446e83f044b6319c85d16ace8fc63537a0d8b541658a90dae375756495535003

Analysis

max time kernel
54s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
Size

1.2MB
MD5

3a6da0bdd054d3f1bb0f4667c00dbf77
SHA1

888a1e905691c8b2b3b4daf556469be493fb10fb
SHA256

446e83f044b6319c85d16ace8fc63537a0d8b541658a90dae375756495535003
SHA512

1a384a49b4b5a81f8cf559bb476c57a3f7b73250eb86c625bffaa32a0cd679480076c9aaa49209fa73c79db1bf199724078763c1ecb05e7045911453c57f070a
SSDEEP

24576:HqgTM8/TP5XsxDzwHhCeiqKl6lKiWj3MryahDSVXT5X:HjTT/TP5cxDze2qKjE1GXT5X

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644764326158509"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
Token: SeDebugPrivilege	5060	HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1604	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 3640 wrote to memory of 1604	3640	firefox.exe	85
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 1800	1604	firefox.exe	86
PID 1604 wrote to memory of 4504	1604	firefox.exe	87
PID 1604 wrote to memory of 4504	1604	firefox.exe	87
PID 1604 wrote to memory of 4504	1604	firefox.exe	87
PID 1604 wrote to memory of 4504	1604	firefox.exe	87
PID 1604 wrote to memory of 4504	1604	firefox.exe	87
PID 1604 wrote to memory of 4504	1604	firefox.exe	87
PID 1604 wrote to memory of 4504	1604	firefox.exe	87
PID 1604 wrote to memory of 4504	1604	firefox.exe	87
PID 1604 wrote to memory of 4504	1604	firefox.exe	87
PID 1604 wrote to memory of 4504	1604	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\HITMAN 3 v3.10-v3.160 Plus 13 Trainer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.0.1149426924\602267352" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17961eed-3a44-433a-801f-caa1ef24e443} 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 1692 169a9b10e58 gpu
    3⤵
    PID:1800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.1.65087160\1294283215" -parentBuildID 20230214051806 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99647d6f-627f-4532-b130-582ccbd1dea1} 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 2404 1699cd89658 socket
    3⤵
    - Checks processor information in registry
    PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.2.2099606346\876263887" -childID 1 -isForBrowser -prefsHandle 2808 -prefMapHandle 2840 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a18ad71-7181-4ab0-b166-901dcb2ff997} 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 2812 169ac90c558 tab
    3⤵
    PID:4848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.3.1427037938\982330538" -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce650283-4bf2-49fb-8077-4f7be8bc7145} 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 3960 169ae7e0a58 tab
    3⤵
    PID:4464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.4.1491082113\816640577" -childID 3 -isForBrowser -prefsHandle 5012 -prefMapHandle 4988 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff40d029-3d83-4f7f-b8aa-2a6f512fefab} 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 4420 169b0b2b358 tab
    3⤵
    PID:872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.5.1687417825\2078238296" -childID 4 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38f8343b-42a7-43d2-b5e5-d1c4c6de341b} 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 5144 169b0b2bf58 tab
    3⤵
    PID:5084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.6.1633287711\206024153" -childID 5 -isForBrowser -prefsHandle 5404 -prefMapHandle 5408 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e11f862-8ffe-437c-a70f-1031930d0c97} 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 5396 169b0be3758 tab
    3⤵
    PID:3488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.7.485520121\579579145" -childID 6 -isForBrowser -prefsHandle 4428 -prefMapHandle 3556 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6529bfc6-b38b-4cdb-8b1b-138dcd6f41ff} 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 2764 169af47c558 tab
    3⤵
    PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa41feab58,0x7ffa41feab68,0x7ffa41feab78
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:2
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2316 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3836 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:8
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:8
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4936 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4972 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4960 --field-trial-handle=2004,i,13938801666168289130,15717784341480260428,131072 /prefetch:1
  2⤵
  PID:5276

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
810B

MD5
3c68ee07e5c26ada6761ca6c9da003d0

SHA1
29a63a3294de541c6da464676cb263b784c1c013

SHA256
fbd66933b4620a147ae917ed9dd439edf2a38d9876d5838206e603e21c7770b3

SHA512
168e0515958391451b925e44b04e4935db9cd1268ef97b3fb03889623f56944e4ea605a8bd1fdda2fe6f0d627c408f4e43b57576d819e626460e9a351f2321be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
62da864694f6d2e1a391964e7973ee68

SHA1
a709b0cd6d86a58ddbe06bdec24d3f81530ca338

SHA256
1c2f0405c631ccf3fd0c67ad07ce86daa6f0b687081e3cb5a2b2c29247bc0dc7

SHA512
3ca518ffa0269cb0555859409dff1737fb901bbdd14ec356e626cdfe1e379b92eee2543f3db26e95f6e705c52d627a621248864fcd572ed4f0fa4cfbd15c9fb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ace3deb3376a340a99bf508e41285070

SHA1
1f3bf8b2c580c1150781accb7045416b592cf1a7

SHA256
f0df45b202a92efce731f96749fa4c712fe8b2bdb1eec9fdce1b376051af7236

SHA512
fa196eea999303ade4d95f0e00ea69a298839160afbe8304336a40b79b5aeb890d98928514df36336575f8da61926fe9fc78cd5c7387ceca0561a33fac186acc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
60ec7a5fc021207b44d88dcd5fd05474

SHA1
25e0da6fd83ab8b3ca90e011e4ec3d981718c63e

SHA256
5e96f4f85bd9e21598d75b05fcdd585eb1c851cb113190b969749b4fe55c5bd7

SHA512
8cb414f397380f1a7ea3c5b378015997e099c9bc799f890ed99142dc0e91d9a16e3a6001b1ce543a93c65b734503bf5ec029fd8966de40638f7064e0a1063a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
2bb47651877d96193cfbe272adda5de2

SHA1
7198496f6b7e21a0f8e6beb7c6a205bef4f3aaab

SHA256
140fcc301d6a28473992dbeef0af83b29126f8d13ac6de05f7473627503c8353

SHA512
37aca56b108409aadac4e8f1f0363cc18e2c028744dfd09cbade38900a3151fd938fb15d3cfed19e0b5c3b5b301aa6b4bc0da617b0b9e45a06418df5a69a1380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
78034fb8ed0afb5d4215c56ffd1bbbd0

SHA1
61e3de548c734c565ee0405f5e2cbd933f1232b6

SHA256
317042d00dee9b98e03304f210d000396dff915e9a4b57eb2360f6c66c1a4836

SHA512
b998c51ec1a40f13b7059f2ae1a39fcca664effc296d8e35674a1efc7499ad2a295db3b015bf86bedf7a698a7687804b9bb49a6fdafa8e0ff4d48708bdd148f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
a78968b2ee63664806a08389bd9a617d

SHA1
5954f25c0909327f7cf7f8cd007fd48be20e6d46

SHA256
500ccf9cf1d37d63b0c024a4ea0ea2d5fd2be643399158e478426209bf48251f

SHA512
75d51a5b10678768a91a7016757ba72cf048e9ec26b04f297afdd7e833d3e4754e07c9adc51efccd468f9f063163aa9da92ff5a8ea01de4c9b07b39bfafd5fd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
c77133036f8bd923a13e1b3a56133f2a

SHA1
9340ec9134ab48b487dcc32410eed929d884b747

SHA256
dbd9793cec2d20475f1cbffcfbc045d828042551677e107daf2e11de2abde7ef

SHA512
fb313424a574c29872cbed0b032b85a2c568d387495a05faff3d98e6e0e950b56f3fc46f249500e774507b334ed0eaafe216546b552d8980558aa5dc7708105a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
53bc6a545d715afe9a90d264730d78f0

SHA1
80e02db3c89cd759508a889edbdf59b5819f330b

SHA256
936c045b109b5a91979873089c09d7cd499a07c47bdede718224a08866305e27

SHA512
052ff2c6bfef007c27f647663b220d4224aeec4d11b10f1149abd120968d837bd04f89dfa6dfe3a0db987794012e4307f13761c02c86a3a10f65f11e2e305448

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
26006ff20d049601fef0f6734da66847

SHA1
38832665d76c18c503da8bc1b69a0f396d4f59fe

SHA256
bf021f254067f44cfaf5fba145eb4705b25b7c494668c663b35bd8dc62279327

SHA512
69611c0379aab074151efd0c33c1de9e0fe8c52c651e45197f7bcd2ad11931d72e9e540168b1845cd2739fbb1fc8d2141ff5cc99e4a4b5eb99bab5c82d8c6bf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7c97b4a35649cda9c33bcce8689ef1f6

SHA1
d7cee0d7d35204bae70833746cb45ce5a952fe6c

SHA256
926236c7f256421ba9e10c7e2a1f17cf0dae666e60bd295c32a35a61b921891d

SHA512
83991aee39c09841c857b6366e59bd8d2a39fd9e495e773d4338a61012fc7a1b98ea6d75742c46b2bcf6749c5a497a195afcdeece8446797559bd5cf5c468af6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
3e2a23f3d8de7990dfccab2f22a17b60

SHA1
ae107af66c99dde064254762eb14ff09b181a92b

SHA256
292e702e53417e24666c076f25ac8ecc02b48a536998edf3984a1f77e5ff2202

SHA512
112885c4ca5a2dcf3524c444df0163f1c560a1e5a3be23a943d24334b0725c30cb222230373b3aa59c0d496e78a0b338c293a8a708ae65afd99154679f7ff25e

Download Submit
memory/5060-7-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-68-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-56-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-55-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-54-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

Filesize
8KB

Download
memory/5060-8-0x0000025CE2240000-0x0000025CE2278000-memory.dmp

Filesize
224KB

Download
memory/5060-9-0x0000025CE2210000-0x0000025CE221E000-memory.dmp

Filesize
56KB

Download
memory/5060-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

Filesize
8KB

Download
memory/5060-6-0x0000025CE21C0000-0x0000025CE21C8000-memory.dmp

Filesize
32KB

Download
memory/5060-5-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-4-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-3-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-2-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-1-0x0000025CC3E70000-0x0000025CC3EA4000-memory.dmp

Filesize
208KB

Download