Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:32
Static task: static1
Behavioral task: behavioral1
  Sample: Free-Robux-EXE
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: Free-Robux-EXE
  Resource: win10v2004-20240508-en
General
Target: Free-Robux-EXE
Size: 253KB
MD5: 8701e5e1960097c6ef3a286d5d948f0a
SHA1: 10b55179c9863d4c88777efbe3e07b6236efc951
SHA256: 55fc468737e15de1b24b0bf2c6fcec653ae9399eaefd613b6a62bdf89fcecd38
SHA512: 8540d1b0ac75aff29cd58710a3543b679d0769226f60cee4d33f1b9b835adfa8e83510f70b7754078f7f8859f48c2f64e9fac47b3fa3b7daf26fc9e0dfe68518
SSDEEP: 6144:7ZoPY2n9dH5M2vkm0aWyRv3pId9RxH9mvZJT3CqbMrhryfQNRPaCieMjAkvCJv1E:toPY2n9dH5M2vkm0aWyRv3pId9RxH9mD
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature     firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision      firefox.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes (description / ioc / process):
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies registry class (1 IoCs)
Processes (description / ioc / process):
  Key created         \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings  firefox.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (pid / process):
  1988 msedge.exe (2 entries)
  4896 msedge.exe (2 entries)
  1416 chrome.exe (2 entries)
  6068 msedge.exe (4 entries)
  3492 chrome.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid / process):
  4896 msedge.exe (4 entries)
  1416 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege           3020 firefox.exe (2 entries)
  Token: SeShutdownPrivilege        1416 chrome.exe
  Token: SeCreatePagefilePrivilege  1416 chrome.exe
  (the remaining 62 entries alternate between SeShutdownPrivilege and SeCreatePagefilePrivilege for 1416 chrome.exe)
Suspicious use of FindShellTrayWindow (55 IoCs)
Processes (pid / process):
  4896 msedge.exe (repeated)
  3020 firefox.exe (repeated)
  1416 chrome.exe (repeated)
Suspicious use of SendNotifyMessage (51 IoCs)
Processes (pid / process):
  4896 msedge.exe (repeated)
  3020 firefox.exe (repeated)
  1416 chrome.exe (repeated)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid / process):
  3020 firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description / pid / process / target process):
  PID 4896 wrote to memory of 3080   4896 msedge.exe  msedge.exe (2 entries)
  PID 4896 wrote to memory of 4356   4896 msedge.exe  msedge.exe (repeated)
  PID 4896 wrote to memory of 1988   4896 msedge.exe  msedge.exe (2 entries)
  PID 4896 wrote to memory of 1652   4896 msedge.exe  msedge.exe (repeated)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the process tree)
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Free-Robux-EXE
  PID: 2708
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4896
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6e7b46f8,0x7ffc6e7b4708,0x7ffc6e7b4718
    PID: 3080
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16200592390998209127,6084530895591820315,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    PID: 4356
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,16200592390998209127,6084530895591820315,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 1988
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,16200592390998209127,6084530895591820315,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    PID: 1652
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16200592390998209127,6084530895591820315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    PID: 1356
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16200592390998209127,6084530895591820315,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    PID: 4028
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16200592390998209127,6084530895591820315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
    PID: 4724
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16200592390998209127,6084530895591820315,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
    PID: 640
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16200592390998209127,6084530895591820315,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3604 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 6068
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2912
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4484
C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 3436
  C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 3020
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.0.386991422\1615273299" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c762f4b-c49a-492d-b96e-6a432eaf49cc} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 1888 29a1c0b0f58 gpu
      PID: 4940
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.1.1588672995\2093572871" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ec5a038-a0ae-4b16-9545-21401394df62} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2436 29a07d86258 socket
      PID: 2688
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.2.257653460\1626823709" -childID 1 -isForBrowser -prefsHandle 2964 -prefMapHandle 2960 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1258775d-d0e1-4065-a060-4736a1373dbd} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2976 29a1e8f7158 tab
      PID: 3940
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.3.1960682621\1622563271" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b78007d9-ab94-453b-9c4a-1ce1fa46411e} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 3680 29a07d76b58 tab
      PID: 2612
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.4.1121927017\721836528" -childID 3 -isForBrowser -prefsHandle 4956 -prefMapHandle 4932 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c12a59e-230f-4139-975b-01a7f651209e} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4964 29a22e1f758 tab
      PID: 4792
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.5.1747363688\1897095577" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f0892ad-89f8-40e8-b6b0-a22ea87f8d49} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5088 29a22e20058 tab
      PID: 3720
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.6.1089070221\577694696" -childID 5 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf3b3e7f-811a-405d-94d4-d9efa3f49c4c} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5272 29a22e21258 tab
      PID: 3532
C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1416
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5d80ab58,0x7ffc5d80ab68,0x7ffc5d80ab78
    PID: 512
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=2024,i,17108230462573328136,4717012228254174365,131072 /prefetch:2
    PID: 5252
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=2024,i,17108230462573328136,4717012228254174365,131072 /prefetch:8
    PID: 5260
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=2024,i,17108230462573328136,4717012228254174365,131072 /prefetch:8
    PID: 5304
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=2024,i,17108230462573328136,4717012228254174365,131072 /prefetch:1
    PID: 5448
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=2024,i,17108230462573328136,4717012228254174365,131072 /prefetch:1
    PID: 5456
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3608 --field-trial-handle=2024,i,17108230462573328136,4717012228254174365,131072 /prefetch:1
    PID: 5684
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=2024,i,17108230462573328136,4717012228254174365,131072 /prefetch:8
    PID: 5312
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=2024,i,17108230462573328136,4717012228254174365,131072 /prefetch:8
    PID: 6040
  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=2024,i,17108230462573328136,4717012228254174365,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 3492
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 5636
Network
MITRE ATT&CK Enterprise v15
Downloads