Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 23:44
Static task: static1
Behavioral task: behavioral1
  Sample: Deceive.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Deceive.exe
  Resource: win10v2004-20240508-en
General
Target: Deceive.exe
Size: 1.3MB
MD5: 8601a9bf03b194b7e70de918c86235e0
SHA1: ba49b40e83cd833ebf8ab62e47e10fbaec0f7de5
SHA256: 8ae665c9f2ce17156a11d63bf5f3400a832733cbd3686b2e272aeeac50b006df
SHA512: 8850df97bbdfade1534efaa2443fa5c791d5ace2793fce351caf5b559c78d4dfba787886950b750cffe13c88f4e353179e44f05184a10eaf2377cbedb5b6ba91
SSDEEP: 24576:9ljj1jWV0il9s7yHjTjCJTd08imlKfITk5BkAptcxBOqDVphkgRUpbch8:bjRS+i3s7yHjTjCv08llAIIcC6BOqDVl
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 10 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description  ioc  Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
- Modifies data under HKEY_USERS (2 IoCs)
  description  ioc  Process
  Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618454967070877"  chrome.exe
- Modifies registry class (1 IoC)
  description  ioc  Process
  Key created  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  firefox.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid  Process
  3436  Deceive.exe
  3436  Deceive.exe
  3436  Deceive.exe
  3436  Deceive.exe
  3436  Deceive.exe
  3436  Deceive.exe
  1716  chrome.exe
  1716  chrome.exe
  6768  chrome.exe
  6768  chrome.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid  Process
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  3436  Deceive.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeDebugPrivilege  5588  firefox.exe
  Token: SeDebugPrivilege  5588  firefox.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
  Token: SeCreatePagefilePrivilege  1716  chrome.exe
  Token: SeShutdownPrivilege  1716  chrome.exe
- Suspicious use of FindShellTrayWindow (30 IoCs)
  pid  Process
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  5588  firefox.exe
  5588  firefox.exe
  5588  firefox.exe
  5588  firefox.exe
- Suspicious use of SendNotifyMessage (27 IoCs)
  pid  Process
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  1716  chrome.exe
  5588  firefox.exe
  5588  firefox.exe
  5588  firefox.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid  Process
  5588  firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description  pid  Process  procid_target
  PID 3436 wrote to memory of 4976  3436  Deceive.exe  101
  PID 3436 wrote to memory of 4976  3436  Deceive.exe  101
  PID 1716 wrote to memory of 4836  1716  chrome.exe  115
  PID 1716 wrote to memory of 4836  1716  chrome.exe  115
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5388  1716  chrome.exe  117
  PID 1716 wrote to memory of 5396  1716  chrome.exe  118
  PID 1716 wrote to memory of 5396  1716  chrome.exe  118
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
  PID 1716 wrote to memory of 5404  1716  chrome.exe  119
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Deceive.exe (PID 3436)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Deceive.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4976)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/molenzwiebel/Deceive/releases/tag/v1.14.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1844)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4704)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=4896,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1460)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=4916,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4984 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4264)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --field-trial-handle=4964,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3624)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5548,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3648)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5860,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5932 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3848)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5776,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2432)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6348,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:8
C:\Windows\system32\AUDIODG.EXE (PID 2500)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f8 0x4fc
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1716)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4836)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd9a5aab58,0x7ffd9a5aab68,0x7ffd9a5aab78
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5388)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5396)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5404)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1864 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5436)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5476)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5944)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4216 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6044)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4228 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5152)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 7044)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 7120)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 7160)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6768)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2880 --field-trial-handle=2068,i,12816379708265863676,15886828290103317031,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
C:\Program Files\Mozilla Firefox\firefox.exe (PID 5516)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  C:\Program Files\Mozilla Firefox\firefox.exe (PID 5588)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5968)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5588.0.919858959\1428685704" -parentBuildID 20230214051806 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d54eae40-e2b3-4611-a64b-03b8836dd0e7} 5588 "\\.\pipe\gecko-crash-server-pipe.5588" 1836 182c580c858 gpu
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5244)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5588.1.737618701\2046088464" -parentBuildID 20230214051806 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b1f56c5-ae66-4cfc-870b-0d84672da104} 5588 "\\.\pipe\gecko-crash-server-pipe.5588" 2452 182b8a8a558 socket
      - Checks processor information in registry
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 6092)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5588.2.1227743435\1704350076" -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 2932 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce02da56-1955-49b6-89ca-12bb0d4ab8c5} 5588 "\\.\pipe\gecko-crash-server-pipe.5588" 2884 182c4696c58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 6396)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5588.3.1821440382\1371928415" -childID 2 -isForBrowser -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e64ab28-9eb1-4c6c-aa4d-18010ceeb7b8} 5588 "\\.\pipe\gecko-crash-server-pipe.5588" 4204 182cacbfd58 tab
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 5644)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6644)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6488,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads