snakebot | hxxps://mega[.]nz/file/5TBXGKDY#V1ylJ25XIMNEjvCIYzGuVaRsd1iZc5Ufe1sJ6D2uBrs

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2023 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/5TBXGKDY#V1ylJ25XIMNEjvCIYzGuVaRsd1iZc5Ufe1sJ6D2uBrs

Score

10^/10

snakebot snakebot

Malware Config

Signatures

SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
snakebot

Contains SnakeBOT related strings 2 IoCs

snakebot

resource	yara_rule
behavioral1/files/0x0009000000023101-459.dat	snakebot_strings
behavioral1/files/0x0009000000023101-476.dat	snakebot_strings

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31040042"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4091793663"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31040042"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4091845625"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000066e6313745c56945b5c0e72d4349aed1000000000200000000001066000000010000200000004923b6d2dacf9a7dd84f2e89b5747a3b6e1ec7397e9bd86abe651b237e6a1373000000000e8000000002000020000000bd4bea75d74e06cf30ab9ba39b96f5e21a67d528220c0e2d442e2d82cb9544a4200000006207431a746141db7a0869d9a6187e585e8ec278162aca22dfe0a58047b2843e4000000015d7b6767f80a8cbe3d0ebfd54854c0d770f26042e00bf94b13e2c7aed99e2c52428a44928ee11367d74dce63344dfb9b6350fb6204cb08b1a433d6d5383771a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06deef52aa2d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393888279"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31040042"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4105631341"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0e3bff52aa2d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1EAF7111-0E1E-11EE-9156-DAE3AE61CC88} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000066e6313745c56945b5c0e72d4349aed10000000002000000000010660000000100002000000021f4186c74d55bb258113c1474b2a03f9fa869b99826f62cc1a844cdbd87aaed000000000e8000000002000020000000f6939afd069f0c3eb8535f50b1277e7f1a6867f1d15252ab5cd813ed3f6eb11b2000000000b1e84bc5b2520fc9b2b9ddd4133250f0cca28cb376a260ef80fc0219aff3bc40000000ba016b723ab0fa51b90a014a76234e2cff3f68fb8ab0eeede49a33afdb50d363c6e9bf267871dbf482824fb9a174a2647191e53dc2eb166e675c16819d686e6a	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\db_ Aternos.org [855k].txt:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	firefox.exe
Token: SeDebugPrivilege	4648	firefox.exe
Token: 33	5152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5152	AUDIODG.EXE
Token: SeDebugPrivilege	4648	firefox.exe
Token: SeDebugPrivilege	4648	firefox.exe
Token: SeDebugPrivilege	4648	firefox.exe
Token: SeDebugPrivilege	4648	firefox.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4364	iexplore.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
5936	NOTEPAD.EXE
5936	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4364	iexplore.exe
4364	iexplore.exe
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE
4648	firefox.exe
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 1576	4364	iexplore.exe	89
PID 4364 wrote to memory of 1576	4364	iexplore.exe	89
PID 4364 wrote to memory of 1576	4364	iexplore.exe	89
PID 4648 wrote to memory of 1972	4648	firefox.exe	90
PID 4648 wrote to memory of 1972	4648	firefox.exe	90
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 5060	4648	firefox.exe	91
PID 4648 wrote to memory of 464	4648	firefox.exe	92
PID 4648 wrote to memory of 464	4648	firefox.exe	92
PID 4648 wrote to memory of 464	4648	firefox.exe	92
PID 4648 wrote to memory of 464	4648	firefox.exe	92
PID 4648 wrote to memory of 464	4648	firefox.exe	92
PID 4648 wrote to memory of 464	4648	firefox.exe	92
PID 4648 wrote to memory of 464	4648	firefox.exe	92
PID 4648 wrote to memory of 464	4648	firefox.exe	92
PID 4648 wrote to memory of 464	4648	firefox.exe	92
PID 4648 wrote to memory of 464	4648	firefox.exe	92
PID 4648 wrote to memory of 464	4648	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://mega.nz/file/5TBXGKDY#V1ylJ25XIMNEjvCIYzGuVaRsd1iZc5Ufe1sJ6D2uBrs
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4364 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.0.1729962506\1884995066" -parentBuildID 20221007134813 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {59c46b16-f20b-4325-8f6a-d6b785c7f2af} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 1932 2337e7d5d58 gpu
  2⤵
  PID:1972
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.1.711009397\156605428" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e63e97a1-55c6-41ed-ade8-256534068ed4} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 2332 23374172858 socket
  2⤵
  PID:5060
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.2.1340252732\1696258387" -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3060 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f892a4a-b416-4410-a93a-6ca6465c39a2} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 3064 23304d38e58 tab
  2⤵
  PID:464
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.3.2021714900\747103312" -childID 2 -isForBrowser -prefsHandle 3220 -prefMapHandle 3236 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1b81e61-8491-46aa-a276-8138179ff16c} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 3208 2337412f658 tab
  2⤵
  PID:4660
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.5.877613468\566850962" -childID 4 -isForBrowser -prefsHandle 3724 -prefMapHandle 3728 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7cfb009-4a07-4854-9f65-67b1dd6e14d1} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 3188 2337fc3cd58 tab
  2⤵
  PID:5004
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.4.544918934\348746970" -childID 3 -isForBrowser -prefsHandle 3636 -prefMapHandle 3640 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aee2c9aa-8158-4c26-a34b-11fd0aa2de1b} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 3196 2337fc3c458 tab
  2⤵
  PID:452
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.6.2105042664\1435890032" -childID 5 -isForBrowser -prefsHandle 4648 -prefMapHandle 4644 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51e28665-f7b3-429d-86da-f59926217af8} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 4660 23305451858 tab
  2⤵
  PID:960
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.7.771631250\679011202" -childID 6 -isForBrowser -prefsHandle 5272 -prefMapHandle 5008 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d248de83-2024-4c00-ac5a-95e82a948fea} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 5280 233073e8358 tab
  2⤵
  PID:4880
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.8.1883325164\160055863" -childID 7 -isForBrowser -prefsHandle 5724 -prefMapHandle 5720 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8420f443-e1b3-47a0-b253-8dc289f8c4cb} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 5732 233083e6258 tab
  2⤵
  PID:4040
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.9.1376778491\416444303" -childID 8 -isForBrowser -prefsHandle 3600 -prefMapHandle 5112 -prefsLen 26851 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {855b0825-205b-4590-960a-aead73ae3e28} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 3788 233040a5e58 tab
  2⤵
  PID:2640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x42c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\db_ Aternos.org [855k].txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:5936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
22cfc6e1f6014767f3ecf462b07b2dfe

SHA1
d8e0e7c4ee4df088f1d458b661bc5a3a29e4e337

SHA256
b764b9401ca232b2177ec55b9e03fd38c701b89119eb2f653c748637288ae3c0

SHA512
2a19ac9300702be5a1f77c7a048782ab2f22e47f3a65711cb2f9f8c314ba496743e397c5cb2bcf4b88ffecb21b051b38070aa9cfae967c338f118472d4aa84e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
071a19f62da3de6010c129167c0f709f

SHA1
5b88abe630c22507e799738cc8f425121aae9488

SHA256
176527776186e4f450742c271ad1756e33a9d5c203c272e4ee38b3a9dc816548

SHA512
66179bb8b4cc27748eee7e4cce3cb73dc809a9c933b00355bf75c9600efa8f4f83f223c6f80c013086766b5675ede70bbb0b3fc44f4dba12cd8ef70d4099e437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\95fmw5u\imagestore.dat

Filesize
6KB

MD5
06c121bb9a75ad3594a5d3e41e08eb88

SHA1
fc374f35a50dc371ab8e8003ba7df5e04079fdef

SHA256
4ad1a39ab3a9abb0e4cb0b395fb72ef1bc8d62552ca6f28b9f1dbaf57c50e49f

SHA512
06aecad4431fc8cc3c738780dea0e4b4e309bc6a9ad9dcdb83d82c761049ab6a62632467e51fc97e4341c488f885550074233f175f2dd72ac4e7c921859021d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1B83N948\favicon[1].ico

Filesize
6KB

MD5
72f13fa5f987ea923a68a818d38fb540

SHA1
f014620d35787fcfdef193c20bb383f5655b9e1e

SHA256
37127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1

SHA512
b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H82VOZS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\activity-stream.discovery_stream.json.tmp

Filesize
139KB

MD5
b3ed4c6f1001316a9fde7be6b1264764

SHA1
04ee114be1f44056cef261fdd9cb20a59137916f

SHA256
54846ffcca1b55350fe9d513af0ec19d593ae7b2ef2a4b2acb891d7c46b3391a

SHA512
8755cd52460ced36e9c2c436d5b8a973cb4d095b504b1fcaf9aca8793e67c7d0304d4e4d2dc20df97abe82742c42a7b7b09ec27f59d2c5fb471b6555cdf7d552

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\cache2\doomed\792

Filesize
9KB

MD5
94493fee2f3c7cca91c4b6de67c5274f

SHA1
f5544da1db7c24e2c9f926c7a6eed4920e71176c

SHA256
7bd0c6d72884f86dd274d675fc49f9e69452dccb10f40225f766a32a4f1bacc9

SHA512
6e1bc1724e1e361a2208b074f05249d9512cb7a7b37d48a7eb25c1c2f19da33bb222b7c17b3fe3b0d9383ada3846bc0fc914810525a3474d5b86e850b341af94

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\cache2\entries\58D46C4012E4AD3623A4EA72BB3C1CDD25B3FF87

Filesize
14KB

MD5
2cb77271c678681ea092b213017f2e13

SHA1
944b6690c1b21a4811b42e78b59bb30eb8d9e60c

SHA256
a7ff801fdea347c8e82bfb9d5d3e175fab8bb78758ef63f10749bd66c598fb7f

SHA512
27f081ef4eaa3d876ed355a92b555b7267ee4eda54cae15051f43cc0199637cb2d664d63d3a01550b9402cb90673ac032fd21477ce7a18abc79e2948a8a63468

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\safebrowsing-updating\ads-track-digest256-1.vlpset

Filesize
54KB

MD5
4f9ef3d3a71d4cb49e623e3f4b7b1162

SHA1
c2d65973b44b051d043475e9387fa7100514acbd

SHA256
48ae004f3c542ac764dd5a1e894918ec4b250b5c1f7209256c191cae13106b1f

SHA512
f7017204ad37ceedbff4e8b58ab4edac75748d2f36693e59ea9d9157f637d29b53c6405d994ac9fc62712f2574013e95c4817ff49229c78dcc23cac805b13ed7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\thumbnails\76ca1b50843d6242d625034ef592e697.png

Filesize
4KB

MD5
ee876c442df987e93befb2e7d8406b9c

SHA1
2c63d35bc6778263e19ec88b0424231f1d43f665

SHA256
c23f59353a9d3e9bff668875ae857fd6beb90257f9dface9cafcb565cc4c27f7

SHA512
4715ce557e8f660235e726a12302c20117c7996bad059e48675c102fb879885fceb49c55f656fb8c0545152262268f600c3880352398e4bf52892c8990340e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
4.8MB

MD5
f858161a518cac00585f2f52333928cd

SHA1
ede428de61db445523efeaf4d34f22ee389c0a74

SHA256
a144721178fc62236518178db3185210fe13d99b1e9e3f32aafb23d35582e7c9

SHA512
c819ca1ed06b73222de0e785b70dacdd028190f85d31859afd88a0a1f904764040e3501efc4fd694faa380f85cf22524854de85cebd542fd9196d4c76e694db2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
3.9MB

MD5
8b0ffb4ef573d2339a2bdf800293a86c

SHA1
a29ee012e0797f69ff2ecdef90a926125930d96e

SHA256
ad60abb5a23460e8d0699a1815bc9d9896fe0d5c663bab12e14be83d2d479cd5

SHA512
05f29a956ca5a79d069b466cf059898cf0d1bca68f40e0aad9677f3b479e596c1ecb88221b735de1e5b2b930763795fc6c7c16444fb49672ec0f01aff8cdc23a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
6KB

MD5
168f11102e1d8974d75c0599d5f450c8

SHA1
f8d9ce2e4264adf5859d78638d5cd83bcb383779

SHA256
d0c772ebceb39907aa2d5299afdfb87ad26c1e339c95908d2720818fa20c515d

SHA512
97a1620ff1f77710f2b6afa32e70e00bb2923d867f9e733345f76d6fbe4ce3fc950adc5737e196310ab72c71b3b98f82073ef1533dc5e9943bc2cf760bfcdee2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
7KB

MD5
ceee16a9ac72b3db2d3fa60ce929be14

SHA1
4e70095e88c9ba90550718d92a9fc4a7d6098a78

SHA256
082a28cac204c62e1944b9f13e55f86b7a0d2216fae46d3afe5933408d21151e

SHA512
061582e4b34bf21f498cb075920f72e5b91c6979d33e8b0ba0407f013b9f75c1545376a6d15e318167ef038f8d8b06df953c052eb0723bd5709ec9f62dad3ee9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

Filesize
8KB

MD5
390660b8f2fd09b0478b18f34d6ec157

SHA1
7f577a4259cd982091e7aef49a0eafe3ae455172

SHA256
510ea360bc9df08a4761eb7514c4844f864517c4f7cab7eaae208cb163b9c93c

SHA512
7b758b2bbdd5482666b80d922f3da8aabcf97721ce166329e823c0143c4657a04acb701c4d0a62becdd133d8fcf268e78c56b6998b633fb2ce9fe14d42596559

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
e4b0978e894651887fac0afeb85097c5

SHA1
c4a1e7453f3c06d15d2ee197b13c6fe80b720c92

SHA256
8c501d563151c9e1b6629cd83e66ac32e0e50859401d3e7cc2fe4b0736dcbe7d

SHA512
32fae644496e59aa8d285ba8faf74e983b195c3f72cecc4dfe8c5edccace1b6b43cf549fcf790792d48e3a0cd3e5ca99d8e888f2c6068221a3f7290545f0d1b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
1b561c34703388f2c1f6ecbfa1f53c9d

SHA1
58adfcaf2a5ec13646add68b8d33f0b56cf94dc8

SHA256
47fdb420fa9641e6443f3b233f870924b5e5787d312a036ec437350a3b6c1370

SHA512
2b68b1a6344d1182cdf84555dad544901a2d2f249ad676aaf4858521dd914ba3b2ceefbc524be5ccdc438440c6b6b72edc90caa34f5c1992ad29a42dc964f17a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
4671c4035787c84ed20a7a04cdc41a54

SHA1
aeb5a1c5e75a334c8406419c79dd866953596527

SHA256
3a8ca9255445107f9567392fbca7057c168675b9fbc12d373d133bfdfd485fc5

SHA512
75714c222ccafec360bfabc5c47bee02000f20250ac12db03412d61c5f58049a3a456ade110bb4371189b7d852ca78bc7a14ebf64d5e6c6d0fe51fa480abc7dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\storage\default\https+++mega.nz\cache\morgue\47\{08b07c0b-7979-4c05-89b8-a2618ac7712f}.final

Filesize
1KB

MD5
3efa9abd92666265dd81c4f4311a96f9

SHA1
41b6b716d67b93555e444cd453f3c6e3f8c9522c

SHA256
5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7

SHA512
5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite

Filesize
48KB

MD5
b075152c5fac5a4c3904c816cdf35079

SHA1
ba3f40289b63df706bce5812aaddd59d00fe4ffa

SHA256
0388f4bf0e151a09facd9ee488b83901643a5327f265d4bb18149fe925fb10dd

SHA512
56e952ccb1a69ba68ce931be87c824b689489c02d47c3e38c22cc51914a2b50c65a89e09067d38eecee186be7477ee7f596e1c12e6e911dda66d1986a18b88ae

Download Submit
C:\Users\Admin\Downloads\db_ Aternos.cwSlQFUG.org [855k].txt.part

Filesize
27.8MB

MD5
9125ee92fa8d5ea78604ba439e7d1f7e

SHA1
25282d38e1f5e20500b63192add3dcca9e735b99

SHA256
72fce8bd0293c1f42a6354b9c90e7fa1b4e99f33d0c984ad7a7daed346154643

SHA512
cbbc000028bf8769ceb32c62d37e8a66e9ba20bdc12f65865607b670063d9137b6dcd6d6e3ff4d096cedfa28c73eacbe801cfac7ff99a4340cca22a4050f5eea

Download Submit
C:\Users\Admin\Downloads\db_ Aternos.org [855k].txt

Filesize
27.8MB

MD5
9125ee92fa8d5ea78604ba439e7d1f7e

SHA1
25282d38e1f5e20500b63192add3dcca9e735b99

SHA256
72fce8bd0293c1f42a6354b9c90e7fa1b4e99f33d0c984ad7a7daed346154643

SHA512
cbbc000028bf8769ceb32c62d37e8a66e9ba20bdc12f65865607b670063d9137b6dcd6d6e3ff4d096cedfa28c73eacbe801cfac7ff99a4340cca22a4050f5eea

Download Submit