Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14-08-2024 08:10

Static task: static1
Behavioral task: behavioral1
- Sample: f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
- Resource: win7-20240708-en

General
- Target: f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
- Size: 1.8MB
- MD5: f0c81b8c2d9d3804826e6c70a7dc11c0
- SHA1: 17515f05154788c2c974890c754c5a925b2f54d1
- SHA256: 3b1d6e7f53b18c7b220d7017d996716e071ec4616d15cd117d7fc2d6fac0bdc5
- SHA512: 3807f57b2154f2e29b78c00e11c0c95ef4f9579251804c7f2279aa63f5f36762c4e22f3f9116b11cd11fdaa8575570533fd83f2422a1317f6037560b325d7ab5
- SSDEEP: 24576:QG52P0Ya3guZpMPl2AxWhflnUFoAXZclm3mfrbrMEALW6SSqth5vlJfp2SHkwQDY:QtSgyMPlalnUFoyUngEwW1xTpfaM
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: 0657d1
- C2: http://185.215.113.19
- install_dir: 0d8f5eb8a7
- install_file: explorti.exe
- strings_key: 6c55a5f34bb433fbd933a168577b1838
- url_paths: /Vi9leo/index.php
Extracted
- Family: stealc
- Botnet: nord
- C2: http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Extracted
- Family: stealc
- Botnet: kora
- C2: http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web-browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by explorti.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by explorti.exe
Executes dropped EXE 4 IoCs
Processes:
- PID 2448 explorti.exe
- PID 2612 d93ed97ba7.exe
- PID 1324 e8504f641c.exe
- PID 2380 c842ebd6e0.exe
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine by f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
- Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine by explorti.exe
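The three registry signatures above (VirtualBox ACPI table, BIOS version strings, Wine key) are individually weak: hardware-inventory tools and installers read SystemBiosVersion too. The script below, added here as an example and not part of the sandbox report or the sample, turns those exact key paths into detection logic and only flags a process that touches two or more distinct evasion categories. The event lines are constructed in a simplified `pid|image|operation|key` format (not a real Sysmon export); the PIDs, images and keys for 1288 and 2448 are taken from this report, while the `setup.exe` line is invented to show the single-read case that is deliberately not flagged.

```python
"""Score processes by the anti-VM registry probes this report records.

Added example for this report; it is not the sandbox vendor's code and not
the sample's. Event lines use a simplified "pid|image|operation|key" format
constructed for the example (not a real Sysmon export).
"""
import re
from collections import defaultdict

# One regex per evasion category, matched against the normalised key path.
ANTI_VM_PATTERNS = {
    "virtualbox_acpi": re.compile(r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I),
    "bios_strings": re.compile(
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$",
        re.I),
    "wine": re.compile(r"^HKU\\S-1-5-21-[\d-]+\\Software\\Wine$", re.I),
}


def normalise_key(key: str) -> str:
    """Map the kernel-style \\REGISTRY\\MACHINE and \\REGISTRY\\USER prefixes to HKLM / HKU."""
    key = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    key = key.replace("\\REGISTRY\\USER\\", "HKU\\")
    return key.rstrip("\\")


def parse_event(line: str):
    pid, image, operation, key = line.split("|", 3)
    return int(pid), image, operation, normalise_key(key)


def categories_by_process(lines):
    """(pid, image) -> sorted list of the evasion categories that process touched."""
    hits = defaultdict(set)
    for line in lines:
        pid, image, _operation, key = parse_event(line)
        for category, pattern in ANTI_VM_PATTERNS.items():
            if pattern.match(key):
                hits[(pid, image)].add(category)
    return {proc: sorted(cats) for proc, cats in hits.items()}


def suspicious_processes(lines, min_categories=2):
    """A single BIOS read is common in legitimate software, so require several
    distinct categories before calling a process an anti-VM prober."""
    return sorted(proc for proc, cats in categories_by_process(lines).items()
                  if len(cats) >= min_categories)


SAMPLE_EVENTS = [
    # Reads recorded in the report for the sample (PID 1288) and its installed copy (PID 2448).
    r"1288|f0c81b8c2d9d3804826e6c70a7dc11c0N.exe|Key opened|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"1288|f0c81b8c2d9d3804826e6c70a7dc11c0N.exe|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"1288|f0c81b8c2d9d3804826e6c70a7dc11c0N.exe|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"1288|f0c81b8c2d9d3804826e6c70a7dc11c0N.exe|Key opened|\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine",
    r"2448|explorti.exe|Key opened|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"2448|explorti.exe|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"2448|explorti.exe|Key opened|\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine",
    # Benign noise: Firefox's CPU read from the report, plus a constructed
    # installer (setup.exe, PID 4000) that reads the BIOS string once.
    r"2148|firefox.exe|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz",
    r"4000|setup.exe|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
]

if __name__ == "__main__":
    cats = categories_by_process(SAMPLE_EVENTS)
    for pid, image in suspicious_processes(SAMPLE_EVENTS):
        print(f"anti-VM probing: PID {pid} {image} -> {cats[(pid, image)]}")
```

Lowering `min_categories` to 1 also surfaces `setup.exe`; in practice that threshold is where you trade false positives against missing a sample that only implements one check.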
Loads dropped DLL 5 IoCs
Processes:
- PID 1288 f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
- PID 2448 explorti.exe (4 hits)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\d93ed97ba7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\d93ed97ba7.exe" by explorti.exe
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes:
- YARA rule autoit_exe matched six memory dumps of PID 2928, all covering 0x0000000000400000-0x000000000052D000:
  behavioral1/memory/2928-43-…-memory.dmp, 2928-45, 2928-47, 2928-50, 2928-51, 2928-53
- PID 2928 is the RegAsm.exe instance that d93ed97ba7.exe injected into via SetThreadContext (see below), so the in-memory image of that process, not RegAsm.exe itself, is what matched the AutoIt rule.
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- PID 1288 f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
- PID 2448 explorti.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 2612 d93ed97ba7.exe set thread context of PID 2928 RegAsm.exe
- PID 1324 e8504f641c.exe set thread context of PID 1264 RegAsm.exe
Drops file in Windows directory 1 IoCs
Processes:
- File created C:\Windows\Tasks\explorti.job by f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by explorti.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by d93ed97ba7.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by RegAsm.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by e8504f641c.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by RegAsm.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by c842ebd6e0.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (all six hits come from firefox.exe, none from the sample's own processes):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier by firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
Modifies registry class 1 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings by firefox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 1288 f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
- PID 2448 explorti.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2148 firefox.exe (2 hits)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (list capped at 64 entries):
- PID 1288 f0c81b8c2d9d3804826e6c70a7dc11c0N.exe (1 hit)
- PID 2148 firefox.exe (4 hits)
- PID 2928 RegAsm.exe (all remaining hits)
Suspicious use of SendNotifyMessage 64 IoCs
Processes (list capped at 64 entries):
- PID 2148 firefox.exe (3 hits)
- PID 2928 RegAsm.exe (all remaining hits)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (list capped at 64 entries; every edge below appears several times in the raw list, with the two RegAsm.exe edges and the firefox.exe parent-to-child edge accounting for most of it):
- PID 1288 f0c81b8c2d9d3804826e6c70a7dc11c0N.exe wrote to memory of PID 2448 explorti.exe
- PID 2448 explorti.exe wrote to memory of PID 2612 d93ed97ba7.exe
- PID 2612 d93ed97ba7.exe wrote to memory of PID 2928 RegAsm.exe
- PID 2448 explorti.exe wrote to memory of PID 1324 e8504f641c.exe
- PID 1324 e8504f641c.exe wrote to memory of PID 1264 RegAsm.exe
- PID 2448 explorti.exe wrote to memory of PID 2380 c842ebd6e0.exe
- PID 2928 RegAsm.exe wrote to memory of PID 2592 firefox.exe
- PID 2592 firefox.exe wrote to memory of PID 2148 firefox.exe
- PID 2148 firefox.exe wrote to memory of PID 880 firefox.exe
- PID 2148 firefox.exe wrote to memory of PID 1648 firefox.exe
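A parent writing into a child it has just created is normal (the firefox.exe edges show that), so WriteProcessMemory on its own is not the signal; the combination with SetThreadContext against a signed utility that was started with no arguments is. The script below, added here as an example rather than taken from the sandbox vendor or the sample, parses the flattened `PID <src> <op> <dst> <src> <src image> <dst image>` lines exactly as they appear in the two signatures above, rebuilds the write graph, and reports the pairs that satisfy both conditions. `HOLLOW_HOSTS` is my own assumption: a short list of .NET framework binaries that are commonly launched only to be hollowed; the only one the report evidences is RegAsm.exe. The sample lines are copied from this report, with the d93ed97ba7.exe write repeated three times to show the count.

```python
"""Rebuild cross-process memory operations from this report's IoC lines and
flag process-hollowing candidates.

Added example for this report; not the sandbox vendor's code. The parser
targets the report's own "PID <src> <op> <dst> <src> <src image> <dst image>"
lines. HOLLOW_HOSTS is an assumption (commonly abused signed .NET utilities).
"""
import re
from collections import Counter, defaultdict

IOC_RX = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$")

# Assumed list of legitimate binaries that are often started suspended and
# overwritten; RegAsm.exe is the one this report shows.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}


def parse_iocs(lines):
    """Return (Counter of (src, dst, op) edges, {pid: image name})."""
    edges = Counter()
    images = {}
    for line in lines:
        m = IOC_RX.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
        edges[(src, dst, m["op"])] += 1
    return edges, images


def hollowing_candidates(lines):
    """(src pid, src image, dst pid, dst image) for every pair where the source
    both wrote the target's memory and reset a thread context in it, and the
    target image is a known hollowing host."""
    edges, images = parse_iocs(lines)
    ops = defaultdict(set)
    for src, dst, op in edges:
        ops[(src, dst)].add(op)
    needed = {"wrote to memory of", "set thread context of"}
    return [(src, images[src], dst, images[dst])
            for (src, dst), seen in sorted(ops.items())
            if needed <= seen and images[dst].lower() in HOLLOW_HOSTS]


def write_graph(lines):
    """Unique writer -> target edges with how often each was recorded."""
    edges, images = parse_iocs(lines)
    return sorted((f"{src} {images[src]}", f"{dst} {images[dst]}", n)
                  for (src, dst, op), n in edges.items()
                  if op == "wrote to memory of")


# Lines copied from the report's SetThreadContext and WriteProcessMemory signatures.
SAMPLE_IOCS = [
    "PID 1288 wrote to memory of 2448 1288 f0c81b8c2d9d3804826e6c70a7dc11c0N.exe explorti.exe",
    "PID 1288 wrote to memory of 2448 1288 f0c81b8c2d9d3804826e6c70a7dc11c0N.exe explorti.exe",
    "PID 2448 wrote to memory of 2612 2448 explorti.exe d93ed97ba7.exe",
    "PID 2612 set thread context of 2928 2612 d93ed97ba7.exe RegAsm.exe",
    "PID 2612 wrote to memory of 2928 2612 d93ed97ba7.exe RegAsm.exe",
    "PID 2612 wrote to memory of 2928 2612 d93ed97ba7.exe RegAsm.exe",
    "PID 2612 wrote to memory of 2928 2612 d93ed97ba7.exe RegAsm.exe",
    "PID 2448 wrote to memory of 1324 2448 explorti.exe e8504f641c.exe",
    "PID 1324 set thread context of 1264 1324 e8504f641c.exe RegAsm.exe",
    "PID 1324 wrote to memory of 1264 1324 e8504f641c.exe RegAsm.exe",
    "PID 2928 wrote to memory of 2592 2928 RegAsm.exe firefox.exe",
    "PID 2592 wrote to memory of 2148 2592 firefox.exe firefox.exe",
]

if __name__ == "__main__":
    for src, dst, n in write_graph(SAMPLE_IOCS):
        print(f"{src} -> {dst} (x{n})")
    for src, src_img, dst, dst_img in hollowing_candidates(SAMPLE_IOCS):
        print(f"hollowing candidate: {src} {src_img} -> {dst} {dst_img}")
```

The firefox.exe to firefox.exe write is kept in the graph but never reaches the candidate list, because no SetThreadContext edge accompanies it; that is the distinction a detection rule built on these two events needs to make.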
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
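The persistence this run leaves behind is all visible in the report: a Run value under HKCU pointing into %TEMP%\1000036001, the installed copy at AppData\Local\Temp\0d8f5eb8a7\explorti.exe, and a C:\Windows\Tasks\explorti.job file created through the Task Scheduler COM API. The script below is an added example (not vendor or sample code) of turning those artefacts into an offline host check over two inputs a responder can collect without running anything on the host: a `reg export` of the Run keys and a directory listing of C:\Windows\Tasks. Both inputs are constructed; the d93ed97ba7.exe Run value and the explorti.job name come from the report, the e8504f641c.exe Run value is invented to exercise the second path pattern (the report records no Run value for it), and the OneDrive and SecurityHealth values stand in for ordinary autostarts. The "ten-digit folder" heuristic is drawn from this run's drop folders (1000036001, 1000037002, 1000038001) only.

```python
"""Check a reg export and a Tasks listing for the persistence this report records.

Added example, not vendor or sample code. Inputs are constructed (see lead-in).
"""
import re

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Autostart targets under %TEMP%, or in a ten-digit folder directly below the
# profile root: the two drop locations this run used (heuristic, from this run only).
SUSPECT_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Users\\[^\\]+\\\d{10}\\", re.I)
SECTION_RX = re.compile(r"^\[(.+)\]$")
VALUE_RX = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Minimal parser for REG_SZ values in a 'Windows Registry Editor' export:
    {key path: {value name: unescaped data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RX.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RX.match(line)
        if m and current is not None:
            # reg export doubles backslashes and escapes embedded quotes.
            data = m["data"].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m["name"]] = data
    return keys


def suspicious_run_entries(reg_text):
    """Run values whose command points into a user-writable drop location."""
    keys = parse_reg_export(reg_text)
    hits = [(name, data)
            for key in RUN_KEYS
            for name, data in keys.get(key, {}).items()
            if SUSPECT_PATH.search(data)]
    return sorted(hits)


def matching_job_files(listing, install_file="explorti.exe"):
    """Legacy .job files named after the install_file from the extracted config."""
    stem = install_file.rsplit(".", 1)[0].lower()
    return sorted(name for name in listing if name.lower() == stem + ".job")


# Constructed reg export; see the lead-in for which lines come from the report.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"d93ed97ba7.exe"="C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\d93ed97ba7.exe"
"e8504f641c.exe"="C:\\Users\\Admin\\1000037002\\e8504f641c.exe"
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

# Constructed listing of C:\Windows\Tasks; explorti.job is the file the report records.
TASKS_LISTING = ["explorti.job", "GoogleUpdateTaskMachineUA.job", "SA.DAT"]

if __name__ == "__main__":
    for name, data in suspicious_run_entries(REG_EXPORT):
        print(f"suspicious Run value {name!r} -> {data}")
    for job in matching_job_files(TASKS_LISTING):
        print(f"scheduled task file matching install_file: {job}")
```

The .job match is keyed on the `install_file` from the extracted Amadey config, so the same function can be pointed at a different config value; the Run-key check deliberately looks at where the target lives rather than at its name, since the dropped file names here are random hex.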
Processes
[1] C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe (PID 1288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 2448)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[3] C:\Users\Admin\AppData\Local\Temp\1000036001\d93ed97ba7.exe (PID 2612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\d93ed97ba7.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2928)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[5] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2592)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Suspicious use of WriteProcessMemory

[6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2148)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 880)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.0.1832647455\1064450107" -parentBuildID 20221007134813 -prefsHandle 1268 -prefMapHandle 1252 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7af2f12f-c8fb-4f25-be1a-b2f8364b5ced} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1344 13007058 gpu

[7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1648)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.1.582703326\1808130173" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f47b87f-e5e7-42da-a510-4f95e4edb867} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1544 42eb558 socket

[7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2200)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.2.869826310\167826436" -childID 1 -isForBrowser -prefsHandle 1952 -prefMapHandle 1948 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19b5a899-ed00-42e7-9881-108743dae0bf} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1964 14d54a58 tab

[7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2420)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.3.241861758\1533543536" -childID 2 -isForBrowser -prefsHandle 2540 -prefMapHandle 2536 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41cb24a6-6bb9-4e44-8092-283b83156df1} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1716 e6a458 tab

[7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 448)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.4.1876412200\2024881064" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e6d30f2-d057-41fe-94de-ca7c79696ac8} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 3744 1ef59c58 tab

[7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2676)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.5.88212847\986315702" -childID 4 -isForBrowser -prefsHandle 3856 -prefMapHandle 3860 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {480caac7-c765-472d-bfaa-cfd7aec9536c} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 3848 1f517258 tab

[7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 824)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.6.121001876\1499746931" -childID 5 -isForBrowser -prefsHandle 4016 -prefMapHandle 4020 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21f1cc53-56ca-4c31-854b-6682feda4aa8} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 4008 1f519c58 tab

[7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 556)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.7.1426908291\900042995" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4368 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c67f178-da77-47e6-adf0-1220b1b3a9fc} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 4380 e5ea58 tab

[3] C:\Users\Admin\1000037002\e8504f641c.exe (PID 1324)
    Command line: "C:\Users\Admin\1000037002\e8504f641c.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1264)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery

[3] C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe (PID 2380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1), Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 207KB
  MD5: a8d6928ee3efb9ce0d4735bb7fe15d4d
  SHA1: b7588c0db721613d6d878f57a79055f73a14c607
  SHA256: 955a439d5bd2b53a05e15f9a8cfcd769ce37e035095e2172030810ebfe46b5a0
  SHA512: 1f4d026ace9c9d31a6fcfedebaaed5b508d08dfd080a3e3eb15b86ddb1c89693adaa5e9e4a6edf8d0cd1457cfeb64fab6da3f68bf0f0fd754c34a18bcbf78088
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 49KB
  MD5: 3f71e2ddeb75af4b3faff1a794242de9
  SHA1: d5ca83f84148fc64e36e629df14bf09b40318e67
  SHA256: 555b02fbf9d1e44ecb72278794a376e481dcf7c9c83b71bea84741fe6b1bef1f
  SHA512: 6ec2977e32e13619f574873c71e2dba46a0c458af2f8260717ed52a5b2ac9ac75e6d2847fe699aab1a2f9eefd911a0f3c7383d1ab863a16466321a6e50198906
- Filesize: 1.2MB
  MD5: 75a2d87eafbefb74dc8bab6fec16cac1
  SHA1: c3decd95d7e19c4dbd1d7b9e409eeb4861c6f369
  SHA256: 0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a
  SHA512: 1b6c9ad97b74f639d26fd6d3af7c218f04ef08b77f6d6a67c05350c2965941472592fc6cc9c878644e686532295a20cc23d95ca5db4b62a86ec440000079c5f4
- Filesize: 187KB
  MD5: 278ee1426274818874556aa18fd02e3a
  SHA1: 185a2761330024dec52134df2c8388c461451acb
  SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
  SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
- Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
- Filesize: 8.0MB
  MD5: a01c5ecd6108350ae23d2cddf0e77c17
  SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 024b5042533f7081429531e3030c562b
  SHA1: 03bf5b2a3702e08ae56331d356e20dd121ff45db
  SHA256: 9da9777e4790df54c4788f625a68e9f0c3bccb73cf7c43c20e50ca7e8a07fea2
  SHA512: c0d3e0f61c427743c603c127094faeb4de60eb0289666d9ac4e3c242754cfb23a99ecfa6ccc7a2787788c050bc3bab5083eb8f2a506881b7ab613d5bd6263e1a
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\81a6bdbc-9e3d-4c40-b9e4-af1e4d69d8e4
  Filesize: 12KB
  MD5: 92a082e126d323abaa3140e0cd82d45d
  SHA1: 706029c56eb991662daed10069e10fce56f47939
  SHA256: ccb8ea228ac929336605e91b642d928c9968afd5e9c9422ac76b257958c4bbf7
  SHA512: 081b648f15d06904b392aa3da7bd7141d0fd38f4d76b214aa8421b7fae272030bd4dced418453426d5d593802f6beefe4226a6a06d7523666eff91c5129d2fb1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\d9b545e4-cf08-4ea8-9415-b9f4950527b0
  Filesize: 745B
  MD5: c011f61a178788b3ad101365c69b30f0
  SHA1: 1c481772d15d54de72cefa6fb4027bd6bca7ba64
  SHA256: e2df2f0e10abf529a135b6e47e0c7099cf05278601de4eaf04add80b74efa848
  SHA512: 4a5092abdd798ca49e79fecbdd6c79182a4cf8900cb1896ae870cdc40bfdca11415ef5be5c98f2c0ec985e198d4e757b3ed5f3d389b9e13fa2e17ec9bbf5f883
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
- Filesize: 7KB
  MD5: 7858bcbdf23b7f4acc8bc829fb3d36d3
  SHA1: c90b20a227ec5faa1728974d9ec86be56462d7ad
  SHA256: 95da5e83b355e704b1c0adade313039692e8ff6dedd6b5c07cfb4fe27c82113c
  SHA512: a6c3feba56383a881c7e627b5843f315b159e2a2743ca82fcabfda60b2d26e2b8fbaf16c5abf2a9b0fc91cd36cd879a25680463093bacfaecebc2c8747e978ea
- Filesize: 7KB
  MD5: e50cfce541ea774c6d44d61c1c1dd3ea
  SHA1: de919a7ad32a7f99209bd05df4684f64f2821ca1
  SHA256: eca9f09884e3f005d26da3a6129e09684b77adeed3b3585d0ba36a2632a1b656
  SHA512: 44aba0b38b807bf3e8c23685d8e73f653f3e7ae15ea205ec75a8d9404efa1ffee74949123b2cdf186c27535bb79f239d1b1134fec234c1fe6dd1bad1001fca67
- Filesize: 6KB
  MD5: 71883ecaeae667543f7629d88aab69b0
  SHA1: 7672a7e68331bc135d7254edce2ece36bcb03c74
  SHA256: 29b5c73c669272ec973e4dc381a7c919b16e9763f646a12db33c3c9ca222c118
  SHA512: aa954b40d339096d6794a6c04cca19f7c8e05b73e5bb87ddfd432f0fe5b7589daf34d4dda6a469c107185a345e89ecdae2173f494913febb2d1acc6be1f64a50
- Filesize: 6KB
  MD5: c2ce246b108b4734ef1888fc12848185
  SHA1: 2b61de262fc93022163be6f0be208ec447962686
  SHA256: 0efdf83e572333869ea273757a7b67d3c732a6d38fb18a88d09dbe192f3f337f
  SHA512: 372c78d99e6f51ed842c6e1e00860a5d2899cdb3d53d0fc2f62d06acc5b0af54e2d4aadbb1e84cb4ecc1b0e3ba22b256b9089e5d7aeb532c8e36f63c3de2bfff
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: e851e09a264e029f640030ff14db942f
  SHA1: d9190bdc47eea4aa5943d0f9da4a22695bdc8b40
  SHA256: 4fa8a49ddac85a5928fba0d92ae9e772ee406640444734c741929862ea786da2
  SHA512: dfe9b4d6b1af3f2326daf890998b6ad7251bcf5f249d0f3f2de91660ea48e3173119098ab988a95c8afaa32af0e2cbc9aa58d934249990e70e32bd506253d25d
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: d173bbe57d5121c2283325d6d107d156
  SHA1: 383346a9df586a18e4e2c7f0c2889a23cf701ea2
  SHA256: feb9a94ed9cdfe7c6102206c93e1ea4ba18bc2c490ac21985ec89b8ee652f33f
  SHA512: c5f33fab8c86d36b900a35468b121eff85fef50aec9885ffcdd6c8b05cfd0996b84c2a91e0b3ffe5f8fed14a95800b63b13dc49c7be78d7ea0fbe72f8ad40414
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5: ad433daea64ba9329d6552451e240f44
  SHA1: 5f5087e5a2ea95f1b89b35d70808891d974d6c9d
  SHA256: 4ec6eca8436fcd2bc46e56ea57205ea8a20b25550dcfed6f2b29a0a4ad2c9c79
  SHA512: 01aa30a9a07306ccc7688a9a6d9cd1c880c99e8af07d7332f83e5c0809399d70dbe971ac2a3e4c7df2887af413fe13a97d9eb8be49a4fe9f5395e071b50028d8
- Filesize: 1.8MB (same hashes as the submitted sample)
  MD5: f0c81b8c2d9d3804826e6c70a7dc11c0
  SHA1: 17515f05154788c2c974890c754c5a925b2f54d1
  SHA256: 3b1d6e7f53b18c7b220d7017d996716e071ec4616d15cd117d7fc2d6fac0bdc5
  SHA512: 3807f57b2154f2e29b78c00e11c0c95ef4f9579251804c7f2279aa63f5f36762c4e22f3f9116b11cd11fdaa8575570533fd83f2422a1317f6037560b325d7ab5