nanocore | 25d72728eb6cbb742beb57aab0840e798d3188c2567911cf5e7cd39d81bb7efe

Analysis

max time kernel
207s
max time network
210s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
27/02/2025, 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PW Loader.exe
Size

353KB
MD5

56643e8d47bf957982131424f5813be5
SHA1

3a3f934194846aca94feb191711c310221013cc3
SHA256

fcf8b6406f92a604fa5f8972fc48e55c1790a63abbcb72811984e35515cdf058
SHA512

805f0252c41bee936f96f0584f393d84248dbe1ed8efbc71dd8a5b0246db55e5cfeaf1b50508e8517252bfe2f9a0e9f119a0fbb0d83f9e33714fd3ecc63ac69d
SSDEEP

6144:/2HTwL6csbaj/4vtvL33qzYti59EvgEINhclb/wjVbtzRup1JFD+wMoxrM:/76c4pH8yBvPKC/wjVbt0hFDfPxrM

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 2 IoCs

pid	Process
4488	PW.exe
2388	Loader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"	PW.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PW.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UDP Subsystem\udpss.exe	PW.exe
File opened for modification	C:\Program Files (x86)\UDP Subsystem\udpss.exe	PW.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\PW.exe	PW Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PW Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4520	PING.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 6 IoCs

defense_evasion

pid	Process
888	timeout.exe
4092	timeout.exe
2236	timeout.exe
952	timeout.exe
1568	timeout.exe
2500	timeout.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4520	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1156	schtasks.exe
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	powershell.exe
2036	powershell.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe
4488	PW.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4488	PW.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	4488	PW.exe
Token: SeDebugPrivilege	4488	PW.exe
Token: SeDebugPrivilege	3524	firefox.exe
Token: SeDebugPrivilege	3524	firefox.exe
Token: SeDebugPrivilege	3524	firefox.exe
Token: SeDebugPrivilege	3524	firefox.exe
Token: SeDebugPrivilege	3524	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3524	firefox.exe
2460	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 2036	4728	PW Loader.exe	78
PID 4728 wrote to memory of 2036	4728	PW Loader.exe	78
PID 4728 wrote to memory of 2036	4728	PW Loader.exe	78
PID 4728 wrote to memory of 4488	4728	PW Loader.exe	80
PID 4728 wrote to memory of 4488	4728	PW Loader.exe	80
PID 4728 wrote to memory of 4488	4728	PW Loader.exe	80
PID 4728 wrote to memory of 2388	4728	PW Loader.exe	81
PID 4728 wrote to memory of 2388	4728	PW Loader.exe	81
PID 4728 wrote to memory of 2388	4728	PW Loader.exe	81
PID 2388 wrote to memory of 3928	2388	Loader.exe	83
PID 2388 wrote to memory of 3928	2388	Loader.exe	83
PID 3928 wrote to memory of 4880	3928	cmd.exe	84
PID 3928 wrote to memory of 4880	3928	cmd.exe	84
PID 4880 wrote to memory of 1464	4880	cmd.exe	85
PID 4880 wrote to memory of 1464	4880	cmd.exe	85
PID 4880 wrote to memory of 3424	4880	cmd.exe	86
PID 4880 wrote to memory of 3424	4880	cmd.exe	86
PID 3928 wrote to memory of 4632	3928	cmd.exe	87
PID 3928 wrote to memory of 4632	3928	cmd.exe	87
PID 3928 wrote to memory of 3560	3928	cmd.exe	88
PID 3928 wrote to memory of 3560	3928	cmd.exe	88
PID 3928 wrote to memory of 888	3928	cmd.exe	89
PID 3928 wrote to memory of 888	3928	cmd.exe	89
PID 4488 wrote to memory of 1156	4488	PW.exe	90
PID 4488 wrote to memory of 1156	4488	PW.exe	90
PID 4488 wrote to memory of 1156	4488	PW.exe	90
PID 4488 wrote to memory of 1704	4488	PW.exe	92
PID 4488 wrote to memory of 1704	4488	PW.exe	92
PID 4488 wrote to memory of 1704	4488	PW.exe	92
PID 3928 wrote to memory of 4092	3928	cmd.exe	94
PID 3928 wrote to memory of 4092	3928	cmd.exe	94
PID 3928 wrote to memory of 4520	3928	cmd.exe	95
PID 3928 wrote to memory of 4520	3928	cmd.exe	95
PID 3928 wrote to memory of 2236	3928	cmd.exe	96
PID 3928 wrote to memory of 2236	3928	cmd.exe	96
PID 3928 wrote to memory of 952	3928	cmd.exe	97
PID 3928 wrote to memory of 952	3928	cmd.exe	97
PID 3928 wrote to memory of 1568	3928	cmd.exe	98
PID 3928 wrote to memory of 1568	3928	cmd.exe	98
PID 3928 wrote to memory of 2500	3928	cmd.exe	99
PID 3928 wrote to memory of 2500	3928	cmd.exe	99
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 1680 wrote to memory of 3524	1680	firefox.exe	103
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104
PID 3524 wrote to memory of 4832	3524	firefox.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PW Loader.exe
"C:\Users\Admin\AppData\Local\Temp\PW Loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAaABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeAByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AdwBkACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\PW.exe
  "C:\Windows\PW.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB585.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1156
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB631.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1704
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B2B6.tmp\B2B7.tmp\B2B8.bat C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:1464
    - - C:\Windows\system32\cmd.exe
        
        cmd
        5⤵
        
        PID:3424
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4632
  - - C:\Windows\system32\mode.com
      mode 76, 30
      4⤵
      PID:3560
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:888
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4092
  - - C:\Windows\system32\PING.EXE
      ping /n 1 /w 400 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4520
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2236
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:952
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1568
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1924 -prefsLen 27661 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28eaab38-a75c-46d6-a8d5-6e6444268ddf} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" gpu
    3⤵
    PID:4832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 27539 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e143a77e-5d67-41cc-a953-4c379a1c7db1} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" socket
    3⤵
    PID:1916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3372 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6775de8-91ae-4b77-9fc9-ec1dff104670} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
    3⤵
    PID:4768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3908 -prefsLen 32913 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81da19c3-0f8e-49f3-8728-555fff2f1851} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
    3⤵
    PID:1732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4848 -prefsLen 32913 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b87f6c1c-538b-49cd-921d-17055a64d637} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" utility
    3⤵
    - Checks processor information in registry
    PID:1176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 5464 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1690f07-f28e-4607-a104-a88b2cc87c93} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
    3⤵
    PID:1188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 4 -isForBrowser -prefsHandle 5628 -prefMapHandle 5452 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5990dfb0-ec82-43e1-b161-762de7bc6239} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
    3⤵
    PID:2032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5872 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5796 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30cadc68-be23-4187-b1c3-0b55e7552fa5} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
    3⤵
    PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2940

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
ab4dac9bfac2e975096cbdb556feebe5

SHA1
a7014ccff06ae27e3dbc269ea6c60e243503c04a

SHA256
e45aee945424aa854b482f477dcd9eba097a132288f1a90e8131ecfb143f4180

SHA512
c3ed765680b72b14e1d49a1a6738cad6a95b702c930ab33b658cb4eac71153be81f86d38a6faba61a3ae7c3ed757f4b94308aa6de51f8c63b418e2cfee0ea7f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d22ca13b-e79c-42ec-be9a-86bcede0edac.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
203b2ca5a2fe1d3878718d1bb3773c8c

SHA1
c93a804898f610a9cc2f0381662861fc4b29aa19

SHA256
15d0f55e1c46a3c7f596c74c720763d650e93ce8b17bcda04ece3e1a1d9f0709

SHA512
d927ab3fb0e8073510bec19270f6c162597906455ab8852b28191e8b7e3535924ac8968afd24d8afa00a262165a93637387d164a366837507ef09fb64964516b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
b7ba1387f6cc063a62920459e03c4ef7

SHA1
1720ee0079c3b2deba2445a392504fc8883d1291

SHA256
90729d09ec2a6b70d547430de246f65ce9c754668d3c80cb8b3dae0b80b89481

SHA512
dd1278cefc1b064ba74609a2f025890160ac3c3ba5774c8ffb98538e2b2868f0d9d59d52eda7674b0a5993ea4f6261a462fdf152d3a2e9a682b586630f959c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2B6.tmp\B2B7.tmp\B2B8.bat

Filesize
873B

MD5
566e6a066b92cfebc3d0335e4040cb4e

SHA1
46d51fafe54222520870b8b0152ec21171c9b74d

SHA256
32ae4d96a660d1a0e4383d7b589a581d0c6cd20727cf918c787fa695f2820a0e

SHA512
c9f8d55845368226163c605c44ce47f92dea81d4d40dfdd317ffb67a0175de1cd9ccd74285fac940974be7bf41642055a79775baae3f766df323c142f8eca556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
117KB

MD5
02d696883a7203cc4751705c59bc1e2a

SHA1
2ab1c8e52cee860f41342949d9b7cf8d2f1011d9

SHA256
5ca70c26ef954b416ca7f7419f8291a5db7db3523139126e5a8e07d3a33ca72c

SHA512
0dc4c42e406783946ec279c037c7141839c73cf080e834a12abc3ac4e016af8bc52b712affd539693ddc5f40f3231ac983a9e3c3db5bc4aefadacad2a8efc6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyxbvobh.h2r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB585.tmp

Filesize
1KB

MD5
2ffead7bac45fb92c7e7fdd337c3d07d

SHA1
cf1335a23b061148d12ab7297b09bc9a028a0e3d

SHA256
08f809f86780ba005342a9cbb3ae9a54a3c151a0b494cbcd59fcc53903e705d6

SHA512
0f9d3da64b85770e1e8e383071b42d193cd24e2f4e1693a7f4ce98a1e0c92a175c683f69b9ff727abad6161f5ece39f0ea2caa098e24314256a90864192ac178

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB631.tmp

Filesize
1KB

MD5
c4aecdef99eba873119e79616df3f4b0

SHA1
b1b3af52655fb633eed909dfed05b64fbbfac37c

SHA256
24fd0d87bea36a024449a95f808aaa174e4ed9003cb8a427b67c02411b8a2e0b

SHA512
e3f44b07267fccf4f5abd4efe80f2b037ddadc4cb898bdfca9d21ac5d79fcac828950065c2060d3ce125ee971fc3096183afee5287ba9951fbbda7257d8ed8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\AlternateServices.bin

Filesize
8KB

MD5
0c7937dabc0620db324e4c15b870de39

SHA1
53b2501438491a349e9d88b5077772e191131ae1

SHA256
9527c272604b882c01637d2a0607ad5b4d0e3ca66c3c8ad7e6f37de026a00b84

SHA512
fd23bd6a494b88f2b50659cf8aeb887b349784229bbbea1f1f592458f9f579bcec4ec321776957484179e9cfe565ae20a4dc16953a111e0ed8ba689a8e9a72e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
303fcc10aef4ec2270f9260f681cf2d0

SHA1
0dac70614be44b29c20d193fb3b8d23f4c2aa8e8

SHA256
4a608bc56edb8b942bc362e20941da5284d3b4f0961ed8cc0adf377769cc2e6e

SHA512
ad0529f48451c235e125dc305d10f9c537cb84f8b33119637fcf6cbece1b24a3096109fd0e17b43bc9f2f9bb43f8d4862fbae33c620a57d1a6b81c8a1a9b6f5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
8826a1ecc5c35eda7ae9d9f40f208392

SHA1
aa5a680e46170ae19c779ce099f3ba17ab4a5ca0

SHA256
57dac38ddade6ec727679ba88b97d446936135ad08c37dbd1fa84216b80805fd

SHA512
1d1d3730a685de42cde0ad6f632c35ff07a85270f7d78bf40436f5bf13ed590d36a6126ecb8bcca1f9a842a74737498929c069c06397a936749701215d26cf7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\pending_pings\50b584d0-dc56-4079-8f59-c2104e139e16

Filesize
671B

MD5
7901409a5cd9b6d11bc7db678e1a15c9

SHA1
978e2ea8714af19feba859ffcb7d853b0fe30688

SHA256
1dccb8fe982d33d5a698b86d2ef3dff2e5e7ac8edfaa1b0dacebeb6aa2624955

SHA512
64140d31893eb8fd7f1c56cfdece9ed69414f0554ccc7904909ef89f2e49820ae56aca28488a67f31ad9530cfbf9c52e50dbcb97542c3248dbbb74a641faf5c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\pending_pings\e210d542-170c-467e-9437-5a2580198fdc

Filesize
982B

MD5
05cfc237673ec9c17d4656c75d3359b5

SHA1
0eec3b407cede9fef0ef58454505c3c2a4e01f66

SHA256
3863262d16278d4f3005696ca2222154df36e472432ef70cf43d1c5f2c0f7979

SHA512
26bbdab8e1b46f3f2b3dbf668deb9d205f30ea57d6d7479f60b32c8f47097a8961550462471b37760628e6df75680b995d62f434652bac0fb11e81900438a911

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\pending_pings\f018a901-1fdc-46f3-9ae0-890edbcb9d81

Filesize
26KB

MD5
751552ebf565199c28c0876ade2acb55

SHA1
48a4782e39158332006da6b8075bae57a1770f0b

SHA256
ae922a531a53fe15cd664f5d2a87e58a28c3f136f78f7b519af89222ddba8ab2

SHA512
e10ffc74ceec92673efd1f73518bd31f2a7c358f34d278d0a90ecd8e59b7cf1239a7d04759add4eb24d0ed9d531e21f6e8210998ab89b13f7f79434f933e8f53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\prefs-1.js

Filesize
9KB

MD5
a17452a97685b3596f687da4b894aea5

SHA1
b5fc5200e95cf3f4b363c6d894669803a55505cd

SHA256
a64152b0189f2cc0c00e4aae6f5acb5a75bf500d383a9388de26a0e034b7b447

SHA512
eaec8e4a9c05836cec40e49de881f47a951286422445e64f2a05765f264a88e1c2d56f64416b52e624f976a1627a7e40813d8912c4782a90d8bca50ce37c9968

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\prefs-1.js

Filesize
10KB

MD5
2cc3b203b57c87dbfe93b955cd54032a

SHA1
9b8d3ed22430e568015752bd25daacca8692d29f

SHA256
47a393c5db85720fcbcdb1346592622a3a468b0ba8104b492b0bc1969012779b

SHA512
b25d584bbced0784799d47969c407db848d70b1928cdc3b0863018b6a6ab8d7ff578ad71e32b21742473bc5460bb7abb28d742cdfeebe52d6cba49bae1ac381b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\prefs.js

Filesize
10KB

MD5
9160fdf5017d0dfb98e593a7c3f987d2

SHA1
3b437c3f02771dafcccf0ca13fcf233f15b4daf4

SHA256
bcb6590303b77b7fc304be3559338bfc82e20f20bd392612c0132c599f959058

SHA512
66b2f60e7b91f5e985af44b3feec235d0efa5183876fe78e693856c07a6573ac9dc97c14ad4eb096c311ce18d46e8e43f5bbef02f82812577044494acad7c73a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
d195288baa5ed0c084529aa7e1dcfcf4

SHA1
21b13e6063ecb86848ec84d23e7d115e352e05e2

SHA256
d820f8ad15c68b6f268aae63d6512246a6502c76b1e3fab25dcd6732d4a410d4

SHA512
0c2e52ebc167fa3030015b652528cca717c6f5d7418732c3140e0e8ee9f2597ca22726cab750dfb51486cdc60f0ee3449642269dab9062dcb82214d36b369540

Download Submit
C:\Windows\PW.exe

Filesize
203KB

MD5
661853c344c274af24c2d172db42cc9b

SHA1
4bf93aa965559f99c85e521f5984cb409591f54c

SHA256
54c028b0bb2728975b22d500df2164a3218670a3db6cb8a9a31654fdc2b8a20b

SHA512
ebc3286c97af3f8df973842c21422c124160fefeeeda50757f7e41c9b9fb7405d4d25bd11c5e0a31ab90b41482b444aa5a6e2348f1b475a08238e0784bcd2503

Download Submit
memory/2036-46-0x0000000006400000-0x0000000006434000-memory.dmp

Filesize
208KB

Download
memory/2036-63-0x00000000073A0000-0x00000000073B1000-memory.dmp

Filesize
68KB

Download
memory/2036-65-0x00000000073E0000-0x00000000073F5000-memory.dmp

Filesize
84KB

Download
memory/2036-66-0x00000000074D0000-0x00000000074EA000-memory.dmp

Filesize
104KB

Download
memory/2036-68-0x00000000074C0000-0x00000000074C8000-memory.dmp

Filesize
32KB

Download
memory/2036-21-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/2036-20-0x0000000004990000-0x00000000049C6000-memory.dmp

Filesize
216KB

Download
memory/2036-57-0x0000000006E40000-0x0000000006EE4000-memory.dmp

Filesize
656KB

Download
memory/2036-56-0x0000000006E10000-0x0000000006E2E000-memory.dmp

Filesize
120KB

Download
memory/2036-47-0x000000006F4C0000-0x000000006F50C000-memory.dmp

Filesize
304KB

Download
memory/2036-59-0x00000000077C0000-0x0000000007E3A000-memory.dmp

Filesize
6.5MB

Download
memory/2036-44-0x0000000005E60000-0x0000000005EAC000-memory.dmp

Filesize
304KB

Download
memory/2036-43-0x0000000005E30000-0x0000000005E4E000-memory.dmp

Filesize
120KB

Download
memory/2036-64-0x00000000073D0000-0x00000000073DE000-memory.dmp

Filesize
56KB

Download
memory/2036-62-0x0000000007410000-0x00000000074A6000-memory.dmp

Filesize
600KB

Download
memory/2036-61-0x0000000007210000-0x000000000721A000-memory.dmp

Filesize
40KB

Download
memory/2036-38-0x0000000005950000-0x0000000005CA7000-memory.dmp

Filesize
3.3MB

Download
memory/2036-28-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/2036-27-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/2036-24-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

Filesize
136KB

Download
memory/2036-60-0x0000000007180000-0x000000000719A000-memory.dmp

Filesize
104KB

Download
memory/2036-23-0x0000000005010000-0x000000000563A000-memory.dmp

Filesize
6.2MB

Download
memory/4488-72-0x0000000073EE2000-0x0000000073EE4000-memory.dmp

Filesize
8KB

Download
memory/4488-71-0x0000000073EE0000-0x0000000074491000-memory.dmp

Filesize
5.7MB

Download
memory/4488-22-0x0000000073EE2000-0x0000000073EE4000-memory.dmp

Filesize
8KB

Download
memory/4488-19-0x0000000073EE0000-0x0000000074491000-memory.dmp

Filesize
5.7MB

Download
memory/4488-15-0x0000000073EE1000-0x0000000073EE2000-memory.dmp

Filesize
4KB

Download