hxxps://pdf-harmony[.]com/getPdfHarmony[.]html?gclid=EAIaIQobChMI9Nu80rifhwMVnWL2CB0m3A2lEAEYASAAEgIyTPD_BwE&campaign_id=21397574353&creative_id=703167045775&adgroup_id=166571168791&placement_id=www[.]mediafire[.]com

Analysis

max time kernel
64s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pdf-harmony.com/getPdfHarmony.html?gclid=EAIaIQobChMI9Nu80rifhwMVnWL2CB0m3A2lEAEYASAAEgIyTPD_BwE&campaign_id=21397574353&creative_id=703167045775&adgroup_id=166571168791&placement_id=www.mediafire.com

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5912	PDFHarmony.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133651902121591128"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
5912	PDFHarmony.exe
5912	PDFHarmony.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1228	4948	chrome.exe	84
PID 4948 wrote to memory of 1228	4948	chrome.exe	84
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 4264	4948	chrome.exe	85
PID 4948 wrote to memory of 3816	4948	chrome.exe	86
PID 4948 wrote to memory of 3816	4948	chrome.exe	86
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87
PID 4948 wrote to memory of 1792	4948	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pdf-harmony.com/getPdfHarmony.html?gclid=EAIaIQobChMI9Nu80rifhwMVnWL2CB0m3A2lEAEYASAAEgIyTPD_BwE&campaign_id=21397574353&creative_id=703167045775&adgroup_id=166571168791&placement_id=www.mediafire.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb290ecc40,0x7ffb290ecc4c,0x7ffb290ecc58
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,9362795887971300907,1735462634306704675,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=296,i,9362795887971300907,1735462634306704675,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,9362795887971300907,1735462634306704675,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,9362795887971300907,1735462634306704675,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,9362795887971300907,1735462634306704675,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4576,i,9362795887971300907,1735462634306704675,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=1580,i,9362795887971300907,1735462634306704675,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3840,i,9362795887971300907,1735462634306704675,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5012,i,9362795887971300907,1735462634306704675,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4376 /prefetch:8
  2⤵
  PID:2356

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f23b92b6-d0af-4933-975c-73ece61ce835} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" gpu
    3⤵
    PID:2508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 25787 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89aa81e5-26e8-46cb-94ff-1025bf1e9d4c} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" socket
    3⤵
    - Checks processor information in registry
    PID:4516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 3036 -prefsLen 25928 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9df5ee91-36b2-4e44-9d61-f033dd5a072a} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:3748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -childID 2 -isForBrowser -prefsHandle 4236 -prefMapHandle 4232 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8f37bd2-dfc0-4d3e-ba29-fec464a07c67} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:4520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4736 -prefsLen 31215 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0ef509c-e8bd-4d8a-b556-01cec81d814c} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" utility
    3⤵
    - Checks processor information in registry
    PID:5880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2756 -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5232 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89e8c2b5-0133-41ea-8654-930795149053} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed22f2a6-76d2-4b19-bf04-545b96fdeaca} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15232850-a4a0-4ca3-ad4d-678659d57756} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5892 -childID 6 -isForBrowser -prefsHandle 5868 -prefMapHandle 5884 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c864cee6-8ae5-4b23-b2f0-8c3d2b7e96e5} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5988

C:\Users\Admin\Downloads\PDFHarmony.exe
"C:\Users\Admin\Downloads\PDFHarmony.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
065115b7a9e3c0c4ebb88fb486d62d0c

SHA1
1549038d0ae85c12e8acfb70b5628a62849e9d85

SHA256
724ac29f56a1679e037978bb570dc2e5ae6a4d2b43d0be4f126f733adc12e9ff

SHA512
0bf514ae4b35b0565e779d2a90fda7466a8b7002229290add3b785cdff4847f133552d99f4db94924e2eabacb7043e14f5bd710a8c0d6238b5aafd9788644e5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e16db59e0a3bcd8b0f6e03f1ec7a7948

SHA1
4bc16795d5abfd80a05d419e066d1eff5c0fb5c3

SHA256
10dca132730f1901d8705234e83659a2c0b8493972134d1450b0fda0e55e6d24

SHA512
8ee51b866609949cc2d4d65678d5cac38b144f12ed01b8443c8492c14b33c49d7a60de44e3a49b3390d17b09f67b348aa71ba0fa73b4b319ac39817b79453a7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e4dc643657fab6b557e43fd5965315f1

SHA1
deae740b8847f996b4978b2338e7e1f88ea3e3c8

SHA256
034c8c10e321acfb13020c83f7cf268a8b5a1516401ae86dc5a8acf972da07a7

SHA512
af8f1ce1f33395ca64c40e9a4483f893ebf5bb30ed6ac5ecd955da6354d3200abb79a8c7de0454efe8ccc71915ba9b53dcf11314cde25076baae38607e744beb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0ba07d39b499b2ab1da8dab1c06008dd

SHA1
f58a8b8705a2950f1f14c5912e5cb5a603641ef2

SHA256
e6267f25ee9c2a56a0c12e7623648f6b8c491e6764c74d3aaa7938e8f5da8e9d

SHA512
fb983993eda5175e7ba98352a136a6c69eac6d7399d69a4dacf839e45d53538ba04ac359d14dd8e87c5edeba21f76c1fc9bbcfbe157537fb0e74e10ddd7b389e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5bdcbc470a08f0481bf43b18d43b2880

SHA1
1dbbf0c76436a45d9ba05f38d6e3fed8ff7d3225

SHA256
35d6050bec105977103cf95875800079cbee66e1b9d21d75e3f230b56bcb4adb

SHA512
a8da6e0376ffdac75845dd45d917e09c495058f8a55f56c2e0b4fa6945ce34cefbe4dd675fa6694e5e9969815403696ea0565b0b031b91fbf1fe9bdf8b87998d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c51f6550b7a0648b4e5f7e9702ad9756

SHA1
4a2b4eaa8d5454186ab8ccf713411145bfb2c43f

SHA256
acbb1c3ec98ea1582bf1f69671cc0698bb3faed2747272946aecee3c699e2ffe

SHA512
13f13eebc005704b92800503dde8f248295a0a3886c4e4c38c543dded732a06f9e8fc46bdc08ae5ccd9f26be2f4f39593f7ec166cabb50b58effa8700534d048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
f0bae0ca1cba684f1c72244602087ab1

SHA1
753145ffb90351ad45cadfbf12bbb362b7f02eec

SHA256
edd6d09b85cf17b7420fb3cc6991f0767d21d86fbc1c2f37f74bcd631c247e94

SHA512
a3522d46a653a650131410ea29fc20c7213328834916501188755f480b16be4151c88c14c24935d1b85a1446f3bf0d9459e71d2ea7fde4b0eed737bb348fbf07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
5a8d50a99ce7ebe8a1d4b96fa8b0f3ba

SHA1
47600b09dba61f8bbf176270b7870916fa3ff5cc

SHA256
18d34733cd99789cfdf2c60a79ae4fdc13ad099efe57c07534887fcc39dec1e5

SHA512
1b2dac811cf5526a9e901254d033b8880478e44bb932245b3dba1ccaca21a641627d00f4a78ef91cae1e4c66dce0c22ec88048be89bf758851e97311cf5c4ee0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
82a1d19edd293611329e5581b088b195

SHA1
3c630ea73ff5f234a1323ad175037bd280c14a0d

SHA256
f9850b3b3609b91b5deacca2e886f1320df2b2bd0771aea7aacde7ecfa58687a

SHA512
d3f06d7ada2139f7437971f674671c7623c2d984209fb83fd361cc0e51c40f9724d3148bafe1eb1070d27ce5bc9323e27c1a0bfec7b89b77f80d5cf6867ad462

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\0F1C1C0FA5379D18701FADFD0F51A20E71A14BBB

Filesize
59KB

MD5
3f99c148c8378c3b0dcfcf02ba103fda

SHA1
9241d33f7218727f3c35ce2cf18d8a6e389e965c

SHA256
02c333bce875bde6880d0b04ee7d2e366e040529282902502927e639a950b4be

SHA512
c7c824573b082c51c9187a055e2d38bb085a6948fcdbc314a4315a5a241a6a77e94187d2a267f64047a8cab7c4db3dbd1bb2ad4c037f6e1ae8f4c2d534ca8bf7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\BE7A4C6A4E8CFE054BE55E872B2761CCF3737D69

Filesize
58KB

MD5
7b8ecf37c057c6e5f683efc0bd64c23c

SHA1
8b68e52dc95f37fe3f3af8e1753bc3e81daa954c

SHA256
5326ad61f40d1c9ff5153f794f7007e62ff52adc0ddf9fb762c02ef30dd749d7

SHA512
b4e2690a09bf9c6866ad82384dc234d95a085ceecbed9b40fd3d9f4b05f1cd0239d9015aacd179a5345a69034e5db925a56557845095d345df0822c120b82e7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin

Filesize
7KB

MD5
d74a515af5b2fea9fd7dfea83e3ccb8b

SHA1
8979dcee753b71eb124121d47b4290b8f9bfe8ac

SHA256
1e6b8f748c97cee910cbdadef9d0eb20e8b80c8dc3a15a74a27b175645d7b1e2

SHA512
25475964ac3b16ddc24a28209107d2fab9e4b310ec8251b31f3805d1e55d8ed4f470d299853ee74038d5609308f349a7e99c0d67e71114b937e4956dfefa1d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

Filesize
32KB

MD5
1bd2d3e274d513d8e61a17b9119c673d

SHA1
937126560149866023cd73e29e17946ac58cdcd4

SHA256
c8fb630d88fecf808fae7805c4a07bb1f372e0123bc5bd24c56711f90f3e2f5a

SHA512
363e319409781f03d2cbe0f1fa8543240b392380d46528dc84b183f865bf97f1851f4d79724cfb26e3b8fff2bdfb6c937e307fe82d4f57ab56d8432580f513a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1e3fe4ec32f8c918ff63860d4da6d891

SHA1
867d583562dc4b2620b6e914d4592dca998986f9

SHA256
1433304128fd6a7d76f05362d458a0e0f5f73e112b3a4c0b447864bd17134f9f

SHA512
7bbed34ba0e2f362d6a31a2137ae131995572ef4ea72845862ce2008cb1d275982e8261a0a096fc086f48e413f39d96476e7fa79da02a6b4d0fe7cdf7de54979

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9b8b93ae61f2ed1ed0329caf705b2464

SHA1
436d6c9a22ec15517172830a715234f58c86b408

SHA256
d1730340a4cf2c7f7948c61c1ca16885d3c9f015cdbd1cdad4e773dadd41550f

SHA512
05faf7890dfedb99985e4d3784f6c46dc45a6b039842217623aa7fb2ca7ec37a4a60de636680d651acbec5e8c856b22d1e7356f5a0443e1251517620ed474119

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\0f492a45-9591-4044-b0f6-5f88cc54461c

Filesize
26KB

MD5
ccfd0ad507f317c742af7e513511fa89

SHA1
77eb1aeb9ebad709d0480654e3f51edd7b38d849

SHA256
023871b7c224fe042549e74025511f4395b6d97667799f8116832aedda169af0

SHA512
5c6de0c5839cbf63d691d5dfff0312705682208f3b9f26317219943a4c56c128049a30de7e10ef34778abd74a3ca8ab59c08bd9f0ec0847f39a65c56d42a8c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\22b4b43e-39ee-4605-9e60-896a518dca48

Filesize
671B

MD5
90cb0f4b15d8a7a2ee92ecc8815c6acc

SHA1
98aa79ebf59e59308de1591baacc15aa55b1dc3e

SHA256
07ac9747b8d9674b61073549ffe007980c6dffbeabb75bb414db938bc16689c8

SHA512
366acbe8114375cadb1b70c5aa173d1588f9a4f26d5a68b220f44229471b8594ab823fc8e2ab3baa4d26b023842ccd8997863b1f540d3f0f97a1456169724065

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\49255a8d-5c0c-4ff6-95a3-644b59906288

Filesize
5KB

MD5
aecddbcc666e4c14c2b02da7bbb3df20

SHA1
1d81c85bb77f34331091a31123bc87c2b20b07ab

SHA256
fa72e45ffabdb764b5f8da069c9d98e6d15fd36276d94d03a7a832ed489aab44

SHA512
1bbcfff84782704b2610e604baef358d499618147aa22136feb800a0af41dfce22304564137800a8b8bd331687c85796a1180d8c73e5e3cfabed378439d0e55a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\f1890feb-25b3-4dee-8147-025bd1a08fb2

Filesize
982B

MD5
a42554f0a78e945cc441cc61e994f6ad

SHA1
4af55570c3f6bde9fa4fcd9836b9c5a170e5aa0e

SHA256
ce0cfbb697fbb2d30be2d6772d88eda6db160a9607ec4d65a6adf3f236e91531

SHA512
616566ec475e063431fab9368046ea1942431a7155cde84c50ca8dc27eaf5b5161d3c86305e3607d77ebcc44b35403e0648a9d71bde67276dea94a17855121b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

Filesize
11KB

MD5
ee2c92b08be0f863336b25482378ba6e

SHA1
3dc81bdcc82d3c745501a2025b7207bf26674aaf

SHA256
a3e4b87a6797a23f479acfdcfcec36154febc1926e741492f46b683b0374895b

SHA512
10b4784a35d11d1cf2da765b68da7483d02b1fd7be427dd9f3359e0a00aa4e45fd0e5e4061c51f868a0bd9b77a6ae6728ae49e8d4a764851f20a083e187a6ecf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js

Filesize
11KB

MD5
56c2edc84b4ccc2ff1c53f5e7d63ae2d

SHA1
1bd04db678d299bde08b1df1df9cae41a638439c

SHA256
e4c2980896843f2b04f9549ee1eaf4bdfc92d7c2fd91ccee8f72473fae3f26c2

SHA512
717af393a41b2583326ba34926bb3d270dc379c124ebabeae120674a19f90f2181d8f213ea1d9e36b65e2d5f7f2461649ac3da961dbe7633ed09d662985a339e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs.js

Filesize
8KB

MD5
434d87c659473e5e24e851770569ee51

SHA1
e6b005ddfebacfac7c9d77f031a71120ce19e4af

SHA256
31baeae197360e57ae8053a1a578b49722e60928c0dba5fbd975ee173cae9b80

SHA512
f5aa547c3b01829d11d35c571b403f1e713a33b2ee566180709ec2ec8d077a10b1bee89364e7f7564c2f36c086cbd7d29a13a88ccc3b6b2d04cd721ace55bfdf

Download Submit
C:\Users\Admin\Downloads\PDFHarmony.exe

Filesize
8.0MB

MD5
ed43b217040a609161c5cf78ec7be453

SHA1
5bc2f13aecc61677787b138d2ce3b24d875d1166

SHA256
b1019e3d8f24a12e52856c985f29297fb07eacbb2d19abf69c73b4bf2e255c7f

SHA512
526e3b903506bae5bd6dc892a44818fb19a7681ac8ec1896f86577375deb2cfddc6b72675ae96a95bb529644b8dd8de851ec25e6c326100782f2d0c7c377259c

Download Submit
memory/5912-592-0x00007FFB151A3000-0x00007FFB151A5000-memory.dmp

Filesize
8KB

Download
memory/5912-593-0x0000019991980000-0x0000019992188000-memory.dmp

Filesize
8.0MB

Download
memory/5912-594-0x00007FFB151A0000-0x00007FFB15C61000-memory.dmp

Filesize
10.8MB

Download
memory/5912-596-0x000001A1AF7D0000-0x000001A1AFF76000-memory.dmp

Filesize
7.6MB

Download