3861795ece849d6b417a3c9870a7e0a0eccd27f74e706b9242d94d5e8885b705

Resubmissions

22-03-2023 21:05

230322-zw7kcadc8x 10

22-03-2023 20:11

230322-yx9wesba78 10

22-03-2023 20:06

230322-yvvnqaba59 10

Analysis

max time kernel
201s
max time network
204s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22-03-2023 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

obfuscation.xlsm
Size

35KB
MD5

b54c993e941836bf2c9c69948b30bcf0
SHA1

a3e6234b5310a3918b9e01c08badf3eb5f44a4b8
SHA256

3861795ece849d6b417a3c9870a7e0a0eccd27f74e706b9242d94d5e8885b705
SHA512

cda8807707e6ee42309df106c3c3f8daf1c63b154dbee9741ca25679732d6e61a36fc6dbbd1ca76b8d444296ba5001cafe57d11c6ded384451d71cbef7cc80f1
SSDEEP

768:YLsShCAVaV5WqShv3H4+jbXAAQpyQyAtewZP8a88ULsR6LQkZt5mZ2:YbhCLVkqStYuQgrCl38896LbZt5mQ

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4908	2476	mshta.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEfirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEchrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2476 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4700 chrome.exe
4700 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4700 chrome.exe
4700 chrome.exe
4700 chrome.exe
4700 chrome.exe
4700 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	firefox.exe

pid	process
4700	chrome.exe
4700	chrome.exe

pid	process
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exechrome.exeEXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1060	firefox.exe
Token: SeDebugPrivilege	1060	firefox.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeAuditPrivilege	2476	EXCEL.EXE
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeDebugPrivilege	1060	firefox.exe
Token: SeDebugPrivilege	1060	firefox.exe
Token: SeDebugPrivilege	1060	firefox.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

EXCEL.EXEmshta.exefirefox.exechrome.exe

pid	process
2476	EXCEL.EXE
2476	EXCEL.EXE
4908	mshta.exe
1060	firefox.exe
1060	firefox.exe
1060	firefox.exe
1060	firefox.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

firefox.exechrome.exe

pid	process
1060	firefox.exe
1060	firefox.exe
1060	firefox.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

EXCEL.EXEfirefox.exe

pid	process
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
1060	firefox.exe
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE
2476	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEfirefox.exefirefox.exe

description	pid	process	target process
PID 2476 wrote to memory of 4908	2476	EXCEL.EXE	mshta.exe
PID 2476 wrote to memory of 4908	2476	EXCEL.EXE	mshta.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1060	3376	firefox.exe	firefox.exe
PID 1060 wrote to memory of 208	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 208	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 348	1060	firefox.exe	firefox.exe
PID 1060 wrote to memory of 4288	1060	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\obfuscation.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SYSTEM32\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
2⤵
- Process spawned unexpected child process
- Suspicious use of FindShellTrayWindow
PID:4908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1060.0.879345651\1396121197" -parentBuildID 20221007134813 -prefsHandle 1656 -prefMapHandle 1648 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d0ca9af-9980-4d74-8abd-7363c3396856} 1060 "\\.\pipe\gecko-crash-server-pipe.1060" 1732 26d9910e558 gpu
3⤵
PID:208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1060.1.570508576\1724790798" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ac616be-8447-432b-9c67-c11c8b8c76f4} 1060 "\\.\pipe\gecko-crash-server-pipe.1060" 2088 26d8c870a58 socket
3⤵
PID:348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1060.2.958897781\75302589" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 2952 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30b1d529-6986-49bf-aef4-068656d567dd} 1060 "\\.\pipe\gecko-crash-server-pipe.1060" 2736 26d9bf3cb58 tab
3⤵
PID:4288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1060.3.994993983\511868838" -childID 2 -isForBrowser -prefsHandle 3748 -prefMapHandle 3744 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16e745cd-dd77-44db-9adc-cf8cd6e7d8c8} 1060 "\\.\pipe\gecko-crash-server-pipe.1060" 3716 26d8c85b258 tab
3⤵
PID:2628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1060.4.76318015\24063063" -childID 3 -isForBrowser -prefsHandle 3952 -prefMapHandle 3948 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {857a0715-54dd-4e88-adc9-4c353fe202a0} 1060 "\\.\pipe\gecko-crash-server-pipe.1060" 3752 26d9d15a558 tab
3⤵
PID:1436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1060.5.141289213\433999605" -childID 4 -isForBrowser -prefsHandle 2464 -prefMapHandle 2636 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe9e1168-cb08-4c2f-8590-beac7f1ba0ec} 1060 "\\.\pipe\gecko-crash-server-pipe.1060" 4660 26d8c866858 tab
3⤵
PID:5072

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1060.6.82039889\461108751" -childID 5 -isForBrowser -prefsHandle 4948 -prefMapHandle 4952 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aeec83fc-8cf0-479b-93ce-32f27cc5ddc4} 1060 "\\.\pipe\gecko-crash-server-pipe.1060" 4940 26d9d78b258 tab
3⤵
PID:5068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1060.7.327992145\1878621525" -childID 6 -isForBrowser -prefsHandle 5144 -prefMapHandle 5148 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {726eaf36-c3a1-41a6-b356-bfa1b3042076} 1060 "\\.\pipe\gecko-crash-server-pipe.1060" 5136 26d9e4bc058 tab
3⤵
PID:4948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1060.8.175299223\1217364025" -childID 7 -isForBrowser -prefsHandle 2816 -prefMapHandle 2832 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c751e227-891f-4f68-bc6d-6b2507da0df5} 1060 "\\.\pipe\gecko-crash-server-pipe.1060" 2624 26d9bda9558 tab
3⤵
PID:4372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1060.9.94598698\994074754" -childID 8 -isForBrowser -prefsHandle 5580 -prefMapHandle 3196 -prefsLen 27199 -prefMapSize 232675 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19939950-fc0c-48e5-b784-74c6ec54cf28} 1060 "\\.\pipe\gecko-crash-server-pipe.1060" 4264 26d8c86be58 tab
3⤵
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd4e499758,0x7ffd4e499768,0x7ffd4e499778
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1672 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:8
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:8
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:2
2⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2664 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:1
2⤵
PID:5208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:1
2⤵
PID:5248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:1
2⤵
PID:5524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3644 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:8
2⤵
PID:5548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:8
2⤵
PID:5556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:8
2⤵
PID:5640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:8
2⤵
PID:5652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5072 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:1
2⤵
PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3084 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:1
2⤵
PID:6140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:8
2⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1740,i,2032719502342271824,15181499964627832429,131072 /prefetch:8
2⤵
PID:5376

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
8d1b92b88d5e04b0a459f7898925a67f

SHA1
8ac5db91f552c8074aa0f2adbe95c66bdbb38195

SHA256
ed00f2e639a4416503d0a0d22ab36103f3eaa3209ef55c6f879171c4b192dc8f

SHA512
ab6bf4647c22bc1722d4db66291c02f6772b376f937e5287e74ed7dc7a21d516875b7a563beaeea6e6bab3aa84d36cd91e6638164603cfbe8a0e42493d4e7ced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
35994e06096d4f292f1e540d5f29dbe4

SHA1
fb9fc8c6ef5dd928e6b95234bb93d8374a5048ad

SHA256
eb3a94b4bb1085029f724af19f7f9d94a99093caf8d82b428a5358dac409a88c

SHA512
069f623c341b411f74d44c0b3e25ec850e637e6af7df8b14fe5172b2cf467a375cd833bc892958897b18df990dc0644fe636261890c20c40eb728e2719ad2725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2aff655a8a802b9200fb757658f01169

SHA1
37b74eafdd049b95c076847f9c2abfcf8f8a5920

SHA256
673bca02e0b5e6fb89c58bd59b8450ceb50396cf1f74f2482fb26aea97b79c42

SHA512
8905784f1d172212e5adc610aa2e969858948e2ba3cd559a6247f483ff681d18f96e9d311515f2ea0554fa7e69f01a702f42ed0876e2ab0cfb9938178fe6f959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c71be89ab736e7caaf67515e854076bf

SHA1
03e934af4dc39ec9081b90052b5514c3e704b1a8

SHA256
4a99c78d3439097b83f51fe154ea2dd32b06219c0ac4db46404c67bd6afc1a7c

SHA512
95d11fee9c99472b6ddc2a83a8fdd58b4a421cff800fa05b13ceb85ebc45c6d7ab402bc91a949c9ca4c70b47eb1d8fca812a69206086d63cd05397c89bcfb83d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
ac9586c6a760316571b821c827d85cdf

SHA1
ef0ee9f76a225d140beed911361e316590193d81

SHA256
9ebce95a6387c5438431249a7dde8e7aeecb8e094560b741e3f70508c4c6cc51

SHA512
09f98262c9af8c2f7752d507a99463bc2d3c1e390a5f78216b4b5f168b24e32dfedba041c1a107242c8b344cbfbb5e69c05fc8bacbda7c8ae5d97629457c971a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp
Filesize
142KB

MD5
69ab965c1044093e82384b01bb2f7b7d

SHA1
7e3e547840ff6c1c7674b993cacaa57939f2e09a

SHA256
aec670738b4badb7e98006afee839e9d96e2ef3b6dbd6f0c5d4cfa1be55aa9a0

SHA512
7f64d1d06fe119cf543a757ee35cda55e141586b777db5fc8c788806256089e74c1ec2dc113efa97c5e9e7a1bb69470207028ea3234b18a0ba15db5ae9a80c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
Filesize
17KB

MD5
084149c0fc6722b43b42ebc96f22effe

SHA1
d40525e84d7da7f2e193a4e2fc2a24739dc88027

SHA256
8d74853d271ec7a12880c4e33591df212628e3cb6a2f4038adad28c4b6891a96

SHA512
193a745b3bed038168d7523e9d7f670e62bf4f6ba81b4117a3c80b9c848b3ac69059bc3c4ab72eee41d4defacc32249cd9df1b6683c088eb820e54fa85d7280c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js
Filesize
6KB

MD5
fc03769491e92557713bff75b3dcae44

SHA1
a4f4687575dba8a950a014c93d8f9f086a2b68d6

SHA256
3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

SHA512
8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
7b7a3c0c23f9fcb9b47b1c0e8edc2b37

SHA1
c9d81a632a5d788263a230a43197f9382dbe642b

SHA256
4d41601c8ba7c35f71c15255e07df659dbe225691cd633eaca64617a5352e2d3

SHA512
1d7e3bd7f7eb6f70889d33e18e3c1b6c1d5bc9db0f6b02706c063eec8c14a9247f3f1cbca731bc72d5a0482dccebcefd3a982a1b897637cf2e6fca1b02067d5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
d59711b485f6f325b336357e5aa51fcd

SHA1
29fbd16c3c4c7672616d198c7c67e55539d7bb30

SHA256
728649503a12c2e910960ee456f3932b1248e5be2042942e86a6e43173945025

SHA512
680143219acb9f6c9cd7f7b556e839639ad19891f9e991ba500d580b5f9b730897c40af46335a9066f5f8c7d05d0633de483b8852ce6e18a4f6c06ab0851b108

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
9b955b22d7badcebbde8a60a8a36e0cd

SHA1
bb174328dec85399a76af4c27a53720d23974e5d

SHA256
e24f98f5ce456c8891f13b8b40fae819f4d91667ef5efc22ae9bb1806d430c41

SHA512
640b4fc0f34e9a6126fd8ccc164299ee6a3d0c005e56395225b3c1a5680856b67b3d9798d457f69f37554949a8f2af24aa84fbac12d16f1443c021a8d6d79e6e

Download Submit
\??\pipe\crashpad_4700_TEAVLKDKYSCMQNQU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2476-348-0x00000255D8390000-0x00000255D83BF000-memory.dmp

Filesize
188KB

Download
memory/2476-335-0x00000255D2220000-0x00000255D2420000-memory.dmp

Filesize
2.0MB

Download
memory/2476-121-0x00007FFD3CA80000-0x00007FFD3CA90000-memory.dmp

Filesize
64KB

Download
memory/2476-304-0x00000255D2220000-0x00000255D2420000-memory.dmp

Filesize
2.0MB

Download
memory/2476-134-0x00007FFD39420000-0x00007FFD39430000-memory.dmp

Filesize
64KB

Download
memory/2476-133-0x00007FFD39420000-0x00007FFD39430000-memory.dmp

Filesize
64KB

Download
memory/2476-124-0x00007FFD3CA80000-0x00007FFD3CA90000-memory.dmp

Filesize
64KB

Download
memory/2476-123-0x00007FFD3CA80000-0x00007FFD3CA90000-memory.dmp

Filesize
64KB

Download
memory/2476-122-0x00007FFD3CA80000-0x00007FFD3CA90000-memory.dmp

Filesize
64KB

Download