Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
15-08-2024 06:39
Static task
static1
Behavioral task
behavioral1
Sample
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe
Resource
win7-20240708-en
General
-
Target
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe
-
Size
1.8MB
-
MD5
681684038f5ae0cbb1974d2dd82c345c
-
SHA1
cef63a7eadae08d4e663e5222e70ecdb04ba54de
-
SHA256
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24
-
SHA512
d9726dfd336e86838fdee5f3588872dd97528e7d33265872c3417f6b98ca4f4e12135de2d9b2a56898f74d25cad73316ffd46451c17c4853ee663bcb2c3a690c
-
SSDEEP
49152:h1EeaZlsY7/Y12f84uo2Zqj1RtvDh2mCz4i:hyvZlsYTYMfBuHZKlG
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
explorti.exefcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Executes dropped EXE 4 IoCs
Processes:
explorti.exed6e34ea08b.exeecc1975702.exee124e926cc.exepid process 1036 explorti.exe 2732 d6e34ea08b.exe 1784 ecc1975702.exe 1752 e124e926cc.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine explorti.exe -
Loads dropped DLL 5 IoCs
Processes:
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exeexplorti.exepid process 2292 fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe 1036 explorti.exe 1036 explorti.exe 1036 explorti.exe 1036 explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\d6e34ea08b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\d6e34ea08b.exe" explorti.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/1992-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1992-48-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1992-50-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1992-51-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1992-53-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/1992-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exeexplorti.exepid process 2292 fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe 1036 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
d6e34ea08b.exeecc1975702.exedescription pid process target process PID 2732 set thread context of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 1784 set thread context of 2380 1784 ecc1975702.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exedescription ioc process File created C:\Windows\Tasks\explorti.job fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
explorti.exed6e34ea08b.exeRegAsm.exeecc1975702.exeRegAsm.exee124e926cc.exefcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d6e34ea08b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecc1975702.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e124e926cc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exeexplorti.exepid process 2292 fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe 1036 explorti.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2920 firefox.exe Token: SeDebugPrivilege 2920 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exeRegAsm.exefirefox.exepid process 2292 fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 2920 firefox.exe 2920 firefox.exe 2920 firefox.exe 2920 firefox.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 2920 firefox.exe 2920 firefox.exe 2920 firefox.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe 1992 RegAsm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exeexplorti.exed6e34ea08b.exeecc1975702.exeRegAsm.exefirefox.exedescription pid process target process PID 2292 wrote to memory of 1036 2292 fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe explorti.exe PID 2292 wrote to memory of 1036 2292 fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe explorti.exe PID 2292 wrote to memory of 1036 2292 fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe explorti.exe PID 2292 wrote to memory of 1036 2292 fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe explorti.exe PID 1036 wrote to memory of 2732 1036 explorti.exe d6e34ea08b.exe PID 1036 wrote to memory of 2732 1036 explorti.exe d6e34ea08b.exe PID 1036 wrote to memory of 2732 1036 explorti.exe d6e34ea08b.exe PID 1036 wrote to memory of 2732 1036 explorti.exe d6e34ea08b.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 2732 wrote to memory of 1992 2732 d6e34ea08b.exe RegAsm.exe PID 1036 wrote to memory of 1784 1036 explorti.exe ecc1975702.exe PID 1036 wrote to memory of 1784 1036 explorti.exe ecc1975702.exe PID 1036 wrote to memory of 1784 1036 explorti.exe ecc1975702.exe PID 1036 wrote to memory of 1784 1036 explorti.exe ecc1975702.exe PID 1784 wrote to memory of 2316 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2316 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2316 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2316 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2316 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2316 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2316 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1784 wrote to memory of 2380 1784 ecc1975702.exe RegAsm.exe PID 1036 wrote to memory of 1752 1036 explorti.exe e124e926cc.exe PID 1036 wrote to memory of 1752 1036 explorti.exe e124e926cc.exe PID 1036 wrote to memory of 1752 1036 explorti.exe e124e926cc.exe PID 1036 wrote to memory of 1752 1036 explorti.exe e124e926cc.exe PID 1992 wrote to memory of 2072 1992 RegAsm.exe firefox.exe PID 1992 wrote to memory of 2072 1992 RegAsm.exe firefox.exe PID 1992 wrote to memory of 2072 1992 RegAsm.exe firefox.exe PID 1992 wrote to memory of 2072 1992 RegAsm.exe firefox.exe PID 2072 wrote to memory of 2920 2072 firefox.exe firefox.exe PID 2072 wrote to memory of 2920 2072 firefox.exe firefox.exe PID 2072 wrote to memory of 2920 2072 firefox.exe firefox.exe PID 2072 wrote to memory of 2920 2072 firefox.exe firefox.exe PID 2072 wrote to memory of 2920 2072 firefox.exe firefox.exe PID 2072 wrote to memory of 2920 2072 firefox.exe firefox.exe PID 2072 wrote to memory of 2920 2072 firefox.exe firefox.exe PID 2072 wrote to memory of 2920 2072 firefox.exe firefox.exe PID 2072 wrote to memory of 2920 2072 firefox.exe firefox.exe PID 2072 wrote to memory of 2920 2072 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe"C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2920 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.0.989326113\1075221403" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {790340be-cf50-49fa-a214-c78385a050a9} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1296 120c3258 gpu7⤵PID:1312
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.1.1236831926\521581505" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {561d9664-817e-4324-baee-0b1ee03dbedd} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1504 d74b58 socket7⤵PID:1088
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.2.175638851\1013856918" -childID 1 -isForBrowser -prefsHandle 1084 -prefMapHandle 1804 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f2684b6-d561-4490-bf27-2c4d09f171a4} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1712 1a2a0658 tab7⤵PID:2092
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.3.435760471\479381200" -childID 2 -isForBrowser -prefsHandle 2792 -prefMapHandle 2788 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ccc1bab-8c5d-428e-b49b-92a5caa7a89e} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 2804 1cd6b758 tab7⤵PID:852
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.4.2157860\768774040" -childID 3 -isForBrowser -prefsHandle 3928 -prefMapHandle 3916 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acf61e75-43df-4ac5-a6ca-1595acb62f4d} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 3936 20489758 tab7⤵PID:2368
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.5.305339510\1832860854" -childID 4 -isForBrowser -prefsHandle 4040 -prefMapHandle 4044 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {714c12cd-1e1d-48a7-bb52-cb2a5cd94d98} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 4028 2048a658 tab7⤵PID:2076
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.6.136818635\238945640" -childID 5 -isForBrowser -prefsHandle 4208 -prefMapHandle 4212 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20f45e68-d0bc-4795-a574-459e7a2441ae} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 4196 204f9258 tab7⤵PID:1576
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.7.28051041\883730353" -childID 6 -isForBrowser -prefsHandle 3928 -prefMapHandle 4484 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eebba89-3231-4bea-bf88-edcec277299a} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 4492 1b2b1258 tab7⤵PID:2200
-
C:\Users\Admin\1000037002\ecc1975702.exe"C:\Users\Admin\1000037002\ecc1975702.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2316
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\1000038001\e124e926cc.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\e124e926cc.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
330KB
MD59b5ce0aad79aa13bb49dac5c65263ad8
SHA1e0d347799df48b5c1329fca59ec75f219b71c2de
SHA256f4b001e32cc190b798b767b41fa1556a384ee248920b71e8c1bd6e37ec4adb48
SHA512b884bbcb15fd5dfb0e03209c5d697396536b4587190cd9bd0de157cf52152382b6ba90ad90b109a42f2d4f2b88a28585bfd01d42ed709085bb2857f065329dfd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp
Filesize44KB
MD529a1867445d680ae733f60b7bd0e1e7c
SHA1627bed078168176d9cec45109abed9a77591595f
SHA25617e08b3883803fd1c2f3e41b267f23cda513a3eedf1f345f3c12f93871f66b0b
SHA5126eec52c7b3cc0206f0943802b1e77f41ef745de2a08426f590d13cde7936e77317e9a88268b581d653b195bbd378270afedafafa5de3574eb45c441b9777fca3
-
Filesize
1.3MB
MD5980c41e3847ca8442702221633cee6ef
SHA16359f2bdce723290d5e59d75632ee1b34ccbfccb
SHA256b334b35ee113fb34996ea6b19e0989865679c484c4efdc4a78e1f2b72dca3aad
SHA5122f98d724596b5ab1c96dde899fe3de2549271bdd9fdb4ac586b756d41a40bfb9d9343ea845c52a192d12f1836f879736fc39ca3c0dbfc84cb2be6f40f82912fa
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD56649ae75079c7bb4def49376c890f693
SHA18f05279c9c16760733fd559533ac25e214024cf4
SHA2564672611896c3b4d543bcb82fdf68c2eae226bf163e88c07d3c943abcd8c97142
SHA512519992eacee0c976efd6afff7e4a7fe0afa76e514850f70cc04e90666c82ab95952d96cb4a93a99b0e4911966e599c2d8f18f6335e4099310e37807f6443894f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\4b830587-d6da-45fd-a668-dfc609d7c1a6
Filesize745B
MD50c75d2b9ca9318139c5067b8da435711
SHA1016b4e4f203d6dce5c5506b44f45c5b8808864d5
SHA2562d59548537838b3ab113024922261224aec493336ee553521386d922ce75192d
SHA51240788e8699f18449fac6aa623b866416b9dc64f77f20c969745a893bc471462dcbfcb517241856e255babfa9039ce147f0a858577e461fc483169ed60d6b0d9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\da56f159-8a3d-401b-bd22-af81f5e808c2
Filesize11KB
MD5de8494351c48ff79d6171096beab792d
SHA1ba011672b55c8224aae35a7847922fec8f69f94f
SHA25670b34033e2a90e9f4e18a12b2dc19eb0ffd2f0907b4db0b5008a321dec28b062
SHA5125b5fabb0e8b277fbee5098a94e7814953960a1b3ac08e35946c5bfaa01f198120fbd234df99f3ff2116cf0284727c38255c18cfc91919cd8cf2a73002ee517f7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD515c2544ff886376d35bb574bf468f811
SHA1c30f9ff53378a38642a6253408278a0a290a8ab6
SHA256b2f1a0edbc0f32380fc0b27e2a19c8870bad8826549b5718f19b072bec470929
SHA5124c01afa8063285ff3b0b435e1f1564257be060aa737971aa0b242edc0d2b87cc6b9ff98f9df0e6fd0b80f24b8af9a1d65e4d9fbbd9fcd1d928b244f7d0e17eb0
-
Filesize
7KB
MD5a0d83aeecb1851934046b132624aa007
SHA19a5b42d4059db987e71fe3ca68e92a4555d6f1f3
SHA2562e88e9c5e9c1ed7b676b0ddb2b3cdbefeee8545e6fafeb6b6f18e4706069359c
SHA512098ecc37fb995cb03f574d4d4d739882c220ba8f778ac9d908b9043f5c1a3eb5050e2db7d475652d7204e3fb1b92368366274ee701cdbe30674edbd78d3aa691
-
Filesize
7KB
MD5c3629a098ef3729e645ca7866a54848e
SHA1daa8f1c98870aa6ec9c9e9750b13115cab7f8ada
SHA2561ebfec5b4a75183d0a54a4cb1923046556fb0a2835498ca79e0472a2b4eef043
SHA512dca7a9044de7a4ade2a26a9ee96c70b64de0744a8caf950896a5a07997457bd850f820a7f938ce4fe425ae6648823cfa2e078accdd467114bcea9d5613070d46
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5cdbcf79a597f7e5ca0b8a399eb5ed08f
SHA118c418b993d0265844e9b54e6efaea61baf2224c
SHA2561994a9b192d0acf9b95492c7a274f1db1311ad2545a6c8b1360f17463c3cc38a
SHA512b5d552aadf92a60a68dbdedb3b6cf891e4d32f59c18ff1466e0b51ba7f3a6ec4b8fa61dc29b9bdbe304024002af02e99a6fa210b26e4c26ec76ca4be9b586dae
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD50f5d3c05bd3e4c81f23ae92c754d2173
SHA17c6ff5e78023dec7e8710b94637b7d82287bedfe
SHA256369f8b81b27e58073b0fb3e086e54f839f87a090ab6c3ed65646dfa99527a7f4
SHA512c538c62cf93d0fc5568c3bc41fb83d3aa7472ee70f2eb6721f78480560f83ff6763e7fc9586cb19d90cb3e83d2cd4ab5de6b940301cad1d9dfc22a4bdd582aa2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD53dc733f51b6c47c0e57ae7035b9abacf
SHA1d4c28a6f9d4bae9e297440a46726a2cb3e2504ba
SHA256aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1
SHA512e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067
-
Filesize
1.8MB
MD5681684038f5ae0cbb1974d2dd82c345c
SHA1cef63a7eadae08d4e663e5222e70ecdb04ba54de
SHA256fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24
SHA512d9726dfd336e86838fdee5f3588872dd97528e7d33265872c3417f6b98ca4f4e12135de2d9b2a56898f74d25cad73316ffd46451c17c4853ee663bcb2c3a690c