe (all remaining entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID wrote to memory of target PID):
- PID 1488 (0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe) wrote to memory of PID 2804 (explorti.exe): 4 entries
- PID 2804 (explorti.exe) wrote to memory of PID 572 (8a527b58d9.exe): 4 entries
- PID 572 (8a527b58d9.exe) wrote to memory of PID 2728 (RegAsm.exe): 14 entries
- PID 2804 (explorti.exe) wrote to memory of PID 2836 (d3efe039e9.exe): 4 entries
- PID 2836 (d3efe039e9.exe) wrote to memory of PID 1464 (RegAsm.exe): 13 entries
- PID 2804 (explorti.exe) wrote to memory of PID 2392 (de9334a9ef.exe): 4 entries
- PID 2728 (RegAsm.exe) wrote to memory of PID 1812 (firefox.exe): 4 entries
- PID 1812 (firefox.exe) wrote to memory of PID 1044 (firefox.exe): 12 entries
- PID 1044 (firefox.exe) wrote to memory of PID 1704 (firefox.exe): 3 entries
- PID 1044 (firefox.exe) wrote to memory of PID 2520 (firefox.exe): 2 entries

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth shown as "Level N"; each entry gives the command line, PID and the signatures triggered by that process)

Level 1 (PID 1488): "C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

  Level 2 (PID 2804): "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    Level 3 (PID 572): "C:\Users\Admin\AppData\Local\Temp\1000036001\8a527b58d9.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      Level 4 (PID 2728): "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        Level 5 (PID 1812): "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        - Suspicious use of WriteProcessMemory

          Level 6 (PID 1044): "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

            Level 7 (PID 1704): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.0.9265799\1344171379" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1232 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0bd0e1a-a576-4702-afc2-4b4223d277be} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 1364 fedd558 gpu

            Level 7 (PID 2520): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.1.411113490\1513952049" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5efc165-5426-47e2-8de7-e1b777999d27} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 1544 eceb558 socket

            Level 7 (PID 904): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.2.1945659457\892370061" -childID 1 -isForBrowser -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d20c0b9-b502-4460-b0f7-29be4bf6656a} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 2096 1a493958 tab

            Level 7 (PID 2192): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.3.1326034224\1781863811" -childID 2 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7df132c2-9c3a-4732-91f4-b18e8ee03d76} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 2892 e6a458 tab

            Level 7 (PID 1788): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.4.1411214870\2120150909" -childID 3 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa560bdc-298e-4c0d-b799-0c27d1ecb67d} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 3876 1ff64d58 tab

            Level 7 (PID 2168): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.5.1962333114\1852508815" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6649f61b-a3ca-411a-bdd8-360b1627f464} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 3976 20e69758 tab

            Level 7 (PID 2588): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.6.861636520\843849148" -childID 5 -isForBrowser -prefsHandle 4192 -prefMapHandle 4196 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61130462-718e-45f9-b0fd-97f621d20b16} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 4180 20e69458 tab

            Level 7 (PID 2128): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.7.360924537\612027751" -childID 6 -isForBrowser -prefsHandle 3828 -prefMapHandle 4216 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5944bf74-f33d-4b63-b45b-15d39e67aade} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 3992 1b36b358 tab

    Level 3 (PID 2836): "C:\Users\Admin\1000037002\d3efe039e9.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      Level 4 (PID 1464): "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - System Location Discovery: System Language Discovery

    Level 3 (PID 2392): "C:\Users\Admin\AppData\Local\Temp\1000038001\de9334a9ef.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1), Registry Run Keys / Startup Folder (1)
Downloads

- Dropped file (path not listed)
  Filesize: 206KB
  MD5: 264c7b385f725f6d1ec540e66a34889e
  SHA1: 0d792dccf1d140874b6816d2764ae2dc7d041d5d
  SHA256: 6f8bb2f210e76d0fb8bd0995c574f59eb9f212126b44eda9763462acede9f1c1
  SHA512: b48c9d003291d0373da6f7e57772c70790496accf22ba180837d4b32d0e6da38300088a239a23cfc2faa41bf4e39e65e341fe33c251385de93830b978df3fb90

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 43KB
  MD5: 9313515d96b4946086fcd6b3d7520133
  SHA1: d10bc923e87f12fdaee55a676e31b7977bff8b30
  SHA256: 24b1b1bad6bc42720df22de163af4560279e2fb11c944051b373c9c6d8302e2b
  SHA512: b4839fcc033e75c2f290d9c3742361a434998fbbec369c5cac6e08eab8df860bc44c3c32afd37db355c7687045b003512dfd76c6883f1aec8ab102eb2928b16c

- Dropped file (path not listed)
  Filesize: 1.9MB
  MD5: a8963ee5ca072f13559f19a434575162
  SHA1: 5cf8ff672194be0b1cc4de3d199bb42f0fbcc944
  SHA256: 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6
  SHA512: 9476a7ba19be415888a513970eb55e86e1455246d614e5523972526721a6599a64eb68597a1ff699a939c20f1936157b38b7a12311e8b5cbdea450a71854f877

- Dropped file (path not listed)
  Filesize: 1.2MB
  MD5: a9d08832d00dd0c9dc7f78f8d00fa67a
  SHA1: b636ea5c2d14de4dd4139d0aae7240a9e1120456
  SHA256: 215d9ba94d29bc1a536420be578c066908b13e8fbefeadaede15b9ed72b562c1
  SHA512: 21fdef0123e1f048da2e7f25da6eff97712ebd16d789d7e8e4933ea0341f94d581ab04c227266998cbb9845b3af98dc1cfd4c9e6881d5229e493405a559aa08c

- Dropped file (path not listed)
  Filesize: 187KB
  MD5: 278ee1426274818874556aa18fd02e3a
  SHA1: 185a2761330024dec52134df2c8388c461451acb
  SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
  SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

- Dropped file (path not listed)
  Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

- Dropped file (path not listed)
  Filesize: 8.0MB
  MD5: a01c5ecd6108350ae23d2cddf0e77c17
  SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 3baa4c8bf40b39ac6b7a34f961a0381e
  SHA1: 49db31380820529db1535e0fdd1e257ffd72ceb1
  SHA256: 50896ba696dd99218741ec595db42828d13511fd9462a3c1181b7da62167c88a
  SHA512: 2b3e7449b65a7a781119d0a002ec675ccd2b215f1c469960d20251b37132fd07068d9d609b8d3ef28d1fe5709bc133ba501d55df8de648aa11311fc78210c5af

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\0356ccce-ef11-48e4-892e-55b2415e8f8c
  Filesize: 12KB
  MD5: 1fba29645e34c7ff3d36c2492f3a6771
  SHA1: 34757c20efb0473f2e1ce37f16ad81895be0d090
  SHA256: b5a802986be0923e8f35b97473f343af36cf55ee23cabd1cd9722c67e632e2ff
  SHA512: 46c41bb59fda6c9999d01371587259373be1e8895daf22850c56cebfee7045ec0402c8f4a606284fb4956e3964be23f2fe81037b18bb15785255c96d35996957

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\ce212d95-f81d-4b9d-9077-267f1200ab59
  Filesize: 745B
  MD5: 3f34ac28fbe906b34941ef15e7e8e2a1
  SHA1: fd3e9994b74427f0e7b1bad2d18fee0c7c3a4915
  SHA256: cc3bbb7b9a3e96dcc1f2796722336b41ee4c183dc575d47bdf46610bdcbd29d9
  SHA512: 998c0e9051debbea0ed087bd98764d3ca22cc2c7e7f906235da939372ecbb1ee5c0992a6e4c21da29f20c05360a4169b6ee55068a13e4daa3ef034662c261c5f

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

- Dropped file (path not listed)
  Filesize: 6KB
  MD5: c639e9b849f34fa098d320a2b88f2599
  SHA1: 4e3a4006d356d18feda819f163e68b2037c8949c
  SHA256: 1d6ec38f4a3c5097125bb2b47369bd99370c05fc5d3e7f25f4dffa97d781f24b
  SHA512: d2118b145d66ccd2eb8d87d6512062252d2e15ac9701f57341fc640099c3c9352c4ef4bda88dc8bc5c60fcce7fb89cd85c2f43219e866d2389c3029ab58e9558

- Dropped file (path not listed)
  Filesize: 7KB
  MD5: 68052b0ef5732bbea9a1fb1af0c313ac
  SHA1: 2dbd07e9763967fda34e79fe01a86f917820aabe
  SHA256: d36f1770154151ed1d17c1ddedff52229090f9fbaad6666ff0cbab03559e26d8
  SHA512: b9686c63428ca078523ad0e0874a663b8870e5c3b079a34c8aecf179a7e3aece85392a62b146e49fed55e7cb2199ae27c0d76e74707f357597c84bc3519fddf8

- Dropped file (path not listed)
  Filesize: 7KB
  MD5: 8d7c16e4f51d19eddc7a2bb7e23ec9f8
  SHA1: 67f22be5597f376b15d9168b94f5ddbd3ac31c0c
  SHA256: ab8de1bd9e7302a8e02a566324f31340254e827bbf639d0e7d6b150b095e8428
  SHA512: b3b14f4a6632bd758b736549ce70f75e7ad65eb2c0368610afc0ee8b35c1246003152b334683a42446de7415606f390034558cabc4f8061898bd7974e1c74592

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 2c9f91f1c800019d3bdaafd8a782a76d
  SHA1: c7c4345c13e46117117467cecf71d9b96543ca59
  SHA256: f17fc397b0c66cd2df5adbffe1d6b053faf89c0e191a3d7c2e131c8d55138b16
  SHA512: d79818baaa75105c4eb12a68c8cd631ab7d1a235fd3530452e3483fd62e5ac6f1f13ee416ffc1b67cb7194190a5ac4b47b2760568126e65466ebdd7d7386eacc

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5: 3dc733f51b6c47c0e57ae7035b9abacf
  SHA1: d4c28a6f9d4bae9e297440a46726a2cb3e2504ba
  SHA256: aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1
  SHA512: e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067