njrat | 78812079a5ac503085915fbdd6ff3f3ddbc3dfd2d51883bf381ae8b7b461e6c1

Resubmissions

30-09-2024 21:47

240930-1nh3fswgrp 10

30-09-2024 20:16

240930-y16yyaxdmb 10

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-09-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

031b08cf4ccd44e4f2507f47aa49794c_JaffaCakes118.exe
Size

127KB
MD5

031b08cf4ccd44e4f2507f47aa49794c
SHA1

9e38d1e535f2ac77d464c4ecb4da7a6a8321d9a1
SHA256

78812079a5ac503085915fbdd6ff3f3ddbc3dfd2d51883bf381ae8b7b461e6c1
SHA512

328711abffdc66c3e048c66c32b969caf1d996834548d15875176cd9aab9591a012c31504021492ff7fd8ba121f7b91d918ebc355fb4d7efbe1c7cd472b180f3
SSDEEP

3072:U5VoIlMJg61fm9efb02TCA0QojtTlTvIn4xQEpV/RlD:U5Ve+Q2DQoNlb1

Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2712	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d1bdedbb684e4a7e51ad819088373ddd.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d1bdedbb684e4a7e51ad819088373ddd.exe	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2904	Uofnjponstiw.exe
1492	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\d1bdedbb684e4a7e51ad819088373ddd = "\"C:\\Windows\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d1bdedbb684e4a7e51ad819088373ddd = "\"C:\\Windows\\svchost.exe\" .."	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	Uofnjponstiw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uofnjponstiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	031b08cf4ccd44e4f2507f47aa49794c_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\hash_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\뗬겒꬀退鏠䒠Ź	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\뗬겒꬀退鏠䒠Ź\ = "hash_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\hash_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	031b08cf4ccd44e4f2507f47aa49794c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\退䒠Ź\ = "hash_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\뗮겔ꨵ蠀뿸翾	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\造䒠Ź\ = "hash_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\hash_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\.hash\ = "hash_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\翾	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\hash_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\翾\ = "hash_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\退䒠Ź	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\뗮겔ꨵ蠀뿸翾\ = "hash_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\뿠翾	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\뿠翾\ = "hash_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\造䒠Ź	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\hash_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\.hash	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe
2904	Uofnjponstiw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5092	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	Uofnjponstiw.exe
Token: SeDebugPrivilege	1492	svchost.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 2904	4360	031b08cf4ccd44e4f2507f47aa49794c_JaffaCakes118.exe	78
PID 4360 wrote to memory of 2904	4360	031b08cf4ccd44e4f2507f47aa49794c_JaffaCakes118.exe	78
PID 4360 wrote to memory of 2904	4360	031b08cf4ccd44e4f2507f47aa49794c_JaffaCakes118.exe	78
PID 2904 wrote to memory of 1492	2904	Uofnjponstiw.exe	80
PID 2904 wrote to memory of 1492	2904	Uofnjponstiw.exe	80
PID 2904 wrote to memory of 1492	2904	Uofnjponstiw.exe	80
PID 5092 wrote to memory of 4752	5092	OpenWith.exe	81
PID 5092 wrote to memory of 4752	5092	OpenWith.exe	81
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 4752 wrote to memory of 3924	4752	firefox.exe	84
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85
PID 3924 wrote to memory of 2668	3924	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\031b08cf4ccd44e4f2507f47aa49794c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\031b08cf4ccd44e4f2507f47aa49794c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\Uofnjponstiw.exe
  "C:\Users\Admin\AppData\Local\Temp\Uofnjponstiw.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Lntdnwewjx.hash"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Lntdnwewjx.hash
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bb5b986-38d8-4e32-a55a-cae4ed4d7331} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" gpu
      4⤵
      PID:2668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e776d040-1661-43e9-a74c-8854983c4b51} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" socket
      4⤵
      PID:4064
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3444 -childID 1 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d24b86ee-915e-4c43-994f-84d4d9ff2be2} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
      4⤵
      PID:3948
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1628 -childID 2 -isForBrowser -prefsHandle 3144 -prefMapHandle 2948 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e371ac7-8bd4-4e9d-a00e-2fa722cb982a} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
      4⤵
      PID:4736
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4256 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4228 -prefMapHandle 4160 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e16c8d5e-9d20-43c1-8b5d-ae357e77ced7} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" utility
      4⤵
      Checks processor information in registry
      PID:1412
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 3 -isForBrowser -prefsHandle 5556 -prefMapHandle 5552 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae332149-677c-4e8e-93e1-10cfe0d111bf} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
      4⤵
      PID:3956
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 4 -isForBrowser -prefsHandle 5696 -prefMapHandle 5700 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d71bad13-4eeb-4bb0-812e-397d9692ea27} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
      4⤵
      PID:4852
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 5 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d62b5eba-f955-4fde-bf76-e9021e72b88d} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
      4⤵
      PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
cefe57e57b4b6a04ad10f2b029ba60d2

SHA1
d34b3983021b3f64e94f2bfcf198961e5cc3b35b

SHA256
1498621057d7825e492906956675a1c789e096bfb1465b805542b6069bcc20c3

SHA512
19236faf41447db79fe1fb9208a7d29887fc692ff2ed662b54467b8edd0086687834790723c37e6eeeab87e1d5e5729a11256137c5a5854dc15bb948bd516db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lntdnwewjx.hash

Filesize
16B

MD5
6b14078dd1b974407f6d07ab56add8cb

SHA1
2301764ce6f800147c39f717c9c24a6c14b48caa

SHA256
b3f20860803f09634997e9e24e29d09f7b478e724554857fe8699f072904a755

SHA512
81596f6e3248d7b0ea8e3baca3b15b3834f2cdac12e44903d98698758da4b50c108f4e0617a198cf6c3b46d237776f86693db529286e1179d4bb3e72e3d6f07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uofnjponstiw.exe

Filesize
158KB

MD5
e3edf4dfadaab9c5afc71a7552e9c0d1

SHA1
5dd299e6a794f9e306dd975aafe5275c4eae28db

SHA256
1cdd10ef166f4e110daf659365dd6ac8f38188c1ec8b6236673bb38efd10f771

SHA512
a23204033abd0d1e49a67f848b1536af382fc45885f7d80eeae1e60919bf39606bdcac20e68942b427d57ffaf4164b42b6f3d9479460fdaf1bf0e4a49733b4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
6KB

MD5
74f981ec66bab447711319f3d8ab46b9

SHA1
fd07ff55a97e2cb50be506f01d5007babf3a578b

SHA256
1768d617c9d6fc16fa0d12416f264d57402be3bea32b7c01b31e018dcc61e1c6

SHA512
943dd62310c3e8c7c9b65bcd2e736f3499120f747f2f86b0fa350bf0c2f95a586dfabe14a286e90cdf945c3dffd1045d73ff8e4b602355f91ae8c9afb5d821d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
6KB

MD5
0a86a65519a93bebedadeeb2fbf129d4

SHA1
cd268a7df823becd751333e0259133b56547a6be

SHA256
2ae935d56dda4c5ac67b454a88dc1b619e5ca79e2b5c873d894b71a5069daddb

SHA512
95622942009ce654a5a383d8604f5cca46c4bd8f5749f0443a61d82b53d34891622f0a1fda83608b6ddfd72e3a7b593a647511c6bba8a34fea2bd490cffb224c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
8KB

MD5
3c5fc6f16c3b6cc3be0bbe42aeeadda4

SHA1
abc6c94b958c9745956f4cca18a70ede36b81a23

SHA256
6be58340d8776898ddcb51917f4b1ee12ed66224b7ef6af885541622a898e90c

SHA512
35cdf28c11b11a3bad215cd6d9642ae53660736d188e343788659cd9b4dffc745189bf445a5ea748898fe854b9c54a762ee1af91b519c6c000cd10a825e18899

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
8bc859c50901b469893e7e8efccbe61d

SHA1
b04354d2739ace5f874e57a2d3de9eff291c6fa2

SHA256
15d7c18026f6da9b1061d77ebd0aa9b969dbf0d511aac75d10199f6859f9600a

SHA512
2c2e7dc6bf5fd6935a48ad8fa816c2722fa67d53993ef2e8f20b39b820110aad0d5d2152fe8c63df26833dd0674d2403e92aae60889de0bbd55ab797adfed4b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
77e183fced085131b9b4d15eab19cdaa

SHA1
e41a579eded17a40e431c28001ab1411989af673

SHA256
a7421033cfacc66eda681fe4c8a7c534c9d10d2b68c7ca5fb2ccbd8aa2fa4f06

SHA512
d75c6bae529a49dff61208831ac4a871f13f552bb7ee739696e8b465a45fd2a31250c2427c81892b65e0943f7f3d10436ca93f3fee1a602d41741dc2e621cc9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\067a8457-2750-4a26-823c-63f95449773f

Filesize
982B

MD5
9bd560c1c7eb382511b3059f1599d7ee

SHA1
32625bb45a776d4a6bf79890d8121af8d18ba738

SHA256
4ad44273d14f3bd27f4946a9dcd9f1edf1467ba5c0b55ee4831e1f9326a11ddb

SHA512
7dbc5b0e906bb127501a4afaa2bf07b9cca01e16ce95d876d29e38a2b1866ee6aed5f89eb3987d08078314e81db9b82f052ee55d10ad85ff8fbfd13c479621a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\296891c2-01b1-4e48-a05e-bdba351ee777

Filesize
24KB

MD5
d9ee7dc59057aaeac4a6ed6d28fbc46e

SHA1
82265abf945296793261c32424db12eda2375674

SHA256
d2e7f637eda7acbd533b5ed993d74f33091e3006b88cffbb6f9d47a1dc5ec8bc

SHA512
8b66528f1cb7381c70f18095be830d9a21205dedb792c41d0902f245f45d39ca1c00e9a0e520669ea9a6536cf0c90a6a67dac58560412aa47744295f56cb52f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\7b897639-e59a-426e-8520-cfc42a0777c2

Filesize
671B

MD5
91522f7f431d5813347a263a9f4d817c

SHA1
4972f3d0ffdfdb2f1703b903c2db655db46c2ca4

SHA256
3b5e5ebe0a0aa2478ca812ea5101ddf86a0104909802c25f47b189c36ef84339

SHA512
37c09bec30fbc0e81a3f211bb6f62d5ca9dd83a2f6e699296968ad050181862b70cf2fa5e46a93cf12fcf4aae12b72d4a44d84492fdb1620a4d833f17a2afaa1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
11KB

MD5
be1613f07493a33c41646f3432ef6add

SHA1
b0a374992a89c35e412512ac3ece0431f22ae047

SHA256
50cdff2315738ad87f69299466792ab5b0ae362a0a41cb1015b3c9571fbeac3b

SHA512
6f32f3aef0ee5a4094f19da1291c8b85ca20b5f7496a16f3843c795d36f54248221b9d562a4a3d7febbb02944cbe4f15d12b168c19d6bc7727ec6718909eafc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

Filesize
11KB

MD5
7311780c37760a471c7d69e3c1e51195

SHA1
d4d185996409415ade0a00c38fbe09ad1f35c8a6

SHA256
3fcd31226c33a3b60030b563d8c20615a497a48f82006a51580eeb49e74d70fb

SHA512
7ab58a009084647418ca3121fbbfe313779302e7553d07c547952e99022da0eb24fa4ee92f83dc30ba2ab169aaddd2620fe635502957d2ceed1c186307a1be13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

Filesize
10KB

MD5
463d5446ff9e81e3555043db51d8f6a7

SHA1
289857f91b4c3d0a795353ddbe83c6770c5ba31c

SHA256
ff255908ae1eb5e585416c84421e351aa2752d6fccf2288df3b0ceb0dfb5dca7

SHA512
cf7be756ae89bd3bb03e04f392a9091a9c04399a51058ca654cd75d7b6cdc52cf4228741e1de77348e524109835170f9f03330cfa67d1b2fca9da2b41bb59daa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

Filesize
11KB

MD5
ebad19279f55d1a4953b91f676b54418

SHA1
2301df0e2fbd311adae8fb52b7ded94765bf5e6b

SHA256
a986cb2c851b81311f155fc382837242a586f40d7947df5ca295ea79ee64579d

SHA512
896fea2399e50849ac9a47dd97f78f60b52597e1a864c5e807d8d6783ac892f2588c80395d421f2b9c58451c5af21879e3fffd324db7cbd631b785288d04a865

Download Submit
memory/2904-18-0x000000006F860000-0x000000006FE11000-memory.dmp

Filesize
5.7MB

Download
memory/2904-16-0x000000006F861000-0x000000006F862000-memory.dmp

Filesize
4KB

Download
memory/2904-17-0x000000006F860000-0x000000006FE11000-memory.dmp

Filesize
5.7MB

Download
memory/2904-30-0x000000006F860000-0x000000006FE11000-memory.dmp

Filesize
5.7MB

Download
memory/4360-4-0x0000000005130000-0x000000000513A000-memory.dmp

Filesize
40KB

Download
memory/4360-3-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/4360-5-0x0000000074840000-0x0000000074FF1000-memory.dmp

Filesize
7.7MB

Download
memory/4360-2-0x0000000004AC0000-0x0000000005066000-memory.dmp

Filesize
5.6MB

Download
memory/4360-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4360-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4360-20-0x0000000074840000-0x0000000074FF1000-memory.dmp

Filesize
7.7MB

Download