hxxp://tria[.]ge

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 19:46

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://tria.ge

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2229298842\4028190398.pri	LogonUI.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "251"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3872	msedge.exe
3872	msedge.exe
2472	msedge.exe
2472	msedge.exe
3552	identity_helper.exe
3552	identity_helper.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
644	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	firefox.exe
Token: SeDebugPrivilege	4144	firefox.exe
Token: SeDebugPrivilege	4144	firefox.exe
Token: SeDebugPrivilege	4144	firefox.exe
Token: SeDebugPrivilege	4144	firefox.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
2472	msedge.exe
4144	firefox.exe
4144	firefox.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
3180	LogonUI.exe
3180	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 3908	2472	msedge.exe	88
PID 2472 wrote to memory of 3908	2472	msedge.exe	88
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 832	2472	msedge.exe	89
PID 2472 wrote to memory of 3872	2472	msedge.exe	90
PID 2472 wrote to memory of 3872	2472	msedge.exe	90
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91
PID 2472 wrote to memory of 4924	2472	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tria.ge
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe937846f8,0x7ffe93784708,0x7ffe93784718
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,2201098883596008433,430074976867087896,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,2201098883596008433,430074976867087896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,2201098883596008433,430074976867087896,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,2201098883596008433,430074976867087896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,2201098883596008433,430074976867087896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,2201098883596008433,430074976867087896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,2201098883596008433,430074976867087896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,2201098883596008433,430074976867087896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:528
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.0.112702048\1799093840" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c98d7bb-e3a7-44e0-a553-2d4fb35d3173} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 1976 159b29f9e58 gpu
    3⤵
    PID:5292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.1.1419774642\1946373809" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {026fb1c6-cbce-4beb-bbdc-457df51ab8a1} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 2376 159b2906b58 socket
    3⤵
    PID:5392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.2.256394672\221877544" -childID 1 -isForBrowser -prefsHandle 3484 -prefMapHandle 3480 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f346eae5-bc93-4e0a-b9a3-06f4aa574e1e} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 3496 159b2960358 tab
    3⤵
    PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.3.1898614557\85838888" -childID 2 -isForBrowser -prefsHandle 3828 -prefMapHandle 3824 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ae7812a-8a89-447a-91bc-a4abec7721b0} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 3836 159b6db1958 tab
    3⤵
    PID:6008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.4.541825637\1169349703" -childID 3 -isForBrowser -prefsHandle 4508 -prefMapHandle 1704 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29a3f421-cab4-4d4e-b2f7-6fa7741aa382} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 4516 159b8493958 tab
    3⤵
    PID:5620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.5.444651191\992855370" -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 5100 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c62958e-a30e-43eb-803f-af3851f5dce1} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 5128 159a6165f58 tab
    3⤵
    PID:5984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.6.1440928787\2038299619" -childID 5 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {452fbd22-1bd3-4825-9a85-cc284fc307ee} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 5260 159b8f48b58 tab
    3⤵
    PID:3792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.7.1682979769\3052624" -childID 6 -isForBrowser -prefsHandle 5468 -prefMapHandle 5472 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2acab5ec-1712-4578-98b2-7d41e5ff163c} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 5456 159b9068258 tab
    3⤵
    PID:6100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.8.1348027623\1685590245" -childID 7 -isForBrowser -prefsHandle 5764 -prefMapHandle 5760 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3443998a-b958-4ff4-895a-4082d75b060b} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 5776 159b2ef9858 tab
    3⤵
    PID:7060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.9.2079471082\468077717" -childID 8 -isForBrowser -prefsHandle 4640 -prefMapHandle 4540 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2774d65-f185-4ed2-b5d5-12a375d6a067} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 4064 159b963dc58 tab
    3⤵
    PID:6380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.10.1186359839\362972980" -parentBuildID 20221007134813 -prefsHandle 4896 -prefMapHandle 5784 -prefsLen 26725 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {994e77df-acef-496f-982e-b8ffaf6195ef} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 5728 159b9850858 rdd
    3⤵
    PID:5628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.11.1777664586\23051005" -childID 9 -isForBrowser -prefsHandle 6044 -prefMapHandle 6040 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {997fd2a4-44ee-453b-abab-4826bbff506f} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 6052 159b9853258 tab
    3⤵
    PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.12.194235671\882215286" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6236 -prefMapHandle 6228 -prefsLen 26725 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {402ddf93-27c3-4110-9bbd-66e9a45ea1fd} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 6156 159b6f55258 utility
    3⤵
    PID:116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.13.1330502726\429458724" -childID 10 -isForBrowser -prefsHandle 6420 -prefMapHandle 6416 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7c19bed-5357-4460-913e-ebd33522e67a} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 6428 159b9b17058 tab
    3⤵
    PID:5596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.14.1338239378\859160994" -childID 11 -isForBrowser -prefsHandle 6860 -prefMapHandle 6856 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {724f337c-0847-40fb-bfe1-4212c98e7247} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 6880 159bab5c258 tab
    3⤵
    PID:6816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4144.15.1970775285\891293261" -childID 12 -isForBrowser -prefsHandle 5624 -prefMapHandle 5620 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb77a6d0-8ea9-4fb8-bb86-d0e18d165410} 4144 "\\.\pipe\gecko-crash-server-pipe.4144" 5612 159a6170758 tab
    3⤵
    PID:7160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c9855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
73c8d54f775a1b870efd00cb75baf547

SHA1
33024c5b7573c9079a3b2beba9d85e3ba35e6b0e

SHA256
1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94

SHA512
191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b206e54d55dcb61072236144d1f90f8

SHA1
c2600831112447369e5b557e249f86611b05287d

SHA256
87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b

SHA512
c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
14750eb7ef09ab03aafad2b65abe9f3f

SHA1
7f26d1097b9579aacd9597f16758b86bdc5fa94f

SHA256
27cba3e485d5fecac243e1fb2c0989389e1f4930bf337b017563849fc580e80b

SHA512
6834e2cc5ec651182d9fa77c407179bde6b7da94f4830d7db45575af48e5f1edd2f8384beeb9370fd1ba712faaa1f8fc87ed61bac5c468e85b588b32d41b3a04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
314B

MD5
c3cd7e310818cbd156ada64fedb80bfe

SHA1
73e07cc4ef0117958d43de19e95e5501fcfee8e6

SHA256
0e65b28321c166c50248fdfd017d92ab9fb44c9d6a174ec654275ba78cb1a5e1

SHA512
0cb972792ac0d160a6f7c7fe5efbc136d44743679cc6db0245a799403432a1aa436680175d6a0ddbf8b76ab0d4e5813b7fd03dcaaee55fb4cb6251f16e9a9edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b302f276cb76e7b011589ce337e2e4be

SHA1
3d3fe1111a8094d206d752f25e360c167a958580

SHA256
08f0993cb51656daf8cc820001bbafd3f653242aba1c949b6175cac43d7da1f3

SHA512
c4c7386084a46c4b6c1f22672937e46abd3722089c1e3ab63ac061a2de0af46733e79c3c3fe6048e37291c7dfc749da2f89180efad4768f185ded14d8a919990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
79b6cd8e568049554b56a922d9c323c0

SHA1
4d6257d49073730037bb19598693e72dc946442e

SHA256
6b32b48de0cd1d3b8ecfdcc707c8e29a3ee12b2f46c510bf2fcb59e1364c1244

SHA512
51a6c97c24f2e945682141df083480a4a4c89e4a5e1a884af5ad517f6bb6b7d5659adce4344fe6120b3a7593bb26d44e541bef41b57e3468edd3a14e3166ae75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64648c57197df523d3c376bdffb1ae9d

SHA1
5a7e8dffb1530d9476feba7593d8bc9de2c8ab5e

SHA256
fcee06e10267305c340a70aad1008e77c4f4c85e2e2f476facf22111833759f8

SHA512
c102011630af21b81273f8995e348a5317ca32778740698fe3c5622099280b483f759ec121264026ed954ba652616226e664cdcdec9c383a49ddd2738c944cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0469c06891f6f6d159fbe7dee57eeb26

SHA1
699ca7ec4bcd9e72c5661dbe1816ccd2ac2d6ecb

SHA256
ac9151c791f5018cf853387b155a8842b152f708d5b2c147153ea99227340afd

SHA512
9e8206e13ac8a6e9fa0a31f2fb462f82da95d2ee6493bd25caaeab0fb2e3675bdd89eb7ba0b0ccf6f4bfd0cf1f296c5a113153d89044c906da3fbef8537b1f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
98fdac69010aae893bc6f0a2f20bc247

SHA1
e250f7d50a06683c8d1e1ba220ebbd516aa07986

SHA256
bbf476b1dadcd146e15fd0bb309f51c830a10288c08c5a075efb912d8bf69e7a

SHA512
30016128e9421dc2c00857c5ec581a0e2cae35ab6eeb3f000f9e1588d7c0b720825916c2748f36e03f75f4ae0ceda85a19cad2ce91129527abe726e768cd7d88

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\32758

Filesize
11KB

MD5
eb236ebedef059390b854e67708b05c3

SHA1
2b307f1428da9f139be540331859dac7b0d3ff57

SHA256
d297b64ef83e07c75f2b32e24ac79d12ae17f87c06f90ac3e014b89b4dc80ebb

SHA512
03c6cbe17761c7bcc60ddf21980e8bd3508e0cc56e8cfb7c6bf656db2f42bb340307f269a4fa0a6c43a12dc7f11145057aff26175b64fc36002fd46239c3615a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
5242e394bdf7f3caf95de89f4954ffe7

SHA1
eb4534740f0d6143d580bcb275d7d5cd39c5d986

SHA256
eb13c8b1becd7bc8ec79cbf87d9481fe5ef6fc91943045514c6f68f4902bd566

SHA512
7ddbf7ab3f032fdf11b74c8d80b704528eaefd1b03cc5a2222849bfe84f7eb72eaa6d26f679778ef5b447f90d5af63fc0a14d703148c07142664f90545b1584d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\pending_pings\30058169-7ff5-4a32-8d32-fd9706287d61

Filesize
746B

MD5
1c8ceb5d2573097ace2203ed95b195ab

SHA1
cb4f769ac690d03eb32e5ace6a453da1d86fc76a

SHA256
bbcda97e91dc2a17726238a625c5947b77fa4ce3f81682476c47d770953424f8

SHA512
7057984301ae63ccde4deb442e837fadcfc8307868911eb6a89a256fde18d6206a8bbb32b5672487af1aebf4fdc4cbd780a36f5d3eb6b3bad003585da854216f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\pending_pings\75081793-479a-4f54-a6f9-fc45d28d7baf

Filesize
11KB

MD5
23e296fa7abf33ccc059cf36d5d56b49

SHA1
676285e7c965fc5746b25ceafed7060179b9a2d2

SHA256
a39fab4d92547432ee11a2e5e6f1d528ec119625c738d308d0ab6809d4cb0856

SHA512
060170d89f04187128f621e1f338dc5e54c3ac9fdd187f32d28d86994d74177308ae74579d58782b68b10efe1fe0563940cbdb58f9117b72f9ef40814018163e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs-1.js

Filesize
6KB

MD5
f0ed2f7dce6b8ef90a35ee1b2b54b2c8

SHA1
96c94b7b3712618338556b8948bab3e4a203b137

SHA256
7747ae36cc29c30e6323319c86b0e36f4ea9960ef9b5d5f118f3560c7511d811

SHA512
bec7028ac3cf342e67adda6fb350a4bb280e5a3e9608221952d82ebfa254ea8bf971cb4d45e7734b3ec0ffc94e1c9c97fca55b541bcb450162fbe4a0cd50fcb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs-1.js

Filesize
6KB

MD5
f72bd6972bdfab3a968b4ca5f63ddc7e

SHA1
5d05cd3d839f3126dde3a75928f3803da220ee0a

SHA256
02925439b6acc86fa70cc4eb4dfaadfe05696bc3617c798fd5f172d1bbdfa541

SHA512
8ad3eb33b1e42bae5386bbd0c0d004a6be2c3f9461069ac44781161dce366a64f5459d1303bdbb94e0902577907d63b65030a6be5c789ec479a88a9f53319751

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs.js

Filesize
6KB

MD5
a9ab3be003406b89bf6bcf53b1b88931

SHA1
1c70fed55dfd308aac1f628d9553fb0696ea908d

SHA256
a9e7cb5aa419d58bcbe3637915910de1e012af2d78221f28a97d4909f948cf49

SHA512
5377503853b27ca7850097f7d2cf10f2afd4a62964f4081c61f397c4d2e906fe12643fdcf5d17ace26225dbffdfac835d71c9a2a2019e8e51f86216a65626d0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
49f6bd7bb582aad08be89bb670e60391

SHA1
01df672ee8408ae839c8fe93b84d5ae9b5c54a5f

SHA256
e710880eabdd5e528982247e01997b1c80c18082a332e629ea5aa849bdd909d4

SHA512
1e8c66c621f0b23cbbc90dfbc6dae21c24d693d5b44841bf3c4dc24f066c5f03904645ef272a9c416112e7e19083ce4c33f8c73795f198eb07410a80a9139da0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
3c18a4d6b2863ef234b13b912fffbe0a

SHA1
eba4feb5b9101b46e0c7fecde07ea70a1306e918

SHA256
080f8fcb5a4c412b66879a08f3de7e50a4de946b77d0288224a98fed58f5e836

SHA512
fa5a769e4f206c6f22dd138af7b5df9a0c3e33290847a0737923b112228db6621edd7d5bdf8cf8c48a6c679d8443496f4858682caf12cf22edf2572ab9db3c33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
0cfc68fd970f80fda1cd8475b0ecc740

SHA1
66ce32078177fbef6448b0cc5fafb59751a218d1

SHA256
3b40b940ca7142b0e9e021113c5fbd89bc2f062a86d3085a3722bce9feb4fb92

SHA512
22456b68ef5ad81aa71a42c085ade4231cb208166d88686f82bf048039b3e5e29e847c79c1f96b34190ec572db9f309f4b13eed599cb66007b586d0026fa8adf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
f79e42230ab354f46094614b13fecc67

SHA1
29de46e3fc91f661295f0ed6186b5ac736469ac1

SHA256
8fda0ce8d10f8334efd903018297fd30348b535bb0c4c6e2913d9a0445748ac9

SHA512
f6946cc0ea92284ef40d6a7a7503357bac2597f6b9d25505f34e7944116e68d8592d70038a4ecbfd81ec9f754b7f0f633e9f76d85f5a297466ce9eef9e18f86d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
db4405d237f58b3fdf60220f47cfebd6

SHA1
33b7557b6921728081e8ef6b7e90fd0c2c2fe4cc

SHA256
ac4479bb7d18c705fa1b7e06ff9c698011b3a7094bee1f9aef76f97544013b2f

SHA512
e04d239e07a3f3cf4198ea4d0615e5889e250b3b4cb63af332ba50f44a10ca5f9122040ea6ed8f8ed3743b39e2842594a9f57daebfaccb3e225fbaecefbd134d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
a04eb087131ae342c6de5aafdc09f0cf

SHA1
4c73e4ea2e2c0592d53f63a75eaceda66a607189

SHA256
9a8bc3ee1ebd75ddcfdf2f7b8bfbafd38b1e0b8912ebea725785efab85e1a014

SHA512
9f6675b7904d817d2126619ad1df66f26dd36925a7a9d7b42c7c4fb6b99a6fefaca7c0ff39e2a76ec2552c600922dc0b1d5f76e2d43d70776df69bf48edd7d87

Download Submit
C:\Users\Admin\Downloads\LibreOffice_24.rb_9RxZ6.2.1_Win_x86-64.msi.part

Filesize
812KB

MD5
5728a214cbbaeca527409e110b92fe56

SHA1
4f7a9e1e20850bb17d1611009b95ebb0c68d2514

SHA256
8ee412233fc5bdbb61cae37ac8cf8fcf3e23f99cc5d1fb81ccec0441a2a7a8ea

SHA512
dc7f9b1fb48662548f1fb35236f27e43b2f226c5d852cf8432333fe1b22426e7541f94608d3401d7db605b040d5a918ac976904ffef147b354ab6b191572bbb5

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads