b2949819e839b39bee345ecbe32b86027ccfa37b453e206273f2d864d44c6114

Analysis

max time kernel
377s
max time network
373s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17/04/2024, 13:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ShibaGT_Gold_Lite_v1.dll
Size

2.5MB
MD5

abde02f852d21be64f0accc8c969e115
SHA1

03226be3d6da163e1ebe9c86a5af730cd7ebc5ae
SHA256

b2949819e839b39bee345ecbe32b86027ccfa37b453e206273f2d864d44c6114
SHA512

3e6601e859acc4c3d3b5e4bd38b5a77844d02cf501c4cc6eca15a3b3f8b5f60714a655e67fd1e46ddd78dc77a27b5fcc3d09ec52d3dfda815471843f736b2ef8
SSDEEP

24576:YQm/6BdLyPzrcBtYewrKMAueyE5kZIZkZ:6kdFoe8IZkZ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C7F94C50-FCBC-11EE-8A80-EA18EDFEA9E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2623801297"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000057d4c4d27ce63b43a1a44abcad2f983100000000020000000000106600000001000020000000452722916b04081508e695ae9fba242ee28dfb67e68a89b8c914d1e0aaeca51f000000000e800000000200002000000025828f59989b764f9e1cb7f56f859d6fe1ac9373385c8b80395832c8b03f1424200000009b96bd07d07b1915d4bb4411bddc216ce41360abfc05ffb2a612bafa9d1c64f94000000019d1122293413f84c18b374f7efde376e6d95144fec7be8bb7c8b1c3bdb8536c442f99073d1b0ab93f1cfdd99fb760c58a3a615e7c559e222b928505fa277446	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000057d4c4d27ce63b43a1a44abcad2f983100000000020000000000106600000001000020000000b6545a954df9475dbc943e6f4b5b807e10d59da80b3b3006db4ba465b53f80ce000000000e8000000002000020000000491304f0957f8c805bac4dcf48bc664233c57f212aa1b5bef87fd9d2d39e2b2120000000a921e2085aaa6336299c1011e05803e24881760dbf528406de31537b6359a99f400000006f92157998fd2429dfc0e15efdb7fd9b9ebb37b9e57425eceedc9ddc28c25c38cae700b706fe760a216d06373a497d9e72d19ea75394c01022ea4de0dd35c11e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff88000000080000000e0500006d020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101129"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2623801297"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101129"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20f0bea9c990da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a6bca9c990da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	508	firefox.exe
Token: SeDebugPrivilege	508	firefox.exe
Token: 33	1260	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1260	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
4752	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
4752	iexplore.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe
508	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4752	iexplore.exe
4752	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
508	firefox.exe
1368	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 2652	4752	iexplore.exe	77
PID 4752 wrote to memory of 2652	4752	iexplore.exe	77
PID 4752 wrote to memory of 2652	4752	iexplore.exe	77
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 3416 wrote to memory of 508	3416	firefox.exe	80
PID 508 wrote to memory of 3112	508	firefox.exe	81
PID 508 wrote to memory of 3112	508	firefox.exe	81
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82
PID 508 wrote to memory of 1396	508	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ShibaGT_Gold_Lite_v1.dll,#1
1⤵
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\InvokeSplit.bat" "
1⤵
PID:2300

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4752 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.0.888551219\1744094247" -parentBuildID 20221007134813 -prefsHandle 1644 -prefMapHandle 1636 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c77fb7c0-82ce-494f-a52d-309046a8d95c} 508 "\\.\pipe\gecko-crash-server-pipe.508" 1724 27b949d9758 gpu
    3⤵
    PID:3112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.1.46954557\110231872" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83602f2b-ba90-4325-b242-54e6623da6a1} 508 "\\.\pipe\gecko-crash-server-pipe.508" 2104 27b8a371658 socket
    3⤵
    - Checks processor information in registry
    PID:1396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.2.1252548920\1055407756" -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 3196 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09da7251-c626-476d-b00b-771a01655514} 508 "\\.\pipe\gecko-crash-server-pipe.508" 3212 27b98e92958 tab
    3⤵
    PID:2328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.3.1044269809\1967420920" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3572 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1415368f-197c-4fa3-863e-990ab2a5b4ec} 508 "\\.\pipe\gecko-crash-server-pipe.508" 3580 27b8a362258 tab
    3⤵
    PID:2116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.4.1764107538\2040531417" -childID 3 -isForBrowser -prefsHandle 4156 -prefMapHandle 4152 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13e42424-0acd-44cf-941f-58763ad12d71} 508 "\\.\pipe\gecko-crash-server-pipe.508" 4008 27b9a19a358 tab
    3⤵
    PID:3796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.5.918863472\385468801" -childID 4 -isForBrowser -prefsHandle 4856 -prefMapHandle 4848 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76e98043-ec78-41f8-ae30-c5cd88446df1} 508 "\\.\pipe\gecko-crash-server-pipe.508" 4868 27b9a85f258 tab
    3⤵
    PID:3988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.6.1442110439\1396346935" -childID 5 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a842dd68-2598-43ce-9823-0a17dd1da044} 508 "\\.\pipe\gecko-crash-server-pipe.508" 4992 27b9a85f858 tab
    3⤵
    PID:4568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.7.1759931417\2133009205" -childID 6 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de3a985a-e8b6-4cd4-8704-73621cc24f1a} 508 "\\.\pipe\gecko-crash-server-pipe.508" 5152 27b9a860a58 tab
    3⤵
    PID:4508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.8.1787150746\373984601" -childID 7 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b110d94d-22ac-433b-bd5e-efc74fdf6c67} 508 "\\.\pipe\gecko-crash-server-pipe.508" 5620 27b9cbb7758 tab
    3⤵
    PID:4128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.9.1010955680\1798972151" -parentBuildID 20221007134813 -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37b108ca-e6a7-41a6-a666-114d3e1388bf} 508 "\\.\pipe\gecko-crash-server-pipe.508" 5848 27b9d12d758 rdd
    3⤵
    PID:3920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="508.10.1126530477\128116608" -childID 8 -isForBrowser -prefsHandle 6080 -prefMapHandle 6076 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03133ee1-fae6-4e75-b508-0ad35a40ed6a} 508 "\\.\pipe\gecko-crash-server-pipe.508" 6088 27b9d31fd58 tab
    3⤵
    PID:2652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af4055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\18516

Filesize
16KB

MD5
73890d71edc7f58cb3514bfa74a534d8

SHA1
6567e1aa0acb934e477d677aa04b1207b107f63b

SHA256
f2b59cc22047062e7436c34d2167103b554784534136a5499fe281782378660e

SHA512
0c691a77f9c748dab0c57d6f23c32d4568b1e76c800aa2ab8a67143d89930fc01b554a94f5cd3deadee5ea5d74494ba4f8f08f52c7137eba5c3e28db56f58956

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\29033

Filesize
15KB

MD5
88db5f29f55acbdff85aec2365e056e9

SHA1
93d50225afd935aad85e12985006d70ac4d3e0ae

SHA256
3d73e587aa2f4ea7d8fbdbde08c05ff4206c1c487f1c39b60d7d7a61d015946d

SHA512
795f384c6a473de1601e2a3f46f929805fab4e85a5d839d39d4f96e8b4dab0b935612f95ed136a23171bac1da244752a421b7a27e3eef252ed36c81fce5cbe76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
1fb17aa7a13369dc6fc8fb946cd6d057

SHA1
456e744a53878df1f62f4edf23ab8d42768b64f8

SHA256
5f176a333bfaff56661889c31da52e3baa70bc21515f068cbd3d2024f9e71f09

SHA512
a1b3be9bbf9655c8baf360f9d354a8a929c9dccb0cd81afe76b0174e4ce7a775fee4f2079182b1dc9e8cfda212e917daa43af7cf9e0a2b50da2c53cf84545b07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\83810d86-bace-4424-9cec-2a54527ffea1

Filesize
10KB

MD5
16389d0db81450b3f2f84da162ab14fe

SHA1
960abfc980bbab84939b30770c855f359fe10994

SHA256
16d448db756a495aa809f93b7d0f5a5962fe0c2263c3a7f785251ebad80e5170

SHA512
e255990503ffa567b77ea170a2e0b75361c13a2c7d28c6bfd1f82a738b833b296ee79bba007b64c962ee779a935cf756110381a2616c581c5c01c6afdbd2a93c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\d5c9a2e0-f8d5-430e-9808-f69c70040284

Filesize
746B

MD5
405a23ba85fa5ab82f1bb52d75367498

SHA1
16c810a9a05e9cad8a92d90609a37727096fa3e3

SHA256
bd4d78d500c9209f1784ff590363ef0539fc142c9e6d4cea7f89c4e606dc16a3

SHA512
38ad09d3a885ca321eeb2f084a020be8775cdd20b2b3b9aab573d8c436b5b844a6c023c5818ceffdddc95c541d8baba9631544b7a2e57bb9b0828d568b5743c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
56f602096ae14d782ada0d8035e84aa8

SHA1
6971ae6289a52ae2c2a815375a9a294c1ffedf0c

SHA256
a36d21f77b1b973efbfa280ff086e3bdba0b51cd47fae70dc22ea6778af76774

SHA512
c2108c718aa74733c141278e74d8af979805d9f695d8b4fa8e839ffc45c11073976f3c69fb2cc9470c693637af777e16e9f664c17e86e304f897ee9d6f827e48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
69378c2f303d7be83a5ca7cb69d528ff

SHA1
45774f223852966f309e6f0d1b721a655415ff1b

SHA256
9d1e83d7eff98520d4d62b7a115d6adafbe2a15b1f298107c042d492d0a262aa

SHA512
48013e42528af0c5a62895b9134fef4f568c0ea7e7b46e89e4096f7a7ffcf7b89a58d990342f3a87567525788e0c45918da2d20c79124038bbeba0249232e32d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
c41b8a441c1fb27a18de548287a7dde8

SHA1
58ec6315a7c3c5eecdea8f901e589707c3ef2056

SHA256
344925fa540f00fbc7e35ea8fa19340d7be9e950b16607e74a249db60d650adc

SHA512
c6a09fb6927aa11fa29b5bba3f9c805033c442346efcf899dc10232c98cec61427b2e47136b0e9da2a69bc06c785258fa5baf4a2c1cb4412ccb2f6b765a83010

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
9541398af272fe69b96513947459b0f5

SHA1
f7f32ebad1e77b48a8049d5bd3ed45f31d78b56f

SHA256
d6879bc876792203004cfaf02a4ac50d9443c0871c7e2733b8dce4c753722f77

SHA512
853b87f27523af000bdff05d989c452de721612f81eaf3a31e560fcbfad69501e73ef59279ff1c9b2014bcac3c8fffb21d637db92d6982c06459141a30adb378

Download Submit