hxxps://www[.]fbi[.]bet

Analysis

max time kernel
124s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.fbi.bet

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587661849693687"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "42"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2876	chrome.exe
2876	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2204	firefox.exe
5860	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 4468	2876	chrome.exe	83
PID 2876 wrote to memory of 4468	2876	chrome.exe	83
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 3520	2876	chrome.exe	84
PID 2876 wrote to memory of 4808	2876	chrome.exe	85
PID 2876 wrote to memory of 4808	2876	chrome.exe	85
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86
PID 2876 wrote to memory of 5016	2876	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.fbi.bet
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd8ea7cc40,0x7ffd8ea7cc4c,0x7ffd8ea7cc58
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4620,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5012,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4892,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4984,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3368,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5136,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5196,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3156,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5720,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3176,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5580,i,4964515687191403232,10124142189905272412,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1152

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4988

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:1172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4672
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dd1c663-801f-4e72-81e1-813bd575955a} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" gpu
    3⤵
    PID:4188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2408 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82e41178-253c-4950-ab6d-23e8ef0b9bd7} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" socket
    3⤵
    - Checks processor information in registry
    PID:1068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3144 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {528ced1a-5ba0-4af2-ad6c-2f30f01d5a1d} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
    3⤵
    PID:1920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4260 -childID 2 -isForBrowser -prefsHandle 4252 -prefMapHandle 4248 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce53227a-50f2-4c12-b406-8d31165d3e0a} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
    3⤵
    PID:2508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4808 -prefMapHandle 4784 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3980f323-58c8-40d5-bfdd-5218cd9e1151} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" utility
    3⤵
    - Checks processor information in registry
    PID:4092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5240 -childID 3 -isForBrowser -prefsHandle 5180 -prefMapHandle 5236 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f01cd07-8b3c-4996-a05e-2030ab87b307} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
    3⤵
    PID:5576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5448 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99f2f694-e9e3-4202-bf7a-0ec82bdef027} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
    3⤵
    PID:5588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 5 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e11cd4f2-37e9-43b8-ac0b-1b444e804733} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
    3⤵
    PID:5600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6016 -childID 6 -isForBrowser -prefsHandle 6012 -prefMapHandle 6008 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afa5d4dc-2e9b-4b05-88f8-4338e11a87db} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
    3⤵
    PID:6112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3977055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
893d1e8f953d49411a6df5855d955d76

SHA1
960baeb0185ab4e6e40aa44f1972a59e426ae28a

SHA256
9c63930feb2cc64429ed6dbf2180bec81e94bb171470b21844fe54322722bb44

SHA512
1b10bb8378aa1d5beea481a592d7f8bb9e589fc6509a13ccde2754c742b50c0cd07876bfe67296703afba13b585a0bb0a7560746afde70662eb2b91973b30d3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
144cb5341af2e4951ae954dd0e717967

SHA1
5652d28459d9343ed68b7e5ae3d5475a421b9c1d

SHA256
e2a103456475ff00ba83a6c4f38402515de39551a03e837a7f40452ec08e4ed7

SHA512
8a844c7c2c69936815a5b6dd30d0611a875f42bf35fb8476c2d8f0fa07c8353de37cb7573321fe5cbef7ff549b6235f9dfdf6498b96a93dbfe65654d4ef758ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d3dd7ae1a3857530c150249234438d0a

SHA1
152128ae6a0fa6e67b009e684f3049bffa9fdcf9

SHA256
9e365f63cc51b5615b4da331fa64cd5d8771d0569d86578ab18d74d8f62ff3ef

SHA512
4390c1e8db1ecb216dcadf5b5f30209074af8fb89d347726a6457a49ecc4e70ff9bceb58c89c8ceef3d62387caf4d39acb2538e8fd8ba20845d64fad2f2825af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
02a8bb04cf19922deb311cf0928b3f32

SHA1
8ae721bc1c77d1bd26be3f46f4f0dce9dc37ce19

SHA256
64d9cd77c5dd97495ef4d40ae1d2a296a41dac925ff10e2b8ba1377064b18318

SHA512
5fe47b48c5ba44c543671532e75f132a2376ea80415e5100e59fe33f54a28302859c08f176bdc6f0c8135331637675fcd7c8f3d572c40b8d5a1c1812791c9188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ce9b54cbd363582781f4d4fad27ec9b2

SHA1
7167c17105ed21f7c5cd80c9bb5e928c98e868a2

SHA256
0fde8109aadfef2b62042f5ffc1c41f404125a00ecc9576859b6b9421ed407c2

SHA512
208d073a4a8520a68e6932ea7f4c69190a8f331963ad9c5514185c49ed26945713e3ebe75691b102a8e6edee6a0a725627c6fb9284b23d8401c213694d314c30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0ec13f9f7b4c0bd74ead44b75cf6b9b

SHA1
6d4445d2df4f33779549732891139fef86ff2cac

SHA256
dd1f15d6c5fca0e42adf3a516bf10247b6ba10c3dbad4df6bd840b5ee71153af

SHA512
670b0dc711d0ee84d84cdddf6482b56fd532293ee49f9ac3f93ceac3723510ee78ee524cef899193e81395a35b04ec438cbee5ca317e125061ec93b418e277a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
04f069f880297a02e27b8e16fbec4ee7

SHA1
8ab9c5882ca07cfa415ac28d485e6aa6e8fd0773

SHA256
1767c15de8735a137e834ab34ace46f2ec7a6ebd8f8e39f6e7dd46b597d73c33

SHA512
251ef8434ee42a96c5b5d5a3f94d955eb0d02c6f2c5f468c716a4d1fa88baca942922231a1ce3a55a660d4ec135f0056ba1ce69fe2d94b3f7144cdc9d9d1edab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
88e07e0043c450e93420271229073842

SHA1
d88949687f4973b49773dc4dff9367211524e639

SHA256
8b55b34d7c362b5b45186bcf60891cbf9de1f8103b4bafa9bd719050f5c8f709

SHA512
b861c4c0e7ba1288b9b6e454d8e48a11fc567f9b802c6345211f0b0275773e6a1f47afbf60740ee551114e1244a7b6c307aaa8903430e2b9f969b013359b3ddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
0cb6cfb5da4e51c1d3b78f9c3ef1c8b0

SHA1
e39d870748095396f15c154aa1ef818e6f4d7f23

SHA256
0e52d8506c266148005a112ddecb79aca5e56e454820a3c88fb8a46ad1f6a895

SHA512
0b9d3c20d3ad597b7061ffc9b6bb7af885d6ab678e841b61988f7c085a527d1adceaaef63766962729a1762b891b8e2aceed1c73e3ea9384652c38fe385e5d53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
aaf65863ee61bd05d10f852d459bf833

SHA1
55f1f8dcb3ba782b81e277e50c086b0bdc6201e3

SHA256
63159d709036527e5bc4b36e42cf7d795e57715a221e92afd6f7cdf5f370e7fa

SHA512
f6412d1d32589fd98e84dc68091e1580ca3ad391396fb80ac92b6fe883315e26979cc17da2cb76f0956596f0b6b2a16ed643ab85151cafa03ef10d38925c0897

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
0bf67460d79e2a67afd874c6dbf32f18

SHA1
cebc51f9093def2b599f9fd767a0cd60b55e6c7e

SHA256
12c4f773abc9ea641a825e22853d6166f899d0b11a4ec9f1a41daea0452955eb

SHA512
511fddb51bc6f5373b3aed453c9ec922432b4ed7e378b4f711faa33abebe1029cf98ee396cfcb21f12caa457a3db038b4e7169bf9dbe0ac039b2c4edaf0c270c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f99d9c2dadf930df811704cf1088b31a

SHA1
53d1fcc79748b437a54a90e8ecc415f9f36af815

SHA256
a365362e203ec1a568804f08c59181edf860c933c94c1153b5bec566bb8619d3

SHA512
4aee50411c41286cc8cd4144f8e45725c30525aa139491e32e7211df01122dc465d4e5b429a4fd7453ea1e016b0e70e22035c285a176e647798cb510ea28306f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\activity-stream.discovery_stream.json.tmp

Filesize
20KB

MD5
0eb129599f7de9a1f797852a48850919

SHA1
36283624618c93d78651d20e2da758f59ee88aa8

SHA256
82c9d6476325594fbcce61c764f44cecf1ad0fdbf54d38953eea85b5f995340e

SHA512
4c6851fb23096e169474af0ce73630925e1a1df609e91490314a8f09e040d601b7339d380a003930fd11c8520f35a17cb8a5dd0df9ad77fa84844d24b9f86269

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
980b0a8a328b432cc68807697a402a23

SHA1
ac62dd7d15fa8c5f45e19e6b2ea6b8c93851ed48

SHA256
43fd56652417536072b0a5691d8d60e08bec70f8091b274f6da99680904ad514

SHA512
78b43e3e6d87cdd088d117a45b7ef0602ff2040ddd4d79ec88345a414ad15731dbe8b5e4dd2d3135771fce3a720999936058cbb14210eae3ebcacdd0920ad3d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\18845a52-60d0-4c46-a9a9-46e8c21ec199

Filesize
982B

MD5
68f574f9851129e17c546692f01ddcb7

SHA1
e81d73e9f78261861521d26a511c2f85b97963be

SHA256
b41d343bd51d893e6ac4ff8f9a213a2ce55e09721ef1d9cd04e0789346ef4923

SHA512
e35c5b61092f5a95c0319a0a8ddba6f2a812927edaed25ebb530b5e700153dade92f91713994a8a9babadf15d02812747edf93898766aa10a6b964aabd850622

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\70d04f6e-f5c7-49c8-89d8-7040ae0bb56d

Filesize
26KB

MD5
25644464b501986ac5c99646ea298d42

SHA1
db1ae0b36df8817c5dbdc9f9715077db8459c7b3

SHA256
2dbb4c40bb550a20b6e6320a22cd7a00e2dc2a4f7b16c7b74c189c716f73a461

SHA512
39ac68c5057eba7b4a28dd0f78587c4fd584e3bc5ec510821baa5cf367d974be2c1e6323d340c1e02bd1030b618c6e6d060c4b16b40eb9f06a3e7c850e7b509c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\8e590f6c-59c9-48f7-a6eb-274d00ba57d8

Filesize
671B

MD5
59ecceca5de74b8cb229ae66dcca9794

SHA1
f19c252eabaf4b208d1e11e0699c5b4d265d881c

SHA256
4dea74c4638a8e02e8e4839bd1815167e7430efb377ada158cfcfbb219d725dd

SHA512
e84a67516255de1d6be0f27b923b812d91fc427dee8cf0d250c4ecd8b3e8f4e7d75577c915198d0431175e8e42da8506b64f8439f34ba144b7ae7e162b5b6260

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs-1.js

Filesize
8KB

MD5
ad3153d41bbe28369d3c77b1de962f33

SHA1
3d786a5fc63666f16675ef4c1a8fd4202d3f225b

SHA256
15c66a8d46e300ada6f65dbe11c662b1da68e634780b9cc7bf07f2ddf774046a

SHA512
6bd0a07e2dbb09b0060456d25d846d83a1b6a32a4dccff9f301de828a0b2d5c6de76d6cfa70ac652d3e2efd6b978bc7a77d52dd6c1b1a4d0c711ef367c9155ef

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads