6dc7452115f902969b8a3fa2a25b9e1e52c9b2e6913b001b1839ca16e2c981fd

Analysis

max time kernel
840s
max time network
830s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-04-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chaos V3/Anti-Crash (Anti-Crash method by 13ooeo).exe
Size

6KB
MD5

9e3727584d3c3d3f8071728378228118
SHA1

c366d3017e3d71d49e5ad596be88ee7b9d183ae7
SHA256

9731907ed2aa2c4ecd242edf582177cd87fde744ab4391675cc0b3d5d2d5df1e
SHA512

7ae42a8aafcdb9df7a695da52557a4c132c68a97039701ab3516d6c7a4cd859a798b1ef4651879d8ada926841a4412a7e81ebec9b5009d585b4c990ae1527982
SSDEEP

96:TFD8b1fph/kCo+AmdxirN1yR6PKYcD1UseL4VPNolhLzNt:ifphMCodmTirn46PKEL4VPNOhN

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

Processes:

firefox.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Anti-Crash (Anti-Crash method by 13ooeo).exe

pid	process
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
5032	Anti-Crash (Anti-Crash method by 13ooeo).exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

10160 OpenWith.exe

pid	process
10160	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

Anti-Crash (Anti-Crash method by 13ooeo).exefirefox.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	5032	Anti-Crash (Anti-Crash method by 13ooeo).exe
Token: SeDebugPrivilege	4380	firefox.exe
Token: SeDebugPrivilege	4380	firefox.exe
Token: SeDebugPrivilege	4380	firefox.exe
Token: SeDebugPrivilege	4380	firefox.exe
Token: SeDebugPrivilege	4380	firefox.exe
Token: SeDebugPrivilege	4380	firefox.exe
Token: SeDebugPrivilege	9008	taskmgr.exe
Token: SeSystemProfilePrivilege	9008	taskmgr.exe
Token: SeCreateGlobalPrivilege	9008	taskmgr.exe
Token: 33	9008	taskmgr.exe
Token: SeIncBasePriorityPrivilege	9008	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
4380	firefox.exe
4380	firefox.exe
4380	firefox.exe
4380	firefox.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
4380	firefox.exe
4380	firefox.exe
4380	firefox.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe
9008	taskmgr.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

firefox.exeOpenWith.exe

pid	process
4380	firefox.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe
10160	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 3284 wrote to memory of 4380	3284	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1256	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1256	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 1548	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 2956	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 2956	4380	firefox.exe	firefox.exe
PID 4380 wrote to memory of 2956	4380	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Chaos V3\Anti-Crash (Anti-Crash method by 13ooeo).exe
"C:\Users\Admin\AppData\Local\Temp\Chaos V3\Anti-Crash (Anti-Crash method by 13ooeo).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.0.929580050\1057551842" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f068639-ad66-4faa-802c-e94b7bfdcc87} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 1764 24a4f804158 gpu
3⤵
PID:1256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.1.584292068\644520793" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4598bc25-4c62-4ef5-906d-a465e35487f7} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 2120 24a43572858 socket
3⤵
PID:1548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.2.118793768\894704301" -childID 1 -isForBrowser -prefsHandle 2664 -prefMapHandle 2896 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7411f39-4811-4603-9dfc-1b017a32015d} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 2820 24a52697e58 tab
3⤵
PID:2956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.3.1955257771\746796408" -childID 2 -isForBrowser -prefsHandle 3372 -prefMapHandle 3376 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e61268-761f-4275-a199-6a1bd3ddf066} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 3392 24a43569058 tab
3⤵
PID:4396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.4.612855146\1618000397" -childID 3 -isForBrowser -prefsHandle 4180 -prefMapHandle 4176 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26867a66-81d9-4cf8-a2d3-05fab39bde3f} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 4192 24a5445d558 tab
3⤵
PID:2512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.5.1802553980\1140369959" -childID 4 -isForBrowser -prefsHandle 4812 -prefMapHandle 4760 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4bec5d3-d112-4512-958d-cae3de9a561b} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 4828 24a547f2858 tab
3⤵
PID:1884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.6.1253411659\1588272182" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4968 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ea8db39-fdd1-4068-b78f-7277e6d50c67} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 4952 24a54be6658 tab
3⤵
PID:1960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4380.7.1471325730\348367575" -childID 6 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6be18337-5959-411b-b174-2ce8f60491d1} 4380 "\\.\pipe\gecko-crash-server-pipe.4380" 5148 24a54be4858 tab
3⤵
PID:1824

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:9008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:9760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:10160

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\4fb9339c-619b-45e2-8cf2-92a123688353\3950266016.pri
2⤵
PID:10912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
Filesize
13KB

MD5
d5f1b4d6fc1e860c13e5c762e4ad82fb

SHA1
59a835a838973727ca9d26f287d87d502440e178

SHA256
aaff32f12d79d70b1130dc0de0165a2c84fa5480828ad2e443b821f2ed08c5bd

SHA512
b8e15422d274a50f468d606772268f504dd15eac154145a78ff006a35275d89048e83987fd9613f59ca3b6e0950dad37d4e066faf38bf80652259ffba8fd16f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
5KB

MD5
8fd556e3f862a9befa332330dd5805a5

SHA1
e045b0b54111caea873175647edd8597b278e213

SHA256
66c95be90ca39d94bf82c4749645c997ec2386a0cfa96b8b47cc9a95151a80bf

SHA512
c6d97b7125a16a8942258da1ce1a1b6d13759184b8002f9e4137d0979d126abfa8801f6b3a963ea18978d7249d8d2766a7e57374b214d9a475663438fb9d3c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\bookmarkbackups\bookmarks-2024-04-25_11_ScpUM-Ibb5LR1l4-7-Og+g==.jsonlz4
Filesize
950B

MD5
708d579bb783ed9e58c4e87173aa5028

SHA1
54dcdeb367c15a06aa620df1559de185668992a5

SHA256
3f7fa0f3a61236b17951ef95bd63347281c40abbbcce937e8fc787d31c8faa28

SHA512
1c7f8b921e5f32d67b1150e24092ab800ca4939993832cc46f43638bdcce380da1e74b44aa2f368a74e5ae29b76ca1e3a20b837517a4f0464b7af53098772e95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\broadcast-listeners.json
Filesize
216B

MD5
51271c502f27e8db2946d496d6702498

SHA1
cb86bf1918944ebc4aef8444a1b33686ededb574

SHA256
3dc2577259a58a7c752fb982b2f25127b476cbea6238db744d3240a79a791ab9

SHA512
0c6b0fe736d103526c38a8bb49f1566691f78f86b60dc536ef99ed0d2f0793a9f7d74bcdc909ff50bdf1ad0ca1f36c6137ffd7151fbd8cf0e9768baf62b4fbff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
b4d3b3c6f2958e0389bbef53b052ad0c

SHA1
8982bfafa05cb5e1fd44a344b62af81ce023f3b1

SHA256
4788041b443a6cd68a7ca263cb5e6f68e7f081dab2e5f034dfdc472d234cc55a

SHA512
7d704fa07c2c4b8de29917e0e54d7cf226a630a2663b1b90ee56a49ad155bec339843c7192d469135aa93b81b385ba24cbea9fce110500266c9cb7f62843dd4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\8b57f426-215e-48b8-856d-4a1411a315b8
Filesize
746B

MD5
c225e05e83fd7106f8cf7704764b5a4a

SHA1
f1f5dc6d2d9c6dcd63f8f1d7b12f6e9317417c00

SHA256
1afca92f3c03c99d600b9c9d457d257bef7b262b7cf8251412ea6f6e03d6e5b5

SHA512
4c889535a40a95b6c54ee5e30381530e37f4db3cfc7311c60c3e3b061364308be3e2fc4fc3a1a387e256f43f8f6eebc6a1743f3ff4e4f7dda1a016edfcc4c900

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\dbb254f0-b86c-47af-8ab2-91ce3d33bba6
Filesize
9KB

MD5
9463017458cc03cf0868e1a11838664c

SHA1
4894b162cfa3979cf45da4379db08957f5ea5e58

SHA256
7545ebb35649dbf1aac322aa31da24f36c76bc9086cdd79c11360052065279ba

SHA512
a387c00139274ed8700a07c01823591c79100b0eca4ad030419c3bbb66102aeac51569fcdbde5807b59e1d3df1ad74abe9c1b3b8c0b5902cec5fef8ed6efeacb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\extensions.json.tmp
Filesize
34KB

MD5
f94c10d1870509e3cc14ce6580d3f0a3

SHA1
a97270c9dabe132fd5e5c07c548178d77a4c360c

SHA256
14b226590dc43d2b6687dc8dd45a966aee381d90bf5dca1bfb79988f1fa23fb6

SHA512
e252cb161c013846bdf0c0651501b2a383d8c39d0dc10c0051cd69aa18afae5318f5d0c4a37fef0ecf956d8edf97e2ca6b0f07528fce6a8db70e281f5d840860

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
Filesize
9KB

MD5
407e13fa00771e98c6750dba4e2757ff

SHA1
3adbfa4f770f486758ddaf4e54adc4419ede6eab

SHA256
32b45614626a7206206ed8badcf404a703bed113de996487845629549532f890

SHA512
1966b17073db3374a0ffa68b07b37917df65baa23625a9dee772e5851366bcf5009f7f059d7a1315c7e57bb32d5b2f2bb2465adf3f07dd420eeeb8b4acc95419

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
Filesize
10KB

MD5
5afad5c0d455c332118ca9a6c5456462

SHA1
9584dd76555d11f8b89ea0271deea0961dd3dde9

SHA256
52541dd18d0f9000c1e4eb3f96774659c9e98fd9476ec44049fc7126fecb44d9

SHA512
3d43cb090eb8facc059ffb760a8440611b4e23f027fa93b44733ec36a418305cf9aff0c5700ae4a5b37648e8c376b2f2c01f40382d3f18aebe8178c874e810aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
Filesize
7KB

MD5
b1b6e116bb9dc472bdef43c733c4c546

SHA1
9db752a52ab095c9e7e7a92b9c07f3edb6e2996f

SHA256
5dbfb1e7f88db1c9859f0f46b1a59f385b009bcdc4adc7c436862eba83cd19ef

SHA512
0259013de1c080222793d8413abf5dcc19c5c9ffa3f6a3b30fb20b1de8a99fa87d39a745e76847e3d6a471d12b45a9c790e4198a7850c98cdca2639a7fbb65d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js
Filesize
10KB

MD5
d9b26e4a84e82c5aab65e2d4d3b67c04

SHA1
a05325efda826c95a544d5c0c5ed371b4bc67dcb

SHA256
f22a1c0b24a10414bc3bb3bbbf92e3db8d5ead82696def9451ed058910beecfd

SHA512
d3972e5801949a6921b47bc39415c98445afff71e2aaed1e474d1a5f565e36a0aa6b7f13411b4e8a377971969b043066659ad92838afe26993350cf6c443a0af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js
Filesize
9KB

MD5
dab251787997e5a9fbaac946df0d577f

SHA1
9dafb0899f7965571f4c229b4a634976288001ff

SHA256
c10a0592059c613189e6b1bc54116eab4bce06e1ca565ba7e33ecc58664c79e6

SHA512
0384d8a70a795d3cbb5b6fc6718133c77003ea91e7b497846d6a3ed6d81dfeb388170f5c0902856e473d9d6c2da2b14be19b4273070a58210c149c5523cf5163

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json
Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
397b287379286881c9952c0613cea582

SHA1
f0e70461540ae4aa41686387abcd38aa5fa79514

SHA256
6e87bf62162382714fb706e057f017f04a8f5792e609bc5e079b554d19d76103

SHA512
2e16cf7e47f67283ce9a60d8ea4176d2101a7474001de49f791c9ce25d05b4c90143a763e9f0fe12381d50c700450084d247c8d91cdec5e8a4a832e0060afdb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
7.7MB

MD5
decd1b3c4617261a383bf282acbd45cc

SHA1
85aaaa2b40684a114779765badb5528108b740ee

SHA256
a9d9aed6d2ccc976bf1e3e97d3f164402ad1bbebf9cfe46b80170044f89b20a8

SHA512
f65099992476244863340cc64b7f8009a0b6d8225b79f5325c13fa29e293554a6090b8fb9bdedea59bb709fdc7e973a94eb57f60b5b799ebea6d49cff3f85db4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\targeting.snapshot.json
Filesize
3KB

MD5
ac366941c1231dc4f009e2c97f81bc47

SHA1
5fb5d6a128bf286c425bd32d5be5434777d79dce

SHA256
1ed87e5310c4c6062e8b024e6a77bf365b57c69cdf44ba31d7646ac168f72999

SHA512
a092e0210e8a61313bffa948086346008269f9e22437b28bd549adb464437b003fdbf78a7c9ad49f496e18c28a35f06ebe3ad449218abddc2980faff10697643

Download Submit
memory/5032-0-0x000001A9AEBC0000-0x000001A9AEBC6000-memory.dmp

Filesize
24KB

Download
memory/5032-77-0x00007FFCCBCE0000-0x00007FFCCC6CC000-memory.dmp

Filesize
9.9MB

Download
memory/5032-1-0x00007FFCCBCE0000-0x00007FFCCC6CC000-memory.dmp

Filesize
9.9MB

Download
memory/5032-4209-0x00007FFCCBCE0000-0x00007FFCCC6CC000-memory.dmp

Filesize
9.9MB

Download