purplefox | hxxp://14[.]241[.]97[.]145[:]13769/2E0ECB2F[.]Png

Analysis

max time kernel
87s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2023 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://14.241.97.145:13769/2E0ECB2F.Png

Score

10^/10

purplefox rootkit trojan

Malware Config

Signatures

Detect PurpleFox MSI 2 IoCs

Detect PurpleFox MSI.

rootkit

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\2E0ECB2F.Png	purplefox_msi
C:\Users\Admin\Downloads\2E0ECB2F.Png	purplefox_msi

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133294968005665509"	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.exeOpenWith.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2196 chrome.exe
2196 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4052 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

2196 chrome.exe
2196 chrome.exe
2196 chrome.exe
2196 chrome.exe
2196 chrome.exe
2196 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
4228	firefox.exe
4228	firefox.exe
4228	firefox.exe
4228	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
4228	firefox.exe
4228	firefox.exe
4228	firefox.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

OpenWith.exefirefox.exe

pid	process
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4228	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2196 wrote to memory of 2132	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 2132	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3404	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3908	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3908	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 3784	2196	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://14.241.97.145:13769/2E0ECB2F.Png
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8b389758,0x7ffd8b389768,0x7ffd8b389778
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:2
2⤵
PID:3404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:8
2⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:8
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:1
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:1
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:8
2⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:8
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:8
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5176 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:1
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3312 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:1
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5180 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:1
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3320 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:1
2⤵
PID:484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4336 --field-trial-handle=1812,i,12336362938845026250,351648431254459629,131072 /prefetch:8
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\2E0ECB2F.Png"
2⤵
PID:3756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\2E0ECB2F.Png
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.0.5794453\1597383504" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8db8b4cc-b3be-44d6-93d8-a6a283892129} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 1916 1dd45ded758 gpu
4⤵
PID:2060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.1.1638173986\702538600" -parentBuildID 20221007134813 -prefsHandle 2332 -prefMapHandle 2328 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b89b0d30-da0a-4cf4-a6fd-a008cf1b19cf} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 2344 1dd38d6fe58 socket
4⤵
- Checks processor information in registry
PID:3044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.2.709417141\518496567" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 3004 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1090d698-3568-451a-b861-1e4c0e9e3179} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 3260 1dd45d6aa58 tab
4⤵
PID:1172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.3.1174260058\1760652388" -childID 2 -isForBrowser -prefsHandle 4012 -prefMapHandle 4004 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbd7281a-1ff6-446b-b115-15ec6d730c54} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 4020 1dd38d60d58 tab
4⤵
PID:4472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.4.1382999896\1910253579" -childID 3 -isForBrowser -prefsHandle 4776 -prefMapHandle 4804 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2108fd1e-1415-4b53-bb8e-c3d7f6a31d0c} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 4416 1dd4c53ae58 tab
4⤵
PID:5500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.6.2141232846\372787454" -childID 5 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbbfc8a8-4b83-456b-a105-b10891e94818} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 4520 1dd4c53a858 tab
4⤵
PID:5516

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.5.448265044\1085844903" -childID 4 -isForBrowser -prefsHandle 4928 -prefMapHandle 4932 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c87f8d6b-28cd-4c60-8434-1655c35b0ace} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 4920 1dd4c53a258 tab
4⤵
PID:5508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\288052cb-5806-4932-903b-0ecd727904dc.tmp
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
0e878ce9dc20ed5bb2d472bdb6b81a8e

SHA1
6e20df8dca8eaa85e96f2988fdfd7933767f20ca

SHA256
0475293cdb799c530628a208b54ec32448bb09a40f0cced53076f854a87e2f2b

SHA512
3f0e10407f5fb1f94b23d93d880c2b8f8f058426b14bd76e6f23488512c542d524b8f35598679f0d86c1f2943347e00d880d335c9813143ed07c60db25e21dc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
eeb2086c473ab3857c06198aaf9a4ff7

SHA1
0b3bc7378fa964ac277bc0ac72643ce5d41997e8

SHA256
c425788598d0eaafe77144d95fc7ace8bcddd6a85b9b3dc2365d4f51cb21153e

SHA512
b5fbbaa078e32b40c115a413896b3882ec6ddbfb053dd6cc462f3e8dcb9a287c521db591c705388ae059aa0b27b76500154d56e43f9b8be4dfc2a9faf4c76894

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
bdff2c05c9f95d5b9125d9dbdaf2223a

SHA1
0e49026a1e51b6f80518b02e75096c810076b9da

SHA256
8f7c84d5843d8079faaf20ff56906ab986d94f1a89f345870a92411439ff1330

SHA512
4da3de74731f38caec1989240428dd1c64f8bfab70e8985bffa4119ec06c0101ad9c9a59567fce0be31efb3196bc1bf100fdd8389bb1a9f2d3df5ab805002481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
153KB

MD5
d525275db8769ec4b9915650b9cf0126

SHA1
0a6d1746e574e1107881e77f06358538d73366dd

SHA256
fab4fedb1d4d5d39cf60edabc48034a6ee60d0613958d7099b9d0244f2f42b2e

SHA512
d7d7708d5bac5b885bcdda80b88bee4b004bb97fee1f4fcefbf0c35217119b3d31ee6218e8f0182f09df8384b286ebae3ba5f6d450aeb5f089dbdea8e0b42d9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
153KB

MD5
a0ae1ca8bdc2672188c687230724b0ca

SHA1
7c9a0cfe1032751ba6bd5f70d2bc1e93578d3676

SHA256
2e41753e73639a8df5eef4e952bd98177fd4f44a9d0865db55e95ad73d21f785

SHA512
bdccb980d4ef14b4fccfc90181c55b56f7ef305eef5b38cbab63865432514dfa8ff140ef29be925b81f9ff735a1398def55253004382113f25c169d03e62ad93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
107KB

MD5
119b32cfad702e66efc65599a70458a2

SHA1
b16c0ac37023100a5c2c0dbd560a545682469b77

SHA256
9b7f9da5e2b6ba933c66bd5ac0985fad308c2ee9cd4e8e545dac67febdbc16ce

SHA512
96a5f8ec086cc6dcbf98af7ff057d1ed409a2b80bc54f76eab6c7c3c6d7742099c763fd5216b40e052956263cf441be91c692e461a5bd23dc8f6dcb5d298ea0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe576793.TMP
Filesize
103KB

MD5
82a73eb92913ef3b900c216fddd9b1fa

SHA1
77c1893166e375bc852f9a83588746bc3629edfd

SHA256
2dca66ca712c2480466c32055b4d0103988b32615b5f83ec1ddb5eb15531f1f2

SHA512
1f4cf15d72f785dc4473f573d76d8b8bb8eb2d42fcb690e04e85fe194d5786fa75667bed7ede24135e8b1588afab2ea54feeb493a02d231d360ec0efa921576a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp
Filesize
145KB

MD5
195ffc69ed4307b8ed4e879bb7e89584

SHA1
f51b14f3ec8970ac4b8754a87949d6274b5a9d1b

SHA256
cfc1aa7f38712b3c7aa76986d0e277bff04eb0259e6f8e0c4a161c379c159cf3

SHA512
7e42b4efc50230f36d8e15a5042e3be29ca16ebd98c036656426cceca124dbc1a9c0efeace52c488ddccccd9ffc040c2a3268872132a6f89a09b5400cf93584a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
6KB

MD5
ba6f964e3a632c1eac7a08819893a758

SHA1
cb668c4f15c22cacd2bd8cf4554347e97d2ae380

SHA256
8e5d81a463d88b145ce9764c057adb4e8525e2aa729c13fb57e12ad36d09a2e1

SHA512
19bacd077be3fa77046ac14d3fd3ac19bef5dc36f3ca64eb9256beafb9e9a9bcb7f05a7896f598d3bc677fb8b1a2640874338a620a552e13a1b71c7f42395e54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
6KB

MD5
ea35468169decf68814d2c2b8ef4adb2

SHA1
be47887eebf7a3089e07ff58676b9314d51b3e2b

SHA256
ea8f7f6bdd8dc34fcaf2c1da8c633782482f10fd1f63afa5cff6a2b07978764d

SHA512
2e846b0e6133b23905ac1f035dfb037ce4840ef6dbaee106073eeb9b8800ef0aaf3131800b38edfda38689cfe86d6aa78ad9eb3b35f5c58f3cd154d07824c866

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js
Filesize
6KB

MD5
f73e52d124620d05267ba934f3b312d3

SHA1
34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

SHA256
fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

SHA512
4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionCheckpoints.json.tmp
Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore.jsonlz4
Filesize
928B

MD5
583762f9652b34f68027b86ae3537bde

SHA1
200cee80c72f353b789dc07a96d69e446679fae9

SHA256
b16ce9781ed4befdb146580381315b898a573140d686b13aba27129bc493a823

SHA512
0b86fcfe15492a5b7f2993af9617f41e4436f055a27549d2dfcd9507d1a57228ea85a40e0b5890f6327df6e413b1e4af6a333aff9570c5ff44fd533e52873ace

Download Submit
C:\Users\Admin\Downloads\2E0ECB2F.Png
Filesize
1.4MB

MD5
0a7e6b2a85348ef15e50ac9ce40e26e7

SHA1
5814fe8730954b0e69a74baa2e035350417c45c9

SHA256
8b24030f13a99619fb8275f3aa1c848c6b1ce64a67964f586398b428ac5784a5

SHA512
767cd407f3d7c8b36f7e7781196a7692b485855f4a0a090be43babdd211417ab0f69c77d3e820806abe4bdded0d5e1a7573aaac58e1f7be6dab47bf8aa52d9cf

Download Submit
C:\Users\Admin\Downloads\2E0ECB2F.Png
Filesize
1.4MB

MD5
0a7e6b2a85348ef15e50ac9ce40e26e7

SHA1
5814fe8730954b0e69a74baa2e035350417c45c9

SHA256
8b24030f13a99619fb8275f3aa1c848c6b1ce64a67964f586398b428ac5784a5

SHA512
767cd407f3d7c8b36f7e7781196a7692b485855f4a0a090be43babdd211417ab0f69c77d3e820806abe4bdded0d5e1a7573aaac58e1f7be6dab47bf8aa52d9cf

Download Submit
\??\pipe\crashpad_2196_FOKVRHPNVJSTOKEX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit