hxxps://tria[.]ge/

Analysis

max time kernel
443s
max time network
438s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tria.ge/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exemshta.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{303D3B11-1532-11EF-99EB-F2F7F00EEB0D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000355cdfc764e7bf4c783caf6c87a2e493a600bdc48204218ca98dd40106e9d644000000000e8000000002000020000000f4f2e2fed74d0a9cdad8d3f6c93a443bee7432238e5810f1172f18c3e6e0c97b90000000e8b84c00449256793ca5e150bad8be06f40b6c4a1e10bc368c3105f6a8f656d76a359498b7de690553960457261babc7b0a9c47bb7fb45ac4bac986721abed33b7815f2e1e04bb1062ace045ce9823c503c400dc373afd5ff4ac8145a47eb58287876763c9dfdcb1c9b035e4bbb9126408a245535f46089743c369f7af1d656cb635a482a2132a37b05083754295ed7a40000000ba08d79f372d633e937654e2788c164fd597c33bbdd12586ac33f6d459284254162779bf87120c64aaf97549ba5c4f7c2d2c8ef43db9a0a4b493b7a211ad6138	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000009c70afd70066bb4de11c63bc3643e6c52a1371a111bd71fee792ac896cd38e08000000000e8000000002000020000000aa0815591c254b475a1928b31a91b244b0a713e0de10e527e1b42b029415a2412000000002dbd0b5b17d378779638712263f119809ed38aa34d238a5c41ee5a6912fd03f400000001a0d125025f9814e984ada35d95bc3c7c257213bfc7a8a250b7ffaad556492375ef87d49352ff0d109b81ae94b55bdd7937c4a883152b597fccd236689f40536	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422210947"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a016fd043fa9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

taskmgr.exe

pid process

1812 taskmgr.exe
1812 taskmgr.exe
1812 taskmgr.exe
1812 taskmgr.exe
1812 taskmgr.exe
1812 taskmgr.exe
1812 taskmgr.exe
1812 taskmgr.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1812 taskmgr.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

firefox.exetaskmgr.exe

description pid process

Token: SeDebugPrivilege 1692 firefox.exe
Token: SeDebugPrivilege 1692 firefox.exe
Token: SeDebugPrivilege 1812 taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	firefox.exe

pid	process
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe

pid	process
1812	taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1692	firefox.exe
Token: SeDebugPrivilege	1692	firefox.exe
Token: SeDebugPrivilege	1812	taskmgr.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

iexplore.exefirefox.exetaskmgr.exe

pid	process
3056	iexplore.exe
1692	firefox.exe
1692	firefox.exe
1692	firefox.exe
1692	firefox.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
1692	firefox.exe
1692	firefox.exe
1692	firefox.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe
1812	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3056 iexplore.exe
3056 iexplore.exe
2888 IEXPLORE.EXE
2888 IEXPLORE.EXE
2888 IEXPLORE.EXE
2888 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3056 wrote to memory of 2888	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 2888	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 2888	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 2888	3056	iexplore.exe	IEXPLORE.EXE
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 1692	2948	firefox.exe	firefox.exe
PID 1692 wrote to memory of 2532	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 2532	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 2532	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 3000	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 352	1692	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://tria.ge/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2888

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\CheckpointLimit.hta"
1⤵
- Modifies Internet Explorer settings
PID:2392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.0.2104568760\283937714" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1156 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5295af3e-6bbb-4a1f-b397-de5cd1857138} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 1284 111f3d58 gpu
    3⤵
    PID:2532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.1.1188951878\1804846316" -parentBuildID 20221007134813 -prefsHandle 1460 -prefMapHandle 1456 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b383e73-c284-4d56-89e5-a4ac9fa66bea} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 1472 403ab58 socket
    3⤵
    PID:3000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.2.465110904\86381326" -childID 1 -isForBrowser -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6206529-4c24-4278-9d67-41d09ddf62bc} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 2184 1914ef58 tab
    3⤵
    PID:352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.3.436833357\1578659325" -childID 2 -isForBrowser -prefsHandle 2488 -prefMapHandle 2484 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {621600ea-02a3-445d-84e6-825f6557443e} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 2500 1bd79858 tab
    3⤵
    PID:296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.4.929747159\1204636786" -childID 3 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a09c419a-0889-4a8e-94c2-42311a43022e} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 3028 1c567958 tab
    3⤵
    PID:672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.5.1098180669\74090262" -childID 4 -isForBrowser -prefsHandle 3824 -prefMapHandle 3816 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e073588-ed7f-4a1e-94f2-6fb1aafbe5c1} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 3472 d63e58 tab
    3⤵
    PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.6.1617895123\658872028" -childID 5 -isForBrowser -prefsHandle 3952 -prefMapHandle 3956 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a93223f-ab4a-4dae-ace7-9a1c83999775} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 3940 1f6fb258 tab
    3⤵
    PID:3068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.7.607816613\1720650015" -childID 6 -isForBrowser -prefsHandle 4144 -prefMapHandle 4148 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46f03253-4544-4f47-8e20-aea1b24ef124} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 3940 1f6fd958 tab
    3⤵
    PID:2572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.8.1349256711\337549708" -childID 7 -isForBrowser -prefsHandle 2716 -prefMapHandle 2016 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {130e5d9f-c526-48c6-adfe-907341f46c83} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 2056 d5df58 tab
    3⤵
    PID:2684

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ce42bc4a347b78e8c3718b92b4d2b44

SHA1
0c445af2a7c2bbd014fce5370a4bf51e3f352ab1

SHA256
330d3818b510541b0274cd96ff1382aebd55456569ee2c41751e111692241a5a

SHA512
00dde6cdbb0f184f753890389367d1a4139d3835486cad67f710b435744cfc271d2f7b95d59939a4641f24e27d2fbf4c82bf4d2c67f90c52276fc441bb7a236c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2cb9078b3a6eab1100c54e66de5341f9

SHA1
b9077a250c8674db4949143a8d496c1d0d145ac0

SHA256
90d9ba83edb3adb54a64c62df88cb61c4cbfa0fd867aa8a0768fe11ceadb2da6

SHA512
9afc14eb478918957a164fb8e7ca0b3814f012858942c0da549f7a9497ad961efb3335e58d52565441f515f940544625067117927d03c275c67511c5f7f05634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ff97f5e2a17cc70e0052fe0bc278ca2

SHA1
beda4c3451b37325d02e269d2cf7de8c01405b41

SHA256
40af8d7cb058402e106b842b6ccf6960ac609bb3e1041eda17d8b624388f7042

SHA512
4f689b204cac4918cdc41abc525dcd67a07acd0e271c94a8f8d024f69fd1db1c2d0cee63d49df12016828c6862dd41e5ba8d64834251f4dd1c33d0aa3990e089

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6cefbfb557105b91ce135705c90c3396

SHA1
9ec4e96417bd06b187fcbd82ed4492d5cdcff04f

SHA256
b101d1836b4f7e2831d74e43638ce8458bc7d8a7d301f0d9917e32330e5172ed

SHA512
8a7de3730f494e833e1f996ecbdbe4f4a43e9a7d4408aa2a5fbbad5c9af5caebbad215961a817567f43c74b64139ea55a70a1fabcff6a7c7a253f59255766227

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b97f41f57d93ad32f34a00e756f1eff9

SHA1
c57f3ff4f6756adaf01c7ae34fed9d5297fd0e68

SHA256
16e77bc4f52c68f74160a6e65be713d2d76752d228c51e46de5d8fdb0de9197f

SHA512
8755b3e00c6eb9b4f0ab307897bf51efd9291c3bf79841729a83a5d79c62f1838f45290408d7d69a767a3442d688d008ff0fb58e2ced0509e6987b859a4eed54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af228ca983122b1aa6e69d8937ecae06

SHA1
33c6b3ec320bc51b5b6b9dd7c4a8fc902142bcd9

SHA256
c6244884ee0006a0c22fd761719b6d240c44d703afaeccf36679ba61cd5b70b6

SHA512
9a55f54548d8d519b11947858366fdf6b28b14eb4d58514519b880451b825b320bfcfd536788a1821605b5e28a43c781d5e5827259d503bbeb84118b7aae3dcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb6a8d63d142c018d4984880bf519421

SHA1
2a8a997355909ef94b56bf7e4385bc79a1b3073f

SHA256
cee67b6bcdf2d4addd393384f1b5ad60ffb5b05ea87552e564ddb0aa953742e7

SHA512
65299d30d479eec97ecab019fd024547eec6498de4ddbebbec8ad7fe3b0856e60e9de775aa71b2676a7de32cdf64c910c2b4c21c69356ad2a6499fd9c667e1df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2afde921d1b998d63ddf247eeecd322

SHA1
ae9c066872b6953545de155a0918d66d6f292d67

SHA256
5e3296f6f1629b35497cbf271c56b6e8a60bdd3f20b266a91d0c54bd911ac267

SHA512
16cdd8a170e7a32a320cefb66c2d261f953b51cb1ae674186b2ced4e11842da5e3754b27df5eac09d3e1ee697e07944766b2b4576c3dd3b67ba175aebf7853da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b627693e6114e3b700cd0659a43508de

SHA1
eced4843538a54a29129ee972dee1a21e76f30cb

SHA256
7bc35354ea3d45c70aa27a53d5183f45081a3291d3dfc2d25ffbc1110fe2d1fe

SHA512
2e84425a44b2421df50c6f55340bc9ddbc37c397ac194686f6bc1cb9fb95d984aebff60b637da729083b626f17a6cf7a84ed1ac1359ead356d0af9225454be2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38e8753d8f51bc9aa3a819984fe36844

SHA1
2197cae300d12fbbe0dce1142f7c4cd63aee4dc6

SHA256
ff7f0f7247994fd95a045ce4543228dc29a14b5cc8a43f0256c890f0d48f98bc

SHA512
c8260cf06acc16c1e450ed25e873445c3a805112a6baee90785ff1783b76dd3eac54c28a75564fbb890201a49dae8a56fee8e53d56612f9f4fb04ba267cd43e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1627853e8d115e35f29b2ad48ca414fc

SHA1
81a279b7948054c9a104658856a215722e82a8fa

SHA256
0a021d8e4824ec701d95ad22f94c58c3fecd5d8c013ba38080f429c7951c8e3f

SHA512
ec3903295d37d21198a2abda6acd62d13b573141d5a7622079000203c1a9d11149df609264a8a997c95e4a725bf9d7bb0e2a932da5c1a62b1ee646f5a1acecdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03300315b2b8bf3800095d5d1e658d3c

SHA1
82067045b7bafbe3026454fb15e781e20712a424

SHA256
ec82cc99287b8646f88fab6d20c16563d98fe462a770741bde25ea4fc63297de

SHA512
d466c3d7a763d3d17e4fa14b3393e2fe227263012f31f5ba6d217b4da80816733d224573194bad0f0470a4917a5b1066616368c17eedbf8add1925d42c119571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
049de38b818df615e9410807ea297c3a

SHA1
7e79ed6b91464cbab92f3165367116b8b8f1676a

SHA256
40a26fe8671eca3bc2e0c7b8a3e943049ebb127cfad8524b83c577330df3c952

SHA512
892f5243b08a8c623b1a6e561e0442e825430a0d04d50c02a7891a5c36354d2309f371991554577d7d6c6bb6e2ecf361c0f833257e635d140cd0efa7dcaa8e7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
5ccd61cb8680a05deef2435c54fcb4f6

SHA1
299f3ed66b2c2726600e6c63c4063f36bdfe08ba

SHA256
092cf187729278214590d60ca19478429bf657d0e37b45e7df5f0e150bd10972

SHA512
5f25ca7c24b466da253d3b0528b0930721f56da2e5da34727dce01a64d4197a543608482f72464ec896c4bcafb0d6e37db2746d7273153bc7be18029e6b37c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3C48.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3CA9.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFAC2A2584C737B3E6.TMP

Filesize
16KB

MD5
a31ce1a83affabd761c99d4200186b2f

SHA1
243dd66726fd8874bb01c0285aca2bf1ce6d2418

SHA256
37f694006352072bd8970242169eefe281f8a0857b220beb34651c5e253e1412

SHA512
645ede9c9c863dce7c015e0a6e28412f3556e5bbeee49ae7073ccfde811eda8a526e8d0cf113dc3c20abd085b6fefe57c05d30972eacf0ba1f6d2f5a7625b389

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b58ac016fb015e44184d5a3dfb926767

SHA1
2fbd0c09e35633963d45238436ef4f39efa74ae5

SHA256
ad6773181d9035bda90f8591d7867d096a200706e0b39db65c584a707a910342

SHA512
7d117aa76a12198a08b9500dd0409f2e600fbbab9ed5d3f266b87c3ecf20abc326c3be2ec3fb0d300f97d7e4e9228b37ee0f5eeeb7c44bde83e57b21fce74b7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\datareporting\glean\pending_pings\3626a351-6428-4b82-b8a3-8fee631ccc97

Filesize
745B

MD5
b437f36595f184445f7084059421b7e1

SHA1
cf017cf56bde60480e94e092bfe6a5aa3c805717

SHA256
17f39dab606249ed2d9556e5de05f16ff52e7d189d9005475c3e8ce726cfbb34

SHA512
09e4888d02787912dd1d968e6ba2f5d6b35abe7c6ab5054e279c44f1fed32132c780316fc156afef19191b717135107b5ee1bf6f5b28d65f4b9b65c215ec14e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\datareporting\glean\pending_pings\ffe83f3b-7c20-4c8a-b049-b82ce4f6ce04

Filesize
12KB

MD5
a8ef78ba9aab820d84ee9bbb7fddf2b8

SHA1
26a040b82fc8bf801fa3235b9a1db206e3012312

SHA256
63714e1a51dd5490536980b609c2b5b8f1ad48a29e27bcf337932535d6cb04d5

SHA512
33cb0a6f9110d8f7fa6a33d4c04fc10367fc0459077f75e44899a87ef735a0bc4b4efa0365d688da487946bbf98208356572d02c5f2f1f809063326f7c44feeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\prefs-1.js

Filesize
6KB

MD5
8328d5d0817cc45c83f7205037bc584e

SHA1
b02ac07af5f0192bbffa0d17f8bc7b565f3452f3

SHA256
383203392e91afc7ebbccf0c7ceae344a1953dd27b56f2cb48771d4f73ccbae6

SHA512
2390c6dc89fd1971d18d35022d868d6225fb8a214e5b6af6463c0ff896bcdeab8e616ae7d1d3bc26f870602ad990121d4d50270b5ce023ba721d48efb8915237

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\prefs-1.js

Filesize
6KB

MD5
5c7532a7354ca9bdcc1eb4636751c174

SHA1
83456fb56bf38624074a5334e8c5fdffef63540d

SHA256
a3b7dc3ceadce3a4c1fe3cb981e86f29fa0c10cb23d78a0b9522cf6698874641

SHA512
1f69ffce3fe7a407e204519d802b09f23eadc9951fd17df9ccffc095df942adff694c065a8c1035684a03cbe22450aaf8bc59af3c1b3c6cab4246f72ce91f045

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
88abb25eda802c45f426a18ababb372f

SHA1
e0a5c008f300bff4608e282ba12dda7a986b8d55

SHA256
8ac8d656fffa4b09871af33a7e254a8f63f20b77fbec9cb00092fca2cc13e585

SHA512
a51c784bc81d1cdb58427cbb2b404791ce5fa13d51290f665a8700b3ccf535c86242c6e72a073419dddade60d8d4a77dae6293742d58410216601592699ed2e1

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1812-1062-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1812-1063-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download