Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12-08-2024 17:46
Static task
static1
Behavioral task
behavioral1
Sample
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
Resource
win7-20240708-en
General
-
Target
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
-
Size
1.8MB
-
MD5
0400d0f91db9d1a2cb7806b94b23be8a
-
SHA1
ec696470fcffb473ebdb5586d00a86bebb38be2c
-
SHA256
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a
-
SHA512
4053c07ff80f6d9044f241b9848071ed039a5df9472144f3a0da235fec6eb83871a6bd8b859a347205934ddc531c9cb83aa746aa1d439ff39d68ab9a5af2164a
-
SSDEEP
49152:kS87XHVA4tnIh2erdVvXLHezW0gzq29VV:kS8D1AMnI5f/qzW0gzN
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeb62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Executes dropped EXE 4 IoCs
Processes:
explorti.exef59fb8a3da.exeb422d466ac.exe0087e13cb4.exepid process 2788 explorti.exe 1956 f59fb8a3da.exe 2732 b422d466ac.exe 1668 0087e13cb4.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine explorti.exe -
Loads dropped DLL 5 IoCs
Processes:
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exeexplorti.exepid process 1876 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe 2788 explorti.exe 2788 explorti.exe 2788 explorti.exe 2788 explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\f59fb8a3da.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\f59fb8a3da.exe" explorti.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/1792-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1792-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1792-51-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1792-53-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1792-50-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1792-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exeexplorti.exepid process 1876 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe 2788 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
f59fb8a3da.exeb422d466ac.exedescription pid process target process PID 1956 set thread context of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 2732 set thread context of 1960 2732 b422d466ac.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exedescription ioc process File created C:\Windows\Tasks\explorti.job b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RegAsm.exeb422d466ac.exeRegAsm.exe0087e13cb4.exeb62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exeexplorti.exef59fb8a3da.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b422d466ac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0087e13cb4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f59fb8a3da.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exeexplorti.exepid process 1876 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe 2788 explorti.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 1896 firefox.exe Token: SeDebugPrivilege 1896 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exeRegAsm.exefirefox.exepid process 1876 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1896 firefox.exe 1896 firefox.exe 1896 firefox.exe 1896 firefox.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1896 firefox.exe 1896 firefox.exe 1896 firefox.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe 1792 RegAsm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exeexplorti.exef59fb8a3da.exeb422d466ac.exeRegAsm.exefirefox.exedescription pid process target process PID 1876 wrote to memory of 2788 1876 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe explorti.exe PID 1876 wrote to memory of 2788 1876 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe explorti.exe PID 1876 wrote to memory of 2788 1876 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe explorti.exe PID 1876 wrote to memory of 2788 1876 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe explorti.exe PID 2788 wrote to memory of 1956 2788 explorti.exe f59fb8a3da.exe PID 2788 wrote to memory of 1956 2788 explorti.exe f59fb8a3da.exe PID 2788 wrote to memory of 1956 2788 explorti.exe f59fb8a3da.exe PID 2788 wrote to memory of 1956 2788 explorti.exe f59fb8a3da.exe PID 1956 wrote to memory of 2912 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2912 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2912 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2912 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2912 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2912 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2912 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2060 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2060 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2060 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2060 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2060 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2060 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 2060 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 1956 wrote to memory of 1792 1956 f59fb8a3da.exe RegAsm.exe PID 2788 wrote to memory of 2732 2788 explorti.exe b422d466ac.exe PID 2788 wrote to memory of 2732 2788 explorti.exe b422d466ac.exe PID 2788 wrote to memory of 2732 2788 explorti.exe b422d466ac.exe PID 2788 wrote to memory of 2732 2788 explorti.exe b422d466ac.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2732 wrote to memory of 1960 2732 b422d466ac.exe RegAsm.exe PID 2788 wrote to memory of 1668 2788 explorti.exe 0087e13cb4.exe PID 2788 wrote to memory of 1668 2788 explorti.exe 0087e13cb4.exe PID 2788 wrote to memory of 1668 2788 explorti.exe 0087e13cb4.exe PID 2788 wrote to memory of 1668 2788 explorti.exe 0087e13cb4.exe PID 1792 wrote to memory of 2244 1792 RegAsm.exe firefox.exe PID 1792 wrote to memory of 2244 1792 RegAsm.exe firefox.exe PID 1792 wrote to memory of 2244 1792 RegAsm.exe firefox.exe PID 1792 wrote to memory of 2244 1792 RegAsm.exe firefox.exe PID 2244 wrote to memory of 1896 2244 firefox.exe firefox.exe PID 2244 wrote to memory of 1896 2244 firefox.exe firefox.exe PID 2244 wrote to memory of 1896 2244 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\1000036001\f59fb8a3da.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\f59fb8a3da.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2912
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2060
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1896 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.0.1246222308\1291865308" -parentBuildID 20221007134813 -prefsHandle 1096 -prefMapHandle 1088 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b5df902-4523-41ac-a7bd-287e2837ab48} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 1336 a0d3058 gpu7⤵PID:932
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.1.616028843\656757552" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6d012c2-eaf7-4706-bc9a-06e7e8e45096} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 1536 44eb858 socket7⤵PID:484
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.2.1092571437\1662041967" -childID 1 -isForBrowser -prefsHandle 1948 -prefMapHandle 1944 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6022221-06ec-417e-aed6-996d83883305} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 1960 a067558 tab7⤵PID:1000
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.3.764834578\1957664143" -childID 2 -isForBrowser -prefsHandle 2692 -prefMapHandle 2688 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4e5a537-dfb4-4845-b639-c1fcc9b892ab} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 2704 e62758 tab7⤵PID:1388
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.4.204586148\2098956651" -childID 3 -isForBrowser -prefsHandle 3224 -prefMapHandle 3824 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af80698c-f298-4f46-bced-bf1ee113a0fe} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3840 20416258 tab7⤵PID:288
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.5.2116743070\1796795313" -childID 4 -isForBrowser -prefsHandle 3940 -prefMapHandle 3944 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4479a5-78c2-4016-aa43-b7800a0004a9} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3928 20418958 tab7⤵PID:1784
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.6.1439140262\1536199988" -childID 5 -isForBrowser -prefsHandle 4116 -prefMapHandle 4120 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2671467e-b2c0-4268-a921-2a3a49f18983} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 4104 20418c58 tab7⤵PID:2212
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.7.1284299835\2018169493" -childID 6 -isForBrowser -prefsHandle 3984 -prefMapHandle 3964 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52373499-fa72-4c9c-bbd6-f378da39bf12} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3224 1ad8f358 tab7⤵PID:1860
-
C:\Users\Admin\1000037002\b422d466ac.exe"C:\Users\Admin\1000037002\b422d466ac.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\1000038001\0087e13cb4.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\0087e13cb4.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5fff78902d667ae5d4d5e6eca47703322
SHA1aee23060c9cd8dad8afa9227d5f03b89fb18357f
SHA256a823ed8e9c412d6d62fa3ad5742054f38b81175dca7604439a8ed06abd55a8aa
SHA512ecf897f6885f71b4af40a85ed29ddc800f32f056d299357c7c50c62a8d670583592ecaea5bbcb9e6c2ca6d9dfcadfab81dc159e8e5d060ddd4fb918367e80176
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\activity-stream.discovery_stream.json.tmp
Filesize43KB
MD5fb0898054494fb4142c850677e864268
SHA1f8b101b9fe418a4257591b9a19825192f077da92
SHA256607ba4ecf1cb9ae507602888d167a1ff9b15059c61fdcd72258ad24081446eed
SHA5126d56896e989596ebe319945d6dae2317ec860e527275fff119c8d4a44974544a7bc1b61e97792ca3590632c7bc227edd42704c02df1db7e8aacc3569f2d2a43d
-
Filesize
1.8MB
MD50400d0f91db9d1a2cb7806b94b23be8a
SHA1ec696470fcffb473ebdb5586d00a86bebb38be2c
SHA256b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a
SHA5124053c07ff80f6d9044f241b9848071ed039a5df9472144f3a0da235fec6eb83871a6bd8b859a347205934ddc531c9cb83aa746aa1d439ff39d68ab9a5af2164a
-
Filesize
1.2MB
MD571dbe4bb236cc85e0eca13bbbeddc3be
SHA1134f1402299e1e3ddaad05989875725cfbe71763
SHA25665ef9eb886fbf27227211f2e8d9a5266adbe3206e00835b1b9018ea79c4816a2
SHA512c208e1ceda249822b608ab23c58d17202d1b4d0be2d451398b0b0f20eae0ce15fadd5e943047048d133dfb53107a2a710673c7e0d7baead559e305cf3381f86d
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD559a7e52f7cbf7bd111baa86bad04c79c
SHA1a3e0eb43c3f9315d8a5398263011c520b3d3debc
SHA256a6bd1cefd7b7b2b29c53e3c3ade9507aa9be6ffb495825cfa793a9f292b22023
SHA5124fef97c410baa6de052639d074a3c3fbafa6ebe9754e6ec061e045ba43715995986c99085a43e52bbc1aabaa2de2732d6b91310bd0fa5848d60e590edabfda62
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\3c78d822-d566-4ccc-886f-929d1550b605
Filesize745B
MD5e6ca94d9540235c8214edc1de6f89df8
SHA1a7524ed1beac8721a275e31a55e0ba88c0b2d19e
SHA256d37222f52a0b57ac045b1782c5d73e8216701022d3e2d7d8afebc66d4545bc63
SHA512cead98697571b0405e9957371f044e1c48645da69824535ea8fa297425b6537600e03285b742798d4d49aeb73d0e7b828784c240d50f713913f09dfdacdf3677
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\3fb753b9-1a6b-410c-a164-1de035d9904d
Filesize11KB
MD5d3d94e7552ecf7c5875c3937f7955097
SHA1fa07d13d53cb64bdee3e8824fc564ee544f41e47
SHA256e6a94d4f84bb0f8f07e6ce2251805d46eb86c78e9a45e4c738d2cbf1e254cadb
SHA5124d6f6cfc04203e3e9dbe9f482d29b27f173795396d0cd930ab1df835f5041a9bd06732c645e7c9b380ac2d3d80ce73a6c2c7074e7942ac1658f3ea5e2809e806
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD57e8f9be8cee0d565b537b631fb0fdd67
SHA125189cb40e9adb331eb763d305289ad15d6a5fda
SHA2561010b098d9ba44be4cda0b4e9f3beded4b5c4797797539280340dd9f3007e122
SHA51249d09dff8e45cc504c04cb702838099c00bf6290f52a3fca21b1b64e94f876106b582de65795f8e870371ad6417eb711d70b29b98cb7b0ba9a0723794050fe87
-
Filesize
6KB
MD5a18d90a0bb2f7a86bb417d0f3804d5d3
SHA118a9b90caa19f32abe226e4d13b787ea18b86b75
SHA256f9e904f6cf30a0d5de9e22a25bd6455ee325debb159c9ab878269f3ab2c77b7f
SHA5128ba14aeae99afd043627dcc7adcebcb1fec0a72d2821e77c63456455e6f947db3337228254f4ffb90f7bf4fba7340f94c586fa037afa49675255b262718b0b07
-
Filesize
6KB
MD55c3c1ef3b332e079bfa2f07714ced4ab
SHA17c900dd3b59296fb6135d7f3937e68dfda61e18a
SHA2563ac16fca9fa999da5dca893490c86613d9a980923900eef8621720fde1beaedf
SHA512a9d1569c4b02e7c9a806b4da04dc3dbf3c9aeb9e20974e099c37512e50eccbb51ec7827de278f3631331e37d7daa6a0a1c242eee05384eff2cc7600a0328d1a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5694034c363c4c4635a87af25b64af7a3
SHA195a877bae246eac5ecc4d2d8e8cfd3e7e646c59d
SHA2560c130101eea64bd1ae470b6c6de469c2c8c450b222e18dcfc2c7262ab51c58cc
SHA5122b42bb09b40b1374760f4ea2e84cd9799b378c892f5775773b595eef3b8a89e8f5cf0cd9bfc5c6b6c2828f352a01aaaa0044230c5785eb7062c4ec14b2c91f9e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD5ad433daea64ba9329d6552451e240f44
SHA15f5087e5a2ea95f1b89b35d70808891d974d6c9d
SHA2564ec6eca8436fcd2bc46e56ea57205ea8a20b25550dcfed6f2b29a0a4ad2c9c79
SHA51201aa30a9a07306ccc7688a9a6d9cd1c880c99e8af07d7332f83e5c0809399d70dbe971ac2a3e4c7df2887af413fe13a97d9eb8be49a4fe9f5395e071b50028d8