hxxps://nitter[.]net/pancak3lullz/status/1788576614051135669/photo/1

Analysis

max time kernel
235s
max time network
280s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nitter.net/pancak3lullz/status/1788576614051135669/photo/1

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133597547087896153"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	control.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
624	chrome.exe
624	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeManageVolumePrivilege	4816	svchost.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
5220	firefox.exe
5220	firefox.exe
5220	firefox.exe
5220	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
5220	firefox.exe
5220	firefox.exe
5220	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
6068	SystemSettingsAdminFlows.exe
5220	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 4900	624	chrome.exe	88
PID 624 wrote to memory of 4900	624	chrome.exe	88
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 3412	624	chrome.exe	92
PID 624 wrote to memory of 4248	624	chrome.exe	93
PID 624 wrote to memory of 4248	624	chrome.exe	93
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94
PID 624 wrote to memory of 4176	624	chrome.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://nitter.net/pancak3lullz/status/1788576614051135669/photo/1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeacddab58,0x7ffeacddab68,0x7ffeacddab78
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:8
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4612 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2236 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2684 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4404 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:1
  2⤵
  PID:1492
- C:\Windows\system32\control.exe
  "C:\Windows\system32\control.exe" /name Microsoft.DateAndTime
  2⤵
  - Modifies registry class
  PID:3824
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl
    3⤵
    PID:5276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1712 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4308 --field-trial-handle=1868,i,18213046453579738261,17239436892222618707,131072 /prefetch:1
  2⤵
  PID:2056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1424,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:8
1⤵
PID:5108

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 1
1⤵
PID:5336

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 1
1⤵
PID:5368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s tzautoupdate
1⤵
PID:5388

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetNTPSync
1⤵
PID:5428

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetNTPSync
1⤵
PID:5452

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetNTPSync
1⤵
PID:5476

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of SetWindowsHookEx
PID:6068

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5144
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5220.0.1156587479\1711163561" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 21998 -prefMapSize 235091 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a13ab605-45c9-44f8-a826-1f573dfacb91} 5220 "\\.\pipe\gecko-crash-server-pipe.5220" 1852 2249b731e58 gpu
    3⤵
    PID:464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5220.1.1813542274\722065222" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22034 -prefMapSize 235091 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2faabd28-ec6b-4464-8be0-b7d135ef4730} 5220 "\\.\pipe\gecko-crash-server-pipe.5220" 2420 2248e98a258 socket
    3⤵
    - Checks processor information in registry
    PID:3460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5220.2.257804660\180707650" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 22072 -prefMapSize 235091 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3eb8f0c7-ef9d-47b4-990b-dcd024ac0658} 5220 "\\.\pipe\gecko-crash-server-pipe.5220" 2764 2249e2f3858 tab
    3⤵
    PID:5516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5220.3.2112003016\2042601589" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be45c2fa-4f7b-449c-8b4d-0a8e1d4f4c7a} 5220 "\\.\pipe\gecko-crash-server-pipe.5220" 3704 224a01c2058 tab
    3⤵
    PID:180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5220.4.706089174\1603945395" -childID 3 -isForBrowser -prefsHandle 5024 -prefMapHandle 5036 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1bff62c-4814-4429-a241-b7ed5ccb8dc0} 5220 "\\.\pipe\gecko-crash-server-pipe.5220" 5060 224a26ca458 tab
    3⤵
    PID:5828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5220.5.1052210382\1959145518" -childID 4 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fff00748-1286-48cf-b49c-b14fc3a9cc87} 5220 "\\.\pipe\gecko-crash-server-pipe.5220" 5148 224a26c9e58 tab
    3⤵
    PID:5656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5220.6.372961327\460004912" -childID 5 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4c0fb57-d120-4a82-8beb-4e35603cb14e} 5220 "\\.\pipe\gecko-crash-server-pipe.5220" 5344 224a26caa58 tab
    3⤵
    PID:5676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5220.7.663112460\309411404" -childID 6 -isForBrowser -prefsHandle 5736 -prefMapHandle 5744 -prefsLen 27697 -prefMapSize 235091 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f566998c-37cf-4211-9626-b48bd0344f7c} 5220 "\\.\pipe\gecko-crash-server-pipe.5220" 5760 224a34e8258 tab
    3⤵
    PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
17db18b3bf32b5aff8dafe6fba60337b

SHA1
824cd9b7e7de3713008e61a0a62fd4a039700885

SHA256
d14f89488025af386fbfe86c408b82ae8af0a5d517e68d28122f86f3ac535950

SHA512
01034600154fb5420ac12ade073e7afb05a08e485b3ed06456903275b0d463f73cf1c22533d351d98c512312e50dcfe60f067241ac3a64ced7e5ef6d90ea55ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
900e2423263755b860db6de1121d5f32

SHA1
5cf65a21bb65dd203e7fec60d3ecdb164fda6178

SHA256
a8bd873266ba14997d174976baeaf73bde92ddc490aba47fe9f5960df3bab83c

SHA512
2ded40e9a387c8a9b3677a35a51865be0caa800a87b186520ddae6fe20974d734b07a32f2d3a6f74ae8231f87069e33e4c39e1995d13728a9dc9da6d04a9c809

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
92ccb422e71b221b0694c70d1113a47c

SHA1
ba3a66cacd89b1a1989f3b864c5658ce48404bd7

SHA256
ec27357a42f9a5c5195085f0de1ed326ebc11c288c3cc3ddae5df9c7fa16c52d

SHA512
a4661e7cca09449ca138b7990be05f1dc7ee73f083428378e3e7a3e08237d7c8394e613ff1d45987634851877e1c956f17acec5a0badd05d803bf7069e4320b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ea5e37217f4946d3567f3eb5ea0c6b3d

SHA1
fe14ee8a08c9edb4ca798007a42fd98ace089bfb

SHA256
28083cf7aca0923ad3ab8d0cae4291f54c42551a1e0d7b67bc0874d1f0e9c680

SHA512
b99a2e110a0a86ad8dc067fb1e5152b7e62cd5ba8aec4290bc06ea06f68308a5446b170a090e5a6cd149f08d48404d18663887fc286bff34e32ca75b25fcea26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
082fdf11a9bcb7bb397c52b415ea0c20

SHA1
bd096d17cfb918c732b2ec1a877feea9efb1b98a

SHA256
011a35497fa85f7ffbd3a456dcbc12aea14601c17ee387404230523a8b168332

SHA512
f3a2047f3bd7fd0c53bd35965cc24e983b9031eda21933ebaacdb30b7319d1e833cbb64a97ab1218f26262f3eeab722196b3b3fa53d0c25a6cbe9171d064a9b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
cdb1a7b844edcbc0c4d225e102b444c0

SHA1
6ea8ac2948181b50309f851925e721eb27bf9d94

SHA256
b0b8390031108cd34873625c376b342f92b077eb847edc3dd806a172def78c64

SHA512
22d7933133ac16004a0bfae5d31e17946f5c0b2a80136e7a4ea4cffcbedddbac18f05b516482fde240602179560a2bb10ed62d3b577df160d3385147368b2375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
a105d224d8fe95c0d893c7bd178cdf75

SHA1
bcaced4285ced1ba618d4083fca4e1fad39ceef1

SHA256
f101109ae196e0e7ee5b8a46884815749043bef28055374c056d9baf90257fc7

SHA512
8f33958344b81a973db61f31b8ac5d06ee46d6b0a8f4f74e5f80bc8b744169ac59b36a83f32977541f1acc37b69fe8351badc0eea439f944404ce3c387638114

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
a193e84052ef134f0480a99f1e53c9c7

SHA1
b77dd005c48d5363fe27429bdf2403d3b050805e

SHA256
4b2fff0f2e42417329b4f26a0c226f188fd879e310d61de63956688b2cc06650

SHA512
0cbe5b283f1fd76733edbe9eb98834d6354f6f3eaca54aebf8255e2135e3d23844e2966c893fb527119879da7b9c1b62a49389f77af3bf481229d20fe2b8982d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
a24c83ab57ec4695d39a642234a884bc

SHA1
9c95faf26e60bff5a2c7dc4754d2a20022e4f2bb

SHA256
56819159dc2740de4d080a8a7912aab048c25b6f5caa6ac5ddc47de32eb58ea4

SHA512
85f238656375c623a117807cd1b469e8ebd101729983b960554c2d90e3910a763d8892df81551e8ab82491dc1a8e6a1ec04dd54c95134ef1b468c337e6a7d5c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js

Filesize
6KB

MD5
bd67a70d42ab0dbc126aac770a93a841

SHA1
4f7704899554999ca9fc9d4177e31ba2175438be

SHA256
481287d6ccac663ca207bf576204edd128f6cc24e0e7b367255cadba434d7c58

SHA512
e6f545782ed8c0f094f3c14efdca0142f17e991034b7e258efd65345891a49cefd8984018899e5d529dadfb3dc30100298cb2658e107348e944627e371141c90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js

Filesize
6KB

MD5
38a3dc7765dbe134733ccfdecc056581

SHA1
41871af23695237795f630e018f3461a85717459

SHA256
294929e309a1af29e9c188ec1a4e29d1924f033b985bc0707e5bdc61fb761be3

SHA512
1abe7d9f29a05ffb6e1333a1adf96dfccabe1a0d1a018acc317594924410abc98f0029dcf11439bb739feb687a9e2a5908ae7a577e2997ee282f9871ecbb7665

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js

Filesize
6KB

MD5
0fd7a4ee90e9aadab93f62dd9ed145f7

SHA1
b87f6f31d18d755ac385a98543c64feffacc82b2

SHA256
61043844ec8a0a4bf0849b200b6fa72aefb89c2bac73ba9d8c4ce3a1ac469c80

SHA512
76e621478eaf30bb11aa25c6e4cda60c770fbbb2651af34fc2e18127d6e26cbbe755791ca1eb04a1c644b50d7d57b5ea66a5a9ed2ecbedd16a6b75258d26f227

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
68cc11e7295cf42699fae82bf8b15ffa

SHA1
11924a8c71104bdae4195a5ce1a0cf6e676df062

SHA256
0d3ef14cb44c5674fe49fb056b812778af0eaecb8537a8070fc4baa780a28d90

SHA512
73789ef1c1d7620d771f603cedc0a6b1e27113bf76f0021da692f0cf293a1f07376d5f1894b2b23a7f9950107901ef6bef5e0c30468bd8a159d7a691f39ae7c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
23b9290f7f2f1436516f71713612bb24

SHA1
65d056506a41abb5250f713e106868afa99486a1

SHA256
648f567be089867e033fda6c5ebf891464fabd0da3aff6d4ae10fdc049cbf63a

SHA512
f177d60d1f56fb9d29ec8f24660046bdb4c060d77fd82f927009cd996d197db9cd237139d86c17da0e8520780865f09b82317b98496f16d802a7532e6e23e953

Download Submit
memory/4816-68-0x00000259D4130000-0x00000259D4131000-memory.dmp

Filesize
4KB

Download
memory/4816-33-0x00000259CBC90000-0x00000259CBCA0000-memory.dmp

Filesize
64KB

Download
memory/4816-49-0x00000259CBD90000-0x00000259CBDA0000-memory.dmp

Filesize
64KB

Download
memory/4816-65-0x00000259D4100000-0x00000259D4101000-memory.dmp

Filesize
4KB

Download
memory/4816-67-0x00000259D4130000-0x00000259D4131000-memory.dmp

Filesize
4KB

Download
memory/4816-69-0x00000259D4240000-0x00000259D4241000-memory.dmp

Filesize
4KB

Download