hxxps://awpi-01[.]mwoengwage[.]com[.]/v1/emailclick?ewm=joaquim[.]brites%40sma-europe[.]eu&user_id=%40%24xy%2A%40%21hYs·%3AçèZ+Ø%15ll¸ÊÚ2®+½Õh¤A%0Aó%00[.]5%1F&d=%40%24xy%2A%40%21hn%3C%60f%3B%24%5CoR%1B+cm&cid=%40%24xy%2A%40%21hº§M%14%24%0FD¿îZf%08ù%17ùôbl%03rxvMV%28Ñ%00ï%1Ds§Vä%3F%0DÑOt³J¾Ç¬vs%1BþÁÑªiqDøó%7F%2C%16+%3E%5CÈÈ×o%21%07ªá%25%0B¿%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02[.]859891_L_0ecli27&rlink=hxxp://oa5[.]rei[.]stwpbogor[.]ac[.]id[.]/?QQQ#[.]eWVydmFudC5wZWx0ZWtpYW5AZHJpbGxzY2FuLmNvbQ==

Analysis

max time kernel
49s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2023, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://awpi-01.mwoengwage.com./v1/emailclick?ewm=joaquim.brites%40sma-europe.eu&user_id=%40%24xy%2A%40%21hYs·%3AçèZ+Ø%15ll¸ÊÚ2®+½Õh¤A%0Aó%00.5%1F&d=%40%24xy%2A%40%21hn%3C%60f%3B%24%5CoR%1B+cm&cid=%40%24xy%2A%40%21hº§M%14%24%0FD¿îZf%08ù%17ùôbl%03rxvMV%28Ñ%00ï%1Ds§Vä%3F%0DÑOt³J¾Ç¬vs%1BþÁÑªiqDøó%7F%2C%16+%3E%5CÈÈ×o%21%07ªá%25%0B¿%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02.859891_L_0ecli27&rlink=http://oa5.rei.stwpbogor.ac.id./?QQQ#.eWVydmFudC5wZWx0ZWtpYW5AZHJpbGxzY2FuLmNvbQ==

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133235406683148530"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeDebugPrivilege	2036	firefox.exe
Token: SeDebugPrivilege	2036	firefox.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2036	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3288	5064	chrome.exe	87
PID 5064 wrote to memory of 3288	5064	chrome.exe	87
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 2592	5064	chrome.exe	88
PID 5064 wrote to memory of 348	5064	chrome.exe	89
PID 5064 wrote to memory of 348	5064	chrome.exe	89
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90
PID 5064 wrote to memory of 4820	5064	chrome.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://awpi-01.mwoengwage.com./v1/emailclick?ewm=joaquim.brites%40sma-europe.eu&user_id=%40%24xy%2A%40%21hYs·%3AçèZ+Ø%15ll¸ÊÚ2®+½Õh¤A%0Aó%00.5%1F&d=%40%24xy%2A%40%21hn%3C%60f%3B%24%5CoR%1B+cm&cid=%40%24xy%2A%40%21hº§M%14%24%0FD¿îZf%08ù%17ùôbl%03rxvMV%28Ñ%00ï%1Ds§Vä%3F%0DÑOt³J¾Ç¬vs%1BþÁÑªiqDøó%7F%2C%16+%3E%5CÈÈ×o%21%07ªá%25%0B¿%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02.859891_L_0ecli27&rlink=http://oa5.rei.stwpbogor.ac.id./?QQQ#.eWVydmFudC5wZWx0ZWtpYW5AZHJpbGxzY2FuLmNvbQ==
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffac51c9758,0x7ffac51c9768,0x7ffac51c9778
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:2
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:8
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3864 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3476 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4004 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3928 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4752 --field-trial-handle=1816,i,6039434089417817283,14110351701313729964,131072 /prefetch:1
  2⤵
  PID:1504

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3256
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.0.1635289704\328237393" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34098fea-c40c-4a65-aee2-23321aca1173} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 1900 233600a6458 gpu
    3⤵
    PID:888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.1.518306904\459525319" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bc90915-6c19-47bf-b44b-1d93290281bf} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 2300 23352071f58 socket
    3⤵
    PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.2.970454475\264393924" -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6526f9c1-4fc6-470f-b3f9-7e21030fd5d8} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 3256 23362cfb558 tab
    3⤵
    PID:2040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.3.115504607\1507834117" -childID 2 -isForBrowser -prefsHandle 1272 -prefMapHandle 1100 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9db9b6ca-f987-4840-9bf9-be26d96cfd95} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 2776 23352070458 tab
    3⤵
    PID:1536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.4.340299618\1739553055" -childID 3 -isForBrowser -prefsHandle 3760 -prefMapHandle 3756 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ffbc0ce-05f4-4519-ab9a-74d1404669fc} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 3772 23352061c58 tab
    3⤵
    PID:3784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.7.1546615049\534109010" -childID 6 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2420b2d-611d-4fbc-8f67-a32bd5ed17dc} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 5460 2336547d058 tab
    3⤵
    PID:5664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.6.357595833\1213305742" -childID 5 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbf70643-cba0-48f2-99a3-8290c3e684d6} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 5264 2336547df58 tab
    3⤵
    PID:5656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.5.1021351710\1436996655" -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5104 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45d28c43-8fb6-478d-a1c9-ecaf76c71529} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 5100 2336547cd58 tab
    3⤵
    PID:5648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.8.568003848\1231895733" -childID 7 -isForBrowser -prefsHandle 5832 -prefMapHandle 5828 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3619260e-7913-4064-be74-cbeffb9b0369} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 5840 2336547c758 tab
    3⤵
    PID:5484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eaed629b70413ca0dc88cfd7827340ba

SHA1
5e736c3f8f3ef908ea871f4e049e87920f2e5205

SHA256
2653ed060e3c238b533d1d32ea547ebd37f1860a085a8d2971621719c9d9b80a

SHA512
516bc2666635eb257fe1bf077e057a13e5dd42fd8e25d263dbc53745b9de54b38d393ad5beaf47c4c4d2372aa386e1ee03d578820fc905ed581c785e04d6fa11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
895547b948d2e3abdf1093c87f3c8ff5

SHA1
50005e05b3fea9c4842da89dbb76f31b228979c6

SHA256
bd24859acfa2ddec22397391942b41f7efc996812462773fd66e7758efbcd87f

SHA512
886d97e7350ba364e06b63d0ff11636024f8afe7a3c3a066558621a5e14ae0f9f17ad3280a8f1bd4376a43307cabbbfc95cb64b8965d4c02c1efcf5d6542549e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
43bb95280641f008cb0db3d4e86e5b79

SHA1
9ac483054295010712af04d4a7b362d96ad31ebb

SHA256
9417efc07de02c607b69933b1dd6f3663504521ab4fa03ec904d14ec4364af21

SHA512
6e7c6f4c9378cbd1cb95bdceacacc71098e22da519ac64acb358f6bb50fc3c7d3d3fb1a560bb018e38c83b0468cec6a6d31c908bec11fa5449ef50a5ec51e941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
8578d663fcb583c7aea9c0b21245f727

SHA1
59e07a6a166a3b3177ef4e6db837150bda270de4

SHA256
d88ed2724585df7322c09de2f1e8c6f35277aa5ca8ab2a129201e0cb871b5dcb

SHA512
d4239a239022250fba038f0f389552b9323686e64bf11c2d57690a01f5ca923c8c2fc72ed1a7e92a1ded2dab6c649e7157ff897ebb4e4b2be8f5af94fb2825be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
149KB

MD5
748cedc966988485ce117b2c98a66a03

SHA1
953eb9a6126cd88499337ac3ba379d9863046c65

SHA256
def0201b51bdd3f6c555b7fc715c5bd6da460a3887aa6c2b2dd7e95c296cda74

SHA512
85f6c08225ba121fb586878175f959eebc8a9c5991712e5d03a259f7e65e6a1335e6d1684ca6c42ab8843586641aa8d29ea09a424adc7404401495f9819f8f33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
c3b082b1607c53445221910421c510f1

SHA1
830aad63d3a2d19357a4e75dc82c1c42b8ae6b6c

SHA256
64dd4a856407f65c6c0ac64a6dd44b1bbbffb287148267aaf2db0cbd6350353d

SHA512
5955406c4e76c86391d3f0be926a47ef1ef44c6f987e6966bf60fb7e6f84feb32e3bfcf502b469464479bc043d3701b021aab122d6cacd1bbaeb8392ceff5737

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
cf4e69197d8bc61745b4b65421845def

SHA1
87ec72c3a67dec1e7afab2b08b4adf2c9a550499

SHA256
d19f0ae68f4f2ef28cb3d8b0e7f8bde7d1dfba2857221e1a28f91c1ccdc41637

SHA512
63dde3d2590f00bd54d8576f5597e04d0ffcc68c15aaf48b17e4c36df04a277b7a89e64a9e6112f431e3b6f0e734efa21e112ceaaaeee1adf4347d44a07baaf4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.js

Filesize
6KB

MD5
feb8a52858c8167a58f36caa1b37f116

SHA1
7ae7f9d2721ae3c579f9e18e4fea679e8c848158

SHA256
adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a

SHA512
109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1f575e802d5f599d5c8c24932672029a

SHA1
b498cc4b7b252f77f40f182a3b083211d2125c39

SHA256
4c52750a1bbf09cd984d88cbef8c79e45b57a7568b24fe9035b6463c65ccc79a

SHA512
38f5f82c42c8b66530a62479cfe1ba8af9f2de48f111f0df002d5019ed40f23cb09a4486726cc8943e9b7ea00e30ad371efd0fa98827f04a09d9ea86b6a7f0b1

Download Submit