Analysis
-
max time kernel
451s -
max time network
453s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
09/09/2024, 21:16
General
-
Target
verify-ua.html
-
Size
5KB
-
MD5
bdcd890677a32b056ffd78cd896eff89
-
SHA1
92ab74ed8d40e336c4c33a44435521f377007df8
-
SHA256
1041a83d20c8cb7b9303c65aa563078dc4b10e6db8f3547b74278bc6c0644e98
-
SHA512
3bedc2cec5f892c688811feaacff43845762be06e212510cba9abd9080ffa849c46ca2566722ab3f2c25afda3cb9baaa5e78e1e6c8351ea41eb3add49e75cc01
-
SSDEEP
96:GiOts4fcZxpPsCkHInCnir7NVirCQXqHVoITMF6apE4sW:7Ots5sGnRTirio6+sW
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 26 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Drops file in Windows directory 13 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 23 IoCs
-
Suspicious use of SendNotifyMessage 21 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\verify-ua.html1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3832,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4396,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4660 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5460,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5480,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5864,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6240,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6252 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6404,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=760,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=4748,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6604 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=4988,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=4080,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:81⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=5216,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6780 /prefetch:11⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x154 0x2c81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6748,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6536 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=5168,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6964 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7100,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7116,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7176 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=7460,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7412 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7464,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7692 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=7608,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7696 /prefetch:81⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\BadRabbit\[email protected]"C:\Users\Admin\Downloads\BadRabbit\[email protected]"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1119613056 && exit"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1119613056 && exit"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 21:36:003⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 21:36:004⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\1704.tmp"C:\Windows\1704.tmp" \\.\pipe\{78B9FCA7-89FB-4DE5-84FB-88D60049B496}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Downloads\BadRabbit\[email protected]"C:\Users\Admin\Downloads\BadRabbit\[email protected]"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit\[email protected]"C:\Users\Admin\Downloads\BadRabbit\[email protected]"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit\[email protected]"C:\Users\Admin\Downloads\BadRabbit\[email protected]"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit\[email protected]"C:\Users\Admin\Downloads\BadRabbit\[email protected]"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=7140,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7992 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=5668,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=7316,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=8040 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5108,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5744 /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-ETHBI.tmp\ska2pwej.aeh.tmp"C:\Users\Admin\AppData\Local\Temp\is-ETHBI.tmp\ska2pwej.aeh.tmp" /SL5="$160064,4511977,830464,C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe"C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-IL6CD.tmp\ska2pwej.aeh.tmp"C:\Users\Admin\AppData\Local\Temp\is-IL6CD.tmp\ska2pwej.aeh.tmp" /SL5="$2039A,4511977,830464,C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=7272,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7296 /prefetch:11⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c668559b-8976-4e1b-8ad3-f3f8575e345b} 572 "\\.\pipe\gecko-crash-server-pipe.572" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23638 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {176e33fd-205b-4887-aee6-dacfdcc49405} 572 "\\.\pipe\gecko-crash-server-pipe.572" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3192 -prefsLen 23779 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1c6b055-bcc7-4497-a6a0-b3a33202f475} 572 "\\.\pipe\gecko-crash-server-pipe.572" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 2 -isForBrowser -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66f6587a-37c9-422e-a129-60bd060cbe93} 572 "\\.\pipe\gecko-crash-server-pipe.572" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4704 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4740 -prefMapHandle 4824 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16f17028-b06b-43a0-89cb-914f3b6c2234} 572 "\\.\pipe\gecko-crash-server-pipe.572" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 5040 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd434ef7-a93d-4bc4-b8be-624f1efc55e3} 572 "\\.\pipe\gecko-crash-server-pipe.572" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -childID 4 -isForBrowser -prefsHandle 5276 -prefMapHandle 5272 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1310b4a6-ebd4-4519-be4d-71fe62ca2442} 572 "\\.\pipe\gecko-crash-server-pipe.572" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -childID 5 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b13c50df-b4ed-41c8-af4f-a6568447657b} 572 "\\.\pipe\gecko-crash-server-pipe.572" tab3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=7392,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=7392,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=4648,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=7396,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=8024 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5568,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7216 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=6360,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6128 /prefetch:81⤵
-
C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 15562⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5568 -ip 55681⤵
-
C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 15282⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5648 -ip 56481⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5c460716b62456449360b23cf5663f275
SHA106573a83d88286153066bae7062cc9300e567d92
SHA2560ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30
-
Filesize
23KB
MD535cbdbe6987b9951d3467dda2f318f3c
SHA1c0c7bc36c2fb710938f7666858324b141bc5ff22
SHA256e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83
SHA512e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7
-
Filesize
114KB
MD5bf6a0f5d2d5f54ceb5b899a2172a335b
SHA1e8992a9d4aeb39647b262d36c1e28ac14702c83e
SHA25632ef07a1a2954a40436d625814d0ce0e04f4a45e711beebc7e159d4c1b2556b6
SHA51249a093345160b645209f4fc806ae67a55ff35e50f54c9fa7ec49d153743e448db9c2fafae61659165d0082fabc473c3e7d47573a481161ddb4c9b5fdd079fc90
-
Filesize
495KB
MD5283544d7f0173e6b5bfbfbc23d1c2fb0
SHA13e33b2ef50dac60b7411a84779d61bdb0ed9d673
SHA2569165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735
SHA512150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b
-
Filesize
72KB
MD5c1a31ab7394444fd8aa2e8fe3c7c5094
SHA1649a0915f4e063314e3f04d284fea8656f6eb62b
SHA25664b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4
SHA5123514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e
-
Filesize
378KB
MD5f5ee17938d7c545bf62ad955803661c7
SHA1dd0647d250539f1ec580737de102e2515558f422
SHA2568a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78
SHA512669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c
-
Filesize
11.3MB
MD5fddc7534f3281feb4419da7404d89b4c
SHA119bdefc2c9e0abd03fe5ee4fad9c813a837f844f
SHA256f13da9813fa11b81ee4180794cbad2b280422716a080bf4c0791996be7f7908e
SHA512c5428179dc222366234125bd78f63a9350c9329e4d46646bb3361de143974d261bd7a8df6155bc7ef46ad3725302837f4769a26459b8b4b5b5304a810303b1ea
-
Filesize
257KB
MD560d3737a1f84758238483d865a3056dc
SHA117b13048c1db4e56120fed53abc4056ecb4c56ed
SHA2563436c29dec2c7f633f4766acaf334f6c395d70ea6180c0ea7c1610591d5d89b9
SHA512d34f42b59349f3be1ac39a57207f616a44f56a6c74157be8116fff5df75275928065065a89f10bd79849e58b14d1e5e0ea156be5996ff8ca4f5d854e107c96fe
-
Filesize
1KB
MD5b492287271363085810ef581a1be0fa3
SHA14b27b7d87e2fdbdda530afcda73784877cc1a691
SHA256a5fcca5b80f200e9a3ff358d9cac56a0ffabb6f26d97da7f850de14f0fb2709e
SHA512859fa454d8a72771038dc2ff9e7ec3905f83a6a828cc4fc78107b309bdcd45724c749357011af978163f93e7096eb9e9419e3258ea9bd6b652154fe6dd01d036
-
Filesize
2.5MB
MD562e5dbc52010c304c82ada0ac564eff9
SHA1d911cb02fdaf79e7c35b863699d21ee7a0514116
SHA256bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2
SHA512b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD5f69237a47df1a759ce559d0f3f6c2f6b
SHA144e752b982c9f5acfbe6e3f62c4f21a705fd9279
SHA256fe52b7c1a7092997fe9403e2e1ab317d0f6f7993ca41d1fe21b0a90ef3d0f78d
SHA51227fdd8038e647bb6c48da58bd2a3d99290ad1c90380ea9ff6c5b2ae378d90b95de81f82d408cc7ee732f5a8bfc491ccf96a0a4b22db2b9a1f683b0341ed2107c
-
Filesize
5KB
MD567ebfa60e32103dd42d4ea76c5749f62
SHA199c607bb51815d7bae99ac072c758633ffcea6a8
SHA2569a21c79b34be8e503faf2a30d6b592e77e1d0320d8fcf6c40a3918734f641938
SHA51270bfc4f7a7f7b742619b304a3ee8fc6118a2ccdd7dc48e393ce31a8feee305165e7e894aafeb5f2d3dd82d6ad7cf516a265209c249f239755e6533838912bc6c
-
Filesize
28KB
MD54bb193080c479df0a9686d7109ed5316
SHA1b13c0dc02dc53717aa98bbf217b68e852735c4ab
SHA256f4eeeec085bd75002fe3854948b47c1da037d38e135980edcf6c7c65924a8c46
SHA512ca75d312bfaaf25075ec7ac20bd08f2a5a85de8167fbf308b24c527dc1c960a5b84ddf28b9899a487cd887c0b4ab054dbfd2745e17d6a051f004ba3028329440
-
Filesize
982B
MD5fff1f8737112146e174615368963a1ee
SHA1c264e4dadc4eb3e77a2605cbb70ba99e372cd562
SHA2569375cc53fa7e0007bf7e92025b74d27d5fd489ab50db839e2058b146114cb23c
SHA51268e81178c5b1a46765753916d005592f8cdf4d768c88ba32c2a695ac2e804affcfc04b020fb8a314a901493dc3fe29e8288f80be951444ac74bddd42af097042
-
Filesize
671B
MD550832e0de3a0494fcfe1f3ed3c5f2d6c
SHA1c4c692fd18847ac9913a81eac04d37057529b89e
SHA2569c2115822f1690c568f07926cb7740bd3e11ca0a83f222a7872d41f3ff3afee6
SHA512ae6b9399f3f749b36a5deb1274e06de41e597624d569d7c09802b5afad06d8ebf77f1808d3c2993a35b803916f5bf021c57cdd5f497120f49483acd576b8a0bd
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD541d217375b688a8e61169b0e77fadfd2
SHA1b03a90a602d014a30d88ef63ffc6c72a4714aef0
SHA2569ee80b2456c650fd87016065d0e6e1d20bcd3c946812119cf14906db6885737c
SHA51245aba7dcd2209a5d6f888484c0e065929bbbff797d82e42aa5000422c0e6247cb573d056b11d14f2539930fba96b04f0a6c876a9f9928aab1b382be8b2dea676
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
401KB
MD5c4f26ed277b51ef45fa180be597d96e8
SHA1e9efc622924fb965d4a14bdb6223834d9a9007e7
SHA25614d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958
SHA512afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
456KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
40KB