035e12a7047dc45ee52cb8094d7a7a500d936565a15279803861738b43e7099d

Resubmissions

09/07/2024, 20:19

240709-y34xcsvgja 6

09/07/2024, 20:15

240709-y1mv3atcnk 6

Analysis

max time kernel
148s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
09/07/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

redirect.html
Size

6KB
MD5

8802e66b90f2011bb8c564b30973d4fd
SHA1

d5f03f85b2ea729a139bf8cc7e56240d334e7e6f
SHA256

035e12a7047dc45ee52cb8094d7a7a500d936565a15279803861738b43e7099d
SHA512

1e57a7bcdf5e6b25fb057a6ed15b9553688fcb52361fb2292ac4255a156c52f5c34641d90ba77332ace5ef6dce9a69c69ebc23ea917d28faf6c530f78888d7c2
SSDEEP

192:daHLxX7777/77QF73iyro0Lod4BYCIo0COtvX6+n:dar5HYO0+CIotOdX7

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	camo.githubusercontent.com
23	camo.githubusercontent.com
24	camo.githubusercontent.com

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Flex-Base-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
1920	msedge.exe
1920	msedge.exe
3352	msedge.exe
3352	msedge.exe
4104	identity_helper.exe
4104	identity_helper.exe
4572	msedge.exe
4572	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2628	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	firefox.exe
Token: SeDebugPrivilege	1972	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
2628	OpenWith.exe
1972	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4708	1920	msedge.exe	80
PID 1920 wrote to memory of 4708	1920	msedge.exe	80
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 2312	1920	msedge.exe	81
PID 1920 wrote to memory of 5100	1920	msedge.exe	82
PID 1920 wrote to memory of 5100	1920	msedge.exe	82
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83
PID 1920 wrote to memory of 688	1920	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\redirect.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0xe8,0x7ffeb0243cb8,0x7ffeb0243cc8,0x7ffeb0243cd8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,13850276660512903467,7854666388022813428,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6724 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_Flex-Base-master.zip\Flex-Base-master\.github\workflows\c-cpp.yml"
  2⤵
  PID:124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Temp1_Flex-Base-master.zip\Flex-Base-master\.github\workflows\c-cpp.yml
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddb83f5f-7d7f-407c-bb6b-51de468c1be9} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" gpu
      4⤵
      PID:4712
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2296 -prefsLen 26669 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a646fd03-79d6-4917-b302-c0f4d1d3d413} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" socket
      4⤵
      Checks processor information in registry
      PID:4448
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 1 -isForBrowser -prefsHandle 2812 -prefMapHandle 3120 -prefsLen 26810 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffb7ffc3-5d93-4742-bfa4-986f03fb4e65} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab
      4⤵
      PID:4684
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1368 -childID 2 -isForBrowser -prefsHandle 1268 -prefMapHandle 2700 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3cb7d6e-2fb8-4992-ac9c-e82c2781379c} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab
      4⤵
      PID:1880
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4480 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4652 -prefMapHandle 4644 -prefsLen 31159 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6212deb9-0fb9-443c-865b-20f726ef4986} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" utility
      4⤵
      Checks processor information in registry
      PID:5368
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5140 -childID 3 -isForBrowser -prefsHandle 5200 -prefMapHandle 4812 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f592ed6f-de9c-4638-abb6-c1387eb8ff76} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab
      4⤵
      PID:1424
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 4 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {491ffa33-bff7-4217-a6ac-082a5119f588} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab
      4⤵
      PID:4196
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21ce7c2f-5962-4d70-8150-41d7c2dca179} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab
      4⤵
      PID:5380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d33f465a73554cd1c183cbcd0a28a2

SHA1
f5c16fc4edff600cb307f762d950500aa29a1e8b

SHA256
22d8c228cdcfd3e05431d7377748014035a3488ad3a0d4aecc334e724245a1f9

SHA512
7cc94f77f3943143ee86eabbfddcb110ce52c6ff0975842e3a3d06072f51f2c48914ee61f24484a539888ad19a7e6a1becfb029485cd5984bc736434a63cee95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
575466f58c7d9d3224035d23f102d140

SHA1
2fce4082fa83534b3ddc91e42fb242baee4afa1c

SHA256
9da0e657652daa1ef86af7c3db62b0af9cce372a5f765c98c68479922ccf1923

SHA512
06503e718fe967076dd8a061b57debdc663b9616b005f8567099a84fc7184880633079335d622c243918efc3356b40e683708fb0583084abeed7db6168a212ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7ea73ea2-8f1d-46c9-ac62-0084fae6731f.tmp

Filesize
5KB

MD5
0bb0aaa140d0a7a8e50fa09c717331aa

SHA1
9231afff972d69ee3c395a577e3daca37c8fd81f

SHA256
61437732891f348aee7d9c588bfd8e55339c1c8c1bd655aaa27db432ec92c0ef

SHA512
aaa75db86229962681990f8e2333c1e8cb95411aab8c86e8b911f1332ec6c2d9aefde6e0e6ba8622657eec7803a139c10fd7120d4a5c24144225e293d39cf21a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8a39e651cc7ef549f1e37b248c479d1b

SHA1
f19979a1dea94baaab7714c8fbab814b52b5bdb1

SHA256
3d16b89444c99875be555441689a3fc480a9566369f139d5095551af3be932fb

SHA512
0d7d7d23640028827b5266529c68cdf01412603a80021c40bd83b89ceb4e34c122b8f52c32845c63a91be9794895bc073fbf7938420e3bb78ac434a69819ecb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
570B

MD5
8a91504db5e3588912cc174f1ed714b8

SHA1
03c31b113d5879a9b2dd113121e3ed6d73c23bef

SHA256
4b52340dad37210bfd246f324fa747ad1e8e7b9defbe7fb0fa91e66bf9a8ec5b

SHA512
fb8238f66f41722b29931944063bc1df7c5e8b5cfb7382f5c2bf298e326545c5ef4a5ed113a7d2e740415809692ab72c9a267356af9ff685e3bf5b3a669fbc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1f0143f6f691dd19510d3c272597106a

SHA1
d616cc4d29279e8ca37cd322d9b74d82ba5f6203

SHA256
a93143ccb5af9fc365639f0bab8a736149973f7085656f98957d99fe680ba424

SHA512
55765f73f61e793ad8c35937f80512a6f4c50eac0191ee6a5aec07f1949c663f21a7e92b883c2da4cd65486a856af92a98a5be6324b6c873f4c354a47000eb99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f5b00f9a50efeda0b56dac368f0da5e2

SHA1
b04e3869c0e85097825581c5a0af905690a8d717

SHA256
3063071054d710e7d6b006b28f41393e1ad00d5e02702a298b8d6828fd43c0ef

SHA512
d1b31cf3b69860f72878a196dbe670ea2466eb3ec1a67ce794ec93cf218cccb689dc23f5dfe709551188e66a512549fb003b056b48a53312d2d916d21a273fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59bf9d.TMP

Filesize
1KB

MD5
ced20ec87332a6b5555e881273d7a2d0

SHA1
f47827a4788e51050a2374c37560f7b463f304e2

SHA256
fc753831ed37c3e65c8c9e310e6ed2174e6e4ba5288d6e62861d9463363d372d

SHA512
35820c9108e3a59c0bf4e4a1574bd861f73259f38bda02d76352dae5d29fb903b79269f088b6edafb0978db60972221d606540e972807bfdd96168fc3d12cec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6ef152ac62fec3aaa6c9e19037c53af0

SHA1
482fa47d25bfeeb4e742e1929a0622dab7cbd6b0

SHA256
c8feb50497c92a9420a015aedd5f6276fbae819f4fa73dd21b7ca15252d2e6db

SHA512
32204329c5af4c327f669945b677f3e1ad593f9e6dd60eb1c1ef81b0ef211bf9659b2a8874e0c57e2ecd05cc1b7f551105f5e208e8d390dcef3b94cdd77e32a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5d8876e362b1748e57cb842942185824

SHA1
3663676b757b8c5d3e9817a11d778a46af309edf

SHA256
6d0b540479138cf4fb1cd68b6d95bbece0b455f8ee09a89a94b4f636a4a8c6cd

SHA512
161bb541ebfd315f25eebd6d7766931614a3c71443f4368939c2a146ff7abf07ecffcf0e5d715752679fad9899419614839123374ba1da16d8b4bac5dc167e7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2aa712cd2f11aa5776973b5272fcc5be

SHA1
cfe97a7eb5b333e72b1169c8ca4dc0f644378a6c

SHA256
6aaa5e58e450613544f285b9d4caf3aecc859c74d13facac2b9dc8217c3626a3

SHA512
797154624e8fe44c44e370d30760420a3763000fe7a534ee41e37f5165dd9b868e32b95d2051a21b312e7da8d3c1d298a3ffe68a429e4648cf9052a4b0f1db31

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz8w575m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
a2949807bd0dfe35c90692011c2e401b

SHA1
d5e56ca3326c03a3afaafebf9039d66effcd973b

SHA256
bf07bc076874e7ec0ee87329cff75aebc68c9bac5b98afbc403fe56dc4398a81

SHA512
00565dd0b9c2918a2e881d0b50cfabf048a84cb2d0833ac0a68f86089f159250201c5d012c8338a1253f0ddba5f6c2b6a19911e496d05b53214041fd8e08a707

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
66ced9a5affe12c2ae279f4f8ec5e92f

SHA1
0d7b1f51fdb780fad34cf1a2493734acdafd7ba7

SHA256
39c3a542e851d0b3dc1f5b4bccf6f716e388fc4e769e0ffcdfb685eff30a9876

SHA512
dfbfe11ea71ecaffdf1da21ad10b6fc0be45e7439d93d762c010a0b2db61835b422ca78d352c06ea5bd7001a04f600df9e4c9c9f234d364e4103ba0323085d18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
e291751c659ebf9f719dc303b0cc6003

SHA1
c76554ebc2a9368167b0156a217bdf741e537fe2

SHA256
025e6e3e059d178c1386339071c403431d2540a0c6c717fddd75c1678f690e2e

SHA512
1141be34a5306399e4dd0e6abbf758fd983045ccc78061678fbc4a02d6ad2ed0915aafb55a5e9d002e35cdfa775061c4c3f23bf1e30e7c64c1aa85bfec7b2416

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
31cfdb4cec0ef21459a56bf92e219c20

SHA1
4cfc191d440411602ca6b18c9aa2bdb001e8b2e3

SHA256
44f17fc4df3fcf2de09f2ce0bba6396aabf87bb333d52986e4ae8e98ffe635b1

SHA512
a69fbfda637c6ca5e8cd0045eab0d4b4a11cf818c9baced4b57e836175c8f276132711a6cc882ade59770377cceb815586860ca289b226e6472c820d91988c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
40cab46beb8ba3157cbce8653de8c1d1

SHA1
750ccce5d989f576626a7241cc76b9e4ce915bdf

SHA256
dcd11a39667ad307f481dd0ee2579388df7123bb07795517aeff7cb5b808928e

SHA512
998bd65197fefc83e83ffcdc1d13435eb41c1358671846f1636ab58bddb9d3b3e60283c965504f04b7eeb1f4fc875ae373af33c13b1aac1ef1c26c8aff42d237

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\pending_pings\4d3566fa-06d9-413e-bc38-69be8da04102

Filesize
982B

MD5
1b85d135897950938724718a8e5563ab

SHA1
c68465766564d12dc1528192231d09155c11bcd5

SHA256
5e6d64b0e1b01278c376d46a979c6ed2e215d428b740a70a53b049879ef2eb4e

SHA512
bc1a7597591509501d81d23f04dc8f57b9c304dc1d65a10ccb96958b89891b9ddf8b1910a6141b48f90403a7625d95d577af4532820d3dd9510a066d69925e5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\pending_pings\b366ef63-f1f6-4aa8-8814-7ae92f9933ee

Filesize
659B

MD5
f00271c3d20232e52eb6bddd687be0a7

SHA1
99df589acfb28600434b1a791ea6f74af789e3eb

SHA256
2e89d1715965765b4f0b9c86cd8a9c20c8dd164c30d05abb0bbff954221fefc5

SHA512
10169486c15f8544e97e22c635818dcaaa1f2191abcb08a990628b1740c64fc484b5fabcad6c774d239e82bcbd59a04c9bb8d62e2daea2b2eecbdf3f11940610

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\prefs-1.js

Filesize
8KB

MD5
7bb6685f4d28bc3501812a1b4c3cc069

SHA1
ddec398debe915b52c4aede57884191c50d4c67b

SHA256
12fe4874c330c9891c0fa5a08da812fecae691e39e083462ffa03f128860b720

SHA512
6186ebc1027d29169a8353077d204df06f64d7dbd2eb735d80b9da5714e189c7d8a35f4560333480695b48a757048c21ac8eadf647ea542f1471567f668495e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\prefs.js

Filesize
8KB

MD5
7f0377134e8d728eada3c33cfa531810

SHA1
4cb32589a3cbe8a94837f624c427e472e0ceffe7

SHA256
d950ee4ff496f68d575309ffcb10b25ca4f0bbfef4139f3c1b044f77ba6eaee6

SHA512
2f073bd2bfd48410de952970c2af91fe832040cbf541418209bd1f6221b7b52d591312ea192c6879bbc52de85e9ef6a026fa6fc1fb8e0e33fa6381567df3f52b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
e08ef355498ae2c73e75f5a7e60eada5

SHA1
c98b5ab80782513f6e72d95ab070e1ed7626c576

SHA256
d1a98a30522d1bf882574df5ed2793bba5c4fdf0381788babea0846f6946745c

SHA512
a0550e83ecd1cf632b4e54bf43744ee9f7c0a8dfcf9a043e018c00d4ca0bba606cfcaaa469b204e7c9dffec1f79b91e16cd4f1c94ff512c45d3dd25b7174e859

Download Submit
C:\Users\Admin\Downloads\Flex-Base-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 689126.crdownload

Filesize
22.9MB

MD5
63b94d659df55107b32f019e9ed6452c

SHA1
89cddca3da4126f8a7e1c70006a6d5492798aecd

SHA256
503622e5c0791a1906bc4086fc0cb523c0e97a9b86e596e7ed0afc6ce8f18ff4

SHA512
a3ef594b006ee42a7403d98c880f3b5b65333c21bc8b163cc196d3c3dd42aa68a3c052c642ad0020ddfd486ebc7b28015123bf92dfe1999f9e8800a01eaf97b1

Download Submit