Resubmissions
- 24/08/2024, 19:10: 240824-xvmgnsvarc (score 10)
- 24/08/2024, 18:56: 240824-xlh3wstfpb (score 4)
- 23/08/2024, 11:21: 240823-nf4mza1bqc (score 4)
- 23/08/2024, 11:13: 240823-nbkz3azhrc (score 10)
- 23/08/2024, 11:10: 240823-m9qsjashrq (score 4)
- 22/08/2024, 07:12: 240822-h1kgyaxfpj (score 1)
- 22/08/2024, 07:06: 240822-hxesaaxenm (score 10)
- 22/08/2024, 07:00: 240822-hs54nsxdln (score 10)
- 22/08/2024, 06:36: 240822-hc93patara (score 8)
- 22/08/2024, 06:32: 240822-ha293awfnl (score 1)
Analysis
- max time kernel: 35s
- max time network: 31s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 22/08/2024, 06:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: http45.151.62.96setup.exe.txt
- Resource: win10-20240404-en
General
- Target: http45.151.62.96setup.exe.txt
- Size: 29B
- MD5: 688fe12c2f39d3d739a04e6c89b1b22f
- SHA1: e2ea25ad47861e77b912026839666d3a99f5c90b
- SHA256: 35e4cca77e38bd9beaf4a33c97a6f2464ca5ff63bbcf59831bd829b4683fda3c
- SHA512: f56694118d4adee2e0c65fb28c3ef86bc5db032656e2306e02e0f5b19706e260f0505ee97f5068d07ae5149a410a15eccd3ebc758d216a5549d7dc0de52834ac
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  - PID 3240 setup.exe
  - PID 4444 setup.exe
  - PID 1956 Autoit3.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 32: myexternalip.com
- Command and Scripting Interpreter: AutoIT (1 TTP, 1 IoC)
  Uses AutoIT, possibly to run an automated script.
  - PID 1956 Autoit3.exe
- Suspicious use of SetThreadContext (1 IoC)
  - PID 3240 (setup.exe) set thread context of PID 4444 (procid_target 84)
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\rescache\_merged\1601268389\715946058.pri (taskmgr.exe)
  - File created: C:\Windows\rescache\_merged\4183903823\2290032291.pri (taskmgr.exe)
- Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
  When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  - File created: C:\Users\Admin\Downloads\setup.exe:Zone.Identifier (firefox.exe)
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (setup.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (setup.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Autoit3.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WMIC.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Checks processor information in registry (2 TTPs, 7 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Autoit3.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Autoit3.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings (firefox.exe)
- NTFS ADS (1 IoC)
  - File created: C:\Users\Admin\Downloads\setup.exe:Zone.Identifier (firefox.exe)
- Opens file in notepad (likely ransom note) (1 IoC)
  - PID 2536 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  - PID 1956 Autoit3.exe (2 entries)
  - PID 1560 taskmgr.exe (19 entries)
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  - PID 3996 firefox.exe: Token SeDebugPrivilege (2 entries)
  - PID 4928 WMIC.exe, each token listed twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, 33, 34, 35, 36
  - PID 1560 taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
- Suspicious use of FindShellTrayWindow (50 IoCs)
  - PID 3996 firefox.exe (4 entries)
  - PID 1560 taskmgr.exe (46 entries)
- Suspicious use of SendNotifyMessage (48 IoCs)
  - PID 3996 firefox.exe (3 entries)
  - PID 1560 taskmgr.exe (45 entries)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  - PID 3996 firefox.exe (4 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  - PID 2916 (firefox.exe) wrote to memory of PID 3996, procid_target 74 (11 entries)
  - PID 3996 (firefox.exe) wrote to memory of PID 760, procid_target 75 (2 entries)
  - PID 3996 (firefox.exe) wrote to memory of PID 32, procid_target 76 (48 entries)
  - PID 3996 (firefox.exe) wrote to memory of PID 4612, procid_target 77 (3 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\NOTEPAD.EXE (PID 2536)
  Command line: C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.txt
  - Opens file in notepad (likely ransom note)
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 2916)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\Mozilla Firefox\firefox.exe (PID 3996)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Child: C:\Program Files\Mozilla Firefox\firefox.exe (PID 760)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.0.974040290\1114389451" -parentBuildID 20221007134813 -prefsHandle 1676 -prefMapHandle 1668 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb41fb8f-5404-4c1c-86a0-efcadfd91a77} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 1764 2a4e03f3e58 gpu
    - Child: C:\Program Files\Mozilla Firefox\firefox.exe (PID 32)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.1.1618104587\1181048756" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47f30655-171f-4389-96d0-ec7305111bdf} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 2120 2a4ce372858 socket
    - Child: C:\Program Files\Mozilla Firefox\firefox.exe (PID 4612)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.2.866457157\237572596" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2836 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {328fdc4a-467b-4e2c-b9f6-1ed5ec51c3d4} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 2828 2a4e0359e58 tab
    - Child: C:\Program Files\Mozilla Firefox\firefox.exe (PID 424)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.3.1701111360\1343833503" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3416 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fff022d-6de4-4460-9609-b1fcc29ca590} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 3396 2a4ce36b858 tab
    - Child: C:\Program Files\Mozilla Firefox\firefox.exe (PID 1788)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.4.1023684130\1813810357" -childID 3 -isForBrowser -prefsHandle 4380 -prefMapHandle 4376 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a376385f-d61c-4d6e-9cd2-c554bf9e8c8e} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 4392 2a4e67cbd58 tab
    - Child: C:\Program Files\Mozilla Firefox\firefox.exe (PID 2712)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.5.1573068189\776986783" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4944 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41d98163-1508-44c4-ad90-11ac58bc964f} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 4800 2a4e6f3e258 tab
    - Child: C:\Program Files\Mozilla Firefox\firefox.exe (PID 1804)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.6.1373494887\1993526562" -childID 5 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7cf85ae-a2bf-441c-9d1f-9f4f6ee60a9d} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 5072 2a4e6f9a658 tab
    - Child: C:\Program Files\Mozilla Firefox\firefox.exe (PID 4192)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.7.1848729516\1957305340" -childID 6 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c07263ee-493f-4db9-ac67-979a5c0449a3} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 5272 2a4e6f99458 tab
    - Child: C:\Users\Admin\Downloads\setup.exe (PID 3240)
      Command line: "C:\Users\Admin\Downloads\setup.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Child: C:\Users\Admin\Downloads\setup.exe (PID 4444)
        Command line: "C:\Users\Admin\Downloads\setup.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Child: \??\c:\temp2\Autoit3.exe (PID 1956)
          Command line: "c:\temp2\Autoit3.exe" c:\temp2\script.a3x
          - Executes dropped EXE
          - Command and Scripting Interpreter: AutoIT
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Child: \??\c:\windows\SysWOW64\cmd.exe (PID 2684)
            Command line: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fahfccd\khbfecb
            - System Location Discovery: System Language Discovery
            - Child: C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4928)
              Command line: wmic ComputerSystem get domain
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe (PID 1560)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads