hxxps://api[.]getpxlemal[.]com?id=11541916&stepNo=1

Analysis

max time kernel
269s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://api.getpxlemal.com?id=11541916&stepNo=1

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571299437363868"	chrome.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2400	chrome.exe
2400	chrome.exe
1464	chrome.exe
1464	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3524	OpenWith.exe
4348	OpenWith.exe
4108	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2400	chrome.exe
2400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
3572	firefox.exe
3572	firefox.exe
3572	firefox.exe
3572	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
3572	firefox.exe
3572	firefox.exe
3572	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3524	OpenWith.exe
3136	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 4724	2400	chrome.exe	85
PID 2400 wrote to memory of 4724	2400	chrome.exe	85
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 4440	2400	chrome.exe	89
PID 2400 wrote to memory of 3684	2400	chrome.exe	90
PID 2400 wrote to memory of 3684	2400	chrome.exe	90
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91
PID 2400 wrote to memory of 364	2400	chrome.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://api.getpxlemal.com?id=11541916&stepNo=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf5299758,0x7ffdf5299768,0x7ffdf5299778
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1872,i,9332209524312932886,14455733289194677652,131072 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1872,i,9332209524312932886,14455733289194677652,131072 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1872,i,9332209524312932886,14455733289194677652,131072 /prefetch:8
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1872,i,9332209524312932886,14455733289194677652,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1872,i,9332209524312932886,14455733289194677652,131072 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1872,i,9332209524312932886,14455733289194677652,131072 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1872,i,9332209524312932886,14455733289194677652,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1872,i,9332209524312932886,14455733289194677652,131072 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 --field-trial-handle=1872,i,9332209524312932886,14455733289194677652,131072 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2376 --field-trial-handle=1872,i,9332209524312932886,14455733289194677652,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3524
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\download
  2⤵
  PID:1996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:1900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:4692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:4840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4108
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\download"
  2⤵
  PID:984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\download
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3572
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3572.0.1834733526\2080341941" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1868 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fea36b4d-d2dc-4778-ae0c-40b40115ad61} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" 1976 1df935cff58 gpu
      4⤵
      PID:2524
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3572.1.1664639702\119090882" -parentBuildID 20221007134813 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfe6e01c-c783-4c3f-8dae-2d25de037d0a} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" 2400 1df934fa258 socket
      4⤵
      PID:852
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3572.2.1246720052\515203999" -childID 1 -isForBrowser -prefsHandle 3712 -prefMapHandle 3508 -prefsLen 21603 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e666137f-ef3d-4837-ba29-26262f836a8e} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" 3008 1df97738658 tab
      4⤵
      PID:3680
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3572.3.279774566\318527804" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3468 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a17409c-b27c-489c-95b5-fb11fcc23f59} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" 1692 1df9612aa58 tab
      4⤵
      PID:968
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3572.4.1162432032\150808573" -childID 3 -isForBrowser -prefsHandle 4988 -prefMapHandle 4960 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {696b77f6-51cd-48b8-a414-2c3103070731} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" 4996 1df97c71058 tab
      4⤵
      PID:3992
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3572.5.123658922\1857473829" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c4c0c10-cec8-4818-8fd8-fe1b99d119d4} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" 5016 1df998b9e58 tab
      4⤵
      PID:4328
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3572.6.2061810398\1317361556" -childID 5 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f1d4e16-d549-4fbd-a975-228a3c718a6f} 3572 "\\.\pipe\gecko-crash-server-pipe.3572" 5288 1df998ba158 tab
      4⤵
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
871B

MD5
fa2b5a4f6bdebce2cad1797a7a816302

SHA1
2a65205afee53d8c8b8c554e90ce03e31ed37b14

SHA256
4bdedd0c98c3c576e18046677450c767e5b283eac881f23d95e0d94e38a8d49a

SHA512
25d9624590b8d9df59043177abf7868b70118544bc83ba4436b16cc171ba9384f310377eecde71d1fbe2caf220ac29ed94790041c0078d9be62f0d296f106239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
42fa3fe3677ae846802aef80dc23e3be

SHA1
36f3697901855bb062354796999c784419cac859

SHA256
e515d348d0504d57dc5072df45de12a4a53daf00800f6f5938d603cc2788be25

SHA512
30e5601c175719ffaccc67a3064ba47e040010bcec9e1850ace019180de1faf8e9a594c37ec40a4795e84ca6bca3e27516f6b12a2107bbd65a3a875b97aeb703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1dc7fd072e8a1c941f2f3da82a1ead58

SHA1
eb54b614cdeca022259636cfe7f8f814f8d51bb7

SHA256
294a9c0a6c3f7379f95f7954a3d4a9d64c6381a4e9a7b7d938209da93a7ff1e8

SHA512
e0d18b39e49d9a8defbdd041971eb53ee34643bdd46e922393498f2a518ce0a6fed276074f1f35105ad6e9651d07e9f30713f5be9a1dcd9ad0e3d8974d0b2d1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b6f7b1f8b386254bcae6dc79e82a8b74

SHA1
4d39529a7a0831bcee9835cb0d4ccd8018e776ef

SHA256
d88c19a7930f11ba98fef0e844947fe2f847b1a216c2acde71ed881892728737

SHA512
cd9adecb4c3655e3de20609549735991278c29aad13b39a9388f5bb30ac26492d9e3c1a7478d4d707c27d0dbcdb9ac83e33c6bba76c9539da37bcc6ea3b405cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
98eafdfa39ae2fec82cc53f141d42117

SHA1
0656b72cbc49d82b594028ab342ecc6376bba865

SHA256
1d17867cd1e9762730511c6c1207caa50ee3aa0af188a5991a8200dfea2b56fd

SHA512
e3e12523717d069baa389be759f0f1466f72d562c3bdeb987b52ff808abac59ef9536340e10bc5ac77d61fd02cfd52fab904639a7c4905f4a9988fde217c2e69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
5d82d298f156bec90e3a0891516a32a0

SHA1
f1592624c31952d339343b4a81317bca3ed4325f

SHA256
dc6ac1ea292b998e342ed0c44f1433b38edf08327188ad32f1543b31c64f312c

SHA512
6dd4609161c0b725dd7c17fad4df6c776a6ca838259cff50ec3bf21478eaa128ea3ad389256fc26f25d20ffd58adf9309d820ac63d94e4a2f4559e1cb613f3a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe591081.TMP

Filesize
103KB

MD5
71ffa2a7bdfb2a32c9c1320253b55968

SHA1
12f9bd90e5658d85ca08b02ea5af481376d71a21

SHA256
00f8de70f8b5995ab22943238c26d1014d484a4ac57626294ff8d457ac96ae1d

SHA512
cd74d87fdcf5b54cf6cbf8446a9f4c70684b8136ec90d10ee5f1cfa43333b7838b63ef13944c62284f75d073226ed4bb99f4a923839a136d4206554ac5a7558d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
74b9e4c2dca403ab1276f8a837b4e00a

SHA1
0b97e329cc2096e3f97b6a9ba60ba4cd45e503ee

SHA256
46a5eb669049de4bf7d73d481f144bb1bd4fbdbf662eebe9864272f012b79c36

SHA512
055733fa4806ad0a7b2824b1465dd69dbfbb40b3ae9b90be0316f91d37a797461f19ce8d4de4550e9eab3075de11f80ea193ee400da455d010543d7ef943954b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\pending_pings\8cdac300-e03c-4f16-ace0-49ef9482d409

Filesize
746B

MD5
9b69a4e44dd26079cc03d09845bc9b8c

SHA1
879cdfe6351e55a92294ead13dd8ec2d7cf0b30b

SHA256
81b9f26aa0bf1d1afb029abd261fa763d675eca375ec9ad4af78600047a82956

SHA512
56689ad36a23183fc6d1b50e32f74c1d7c2dc8e0dc9358d887918a9af6aa8b86d2f85cc0cc33fa8a2762e7443d672ba400329180303eb7fa47eb5caee4bad385

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\pending_pings\fb110248-3b4d-4fae-b25d-ad6684d6f9b6

Filesize
11KB

MD5
748ddda004e4d977e53a1e2e86b4523f

SHA1
8ba34b5a7d1163d5a026aff9d79a7ff6608e4f33

SHA256
1f0489fa0a05076aa1694ddd4de12ea0406edb4361db69db653c49808d4e337f

SHA512
22f8951fd03d145f86f4c005708a85742bc0cf5982b1fda4255b004b2270a092d3fbc6d71917ac180b2e91e1e1397aaa44cf1bde4a44ce02aaae49fc000c16cd

Download Submit
C:\Users\Admin\Downloads\download

Filesize
95B

MD5
71a50dbba44c78128b221b7df7bb51f1

SHA1
0ec63b140374ba704a58fa0c743cb357683313dd

SHA256
3eb10792d1f0c7e07e7248273540f1952d9a5a2996f4b5df70ab026cd9f05517

SHA512
6ad523f5b65487369d305613366b9f68dcdeee225291766e3b25faf45439ca069f614030c08ca54c714fdbf7a944fac489b1515a8bf9e0d3191e1bcbbfe6a9df

Download Submit