469f208de455fcb6d334b6ec3655102ae6893de374f890961ab9f317bdfb2c8c

Analysis

max time kernel
60s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lethal Company.exe
Size

651KB
MD5

a5721809407229d21ea49a2eb5d8e962
SHA1

1456ec35a2d975ec9d5e732c1fb27987c4184697
SHA256

469f208de455fcb6d334b6ec3655102ae6893de374f890961ab9f317bdfb2c8c
SHA512

f2d5dfb53b790f65987cba5340a3983f03eb23416dc8eb1a1d768a109d845191c48a445f54783b16ed4e089086d2f2815f91582a0f2a547d959a74c5a2f4064a
SSDEEP

12288:p/744aOD8q/jZe+uMPnH8ENDk1sqhtNswxLwNfZI9MFwKF9qlfLCkG:x9aOSMPnH8ENDk1sqhtNswxLwNfZI9MD

Score

7^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /autoplay"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer\CLSID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\\1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\FileSyncClient.FileSyncClient\CLSID\ = "{7B37E4E2-C62F-4914-9620-8FB5062718CC}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CLSID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID\ = "BannerNotificationHandler.BannerNotificationHandler"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ = "ILaunchUXInterface"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ = "OOBERequestHandler Class"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\odopen	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\ = "UpToDateOverlayHandler2 Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "IFileSyncOutOfProcServices"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\AppID\OneDrive.EXE\AppID = "{EEABD3A3-784D-4334-AAFC-BB13234F17CF}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CLSID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\ = "FileSync ThumbnailProvider"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\ProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\FLAGS\ = "0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ = "IFileSyncClient10"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\OOBERequestHandler.OOBERequestHandler.1	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013"	OneDrive.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5060	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5060	OneDrive.exe
5060	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	firefox.exe
Token: SeDebugPrivilege	1304	firefox.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
5060	OneDrive.exe
5060	OneDrive.exe
5060	OneDrive.exe
1304	firefox.exe
1304	firefox.exe
1304	firefox.exe
1304	firefox.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
5060	OneDrive.exe
5060	OneDrive.exe
5060	OneDrive.exe
1304	firefox.exe
1304	firefox.exe
1304	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5060	OneDrive.exe
1304	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 3404 wrote to memory of 1304	3404	firefox.exe	103
PID 1304 wrote to memory of 4536	1304	firefox.exe	104
PID 1304 wrote to memory of 4536	1304	firefox.exe	104
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4104	1304	firefox.exe	105
PID 1304 wrote to memory of 4304	1304	firefox.exe	106
PID 1304 wrote to memory of 4304	1304	firefox.exe	106
PID 1304 wrote to memory of 4304	1304	firefox.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Lethal Company.exe
"C:\Users\Admin\AppData\Local\Temp\Lethal Company.exe"
1⤵
PID:3276

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.0.46726148\109568233" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20750 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3f0adaf-cda5-4c38-a96c-2676019be3c0} 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 1980 211ca7d9758 gpu
    3⤵
    PID:4536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.1.447364853\149990449" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20786 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {215a409c-2d1f-47c6-89a4-afb93a51a3be} 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 2380 211bdf72b58 socket
    3⤵
    - Checks processor information in registry
    PID:4104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.2.628866151\717370427" -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 3104 -prefsLen 20934 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43a63708-ea07-4f6d-8169-fa8d2fb4eb84} 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 2952 211ce58f558 tab
    3⤵
    PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.3.1479676880\2138029655" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3556 -prefsLen 26112 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a6eee93-0c09-4b69-a544-64b46cd68c84} 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 3572 211bdf62b58 tab
    3⤵
    PID:2940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.4.751801427\2125258737" -childID 3 -isForBrowser -prefsHandle 4256 -prefMapHandle 4248 -prefsLen 26171 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c50e857-d03e-4da5-961a-7dce76b048c4} 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 4312 211d04b8858 tab
    3⤵
    PID:1912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.7.1373035541\1331621590" -childID 6 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 26171 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca4a91e3-9469-4e03-a59c-2fb85d3aeef2} 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 5404 211d0ed6558 tab
    3⤵
    PID:3012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.6.1682647793\2119354513" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26171 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d18bbf43-ec6d-4064-8170-f663ed841a3e} 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 5116 211d09f8858 tab
    3⤵
    PID:2872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.5.2017131385\1816790356" -childID 4 -isForBrowser -prefsHandle 4856 -prefMapHandle 4860 -prefsLen 26171 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67bbab77-27b0-41ab-a039-b290ccc34b5a} 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 4884 211ceb8e958 tab
    3⤵
    PID:4288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.8.1641600815\1330080733" -childID 7 -isForBrowser -prefsHandle 4324 -prefMapHandle 3968 -prefsLen 26346 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cd49ac0-341b-4c77-ad96-bc1738395b3b} 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 4416 211bdf71958 tab
    3⤵
    PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\viagl6cs.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
00226efd42cd510f3eaee498d4807763

SHA1
0f2b51c149da11fa5258d6686429eb5404839000

SHA256
c37febc8989748780d5c12cc9d3db6e707b37539e34241eb8d230629acdcbf98

SHA512
9f3907ad4c11adfaabee27741c2d518473ead0984ae23bc27ace975ed528b5df8e5e632cc2cf5f13509b074737a33eef82b5aad6cd8c9964c412fe5716dded25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\viagl6cs.default-release\datareporting\glean\pending_pings\85b067b1-c550-49fe-9741-ebc03d08eb88

Filesize
746B

MD5
1ba35a2ed1a3fe71fbb2483dbb55f00f

SHA1
f8018eba7c3c8f1148b85e0fcecab867909f0be1

SHA256
45e2eced474a23959af4c9fd026331de28dfbfcba6d2a5f1c4eb28705ee03f34

SHA512
b37fa2c7628cdd1c955b6d396a704c5f0846fa853bc70e8468d8958e582beb26823d66abc9fc53eadfa28ece87c99ff9ae3590e5c60d55c772415e1b74a5f160

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\viagl6cs.default-release\datareporting\glean\pending_pings\a06568ac-2e9c-4d88-a4a2-3cc0a70c22a9

Filesize
11KB

MD5
d797e8677a49eeef083c48f4b9ea6e74

SHA1
fa207fae4e2db2c0cc3d267cd290434014eec56b

SHA256
5faf666a964a15bd86cbcb7fb7bf3cc0e6c24dfa8627460ae61e2039ee55f115

SHA512
c4e8681f17a732879fa855724c9089b5137337c8e2e7e65bd4967ae36fba941269a12186e20767172d34557119b72c390b146d24c298a95d8c5d13d976e2d1cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\viagl6cs.default-release\prefs-1.js

Filesize
6KB

MD5
5c538e9e73e4fa51e4780b2d7dfaac25

SHA1
05d7fb51db069208bc25c241f0cdf97fd9aae723

SHA256
58b7a0c10681ad7660c741e9e02eee948199e7e3ca183d026c92f8d33a8cd41b

SHA512
841f52239ab59bb195b9793bcfdda3296bcd1e6fec574b0ecbf76906b4d7e776ad3e92f1c831f97de3ca36220e5d2e6e37bc5f4981c22ae7c81abfa59eac699a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\viagl6cs.default-release\prefs.js

Filesize
6KB

MD5
cb798f7a098a8e375fd1904d13dc2c76

SHA1
855a0e18fc0f866187028571aab4fa34b99ce345

SHA256
7de4fc28fea39de14e69c25fd1af97b4832c2c16cfd7611190f4521cb6d53512

SHA512
e654206ccf6ee87368c0b4257f7a1272705cfef1534507d1d0e67acb70f6567f5adf7da08f77cb32d1ffa5b6ed7d1f765179a99fd5fe4a586c7ee3d5a22a52ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\viagl6cs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2b4a7e4c36880fee7a3bb7a9f1e1601c

SHA1
68dbfb9e63102356d3aea4d292f12c527d4c8032

SHA256
a8a7f2e6c704202060eb8470673ba88ebb676c9d43a9353f971381434be861b1

SHA512
b198e60bb2393019119b94bf38dfead85d45f7ce36efc97b6e96c91935f022ec2908483dfd2ea58700622c28e9839192fb3490c7c9697de4d7434840e770ee23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\viagl6cs.default-release\sessionstore.jsonlz4

Filesize
938B

MD5
a7b1ddfd1ab98b38c0b0437e105bbd65

SHA1
c89c8fd7cdf3e1039b0ef5695a03f91da4d0b57f

SHA256
7b2bafe3091a478664400a12ad9aac818ba764bbd6c391309d7e59475c78c72a

SHA512
07bc66fbc9d19ad8027efafc67eb2408895b5771b77caa631cfe80a2b37e2b9ed11b08da4d44fdb52d397b910ff8dc33d89ab4f872aa6e118970ec841cc7255d

Download Submit