Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-07-2024 03:22
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win10v2004-20240709-en
General
Target: XClient.exe
Size: 38KB
MD5: 40fd7f5d00604ab1cc3abf3125acce25
SHA1: 7c5e873cdc6cc1441f35e3eb5359b90adf2b6312
SHA256: a43ffa9b770fee9756cb922845498e312a0c46db2bd050808c437f2015901a7c
SHA512: 494b8492dedc35d27c42b5131c076c792ebdcf72514a540c9905edb4796e92ee8dc94f43dd8b8968c83128d0c6d2f31e7f3ee9ece6950935db165c08a8b1c4dc
SSDEEP: 768:IKpWF9zkAoWaLtTxnbSXFyw9BHs1Ff6rO/hbPyEnlX:IKpWvQAozBbEFr91UFf6rO/xplX
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: t-protecting.gl.at.ply.gg:24735
1EuBk7bTbdnZc8s4
Install_directory: %AppData%
install_file: GtagCosmeticGiver.exe
Signatures
Detect Xworm Payload (2 IoCs)
Processes:
  resource: behavioral1/memory/1576-1-0x0000000000790000-0x00000000007A0000-memory.dmp  yara_rule: family_xworm
  resource: C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe  yara_rule: family_xworm
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload (1 IoCs)
Processes:
  resource: behavioral1/memory/1576-57-0x000000001DDC0000-0x000000001DEE0000-memory.dmp  yara_rule: family_stormkitty
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid 1476  powershell.exe
  pid 548   powershell.exe
  pid 2152  powershell.exe
  pid 1136  powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation  XClient.exe
Drops startup file (2 IoCs)
Processes:
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GtagCosmeticGiver.lnk  XClient.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GtagCosmeticGiver.lnk  XClient.exe
Executes dropped EXE (3 IoCs)
Processes:
  pid 4144  GtagCosmeticGiver.exe
  pid 468   GtagCosmeticGiver.exe
  pid 4496  bbplsq.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GtagCosmeticGiver = "C:\\Users\\Admin\\AppData\\Roaming\\GtagCosmeticGiver.exe"  XClient.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 18  ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 24 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (all by firefox.exe; the 24 IoCs grouped by registry key):
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (x5)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  (x5)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  (x4)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (x4)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  (x3)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  (x3)
Modifies registry class (1 IoCs)
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings  firefox.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid 452  vlc.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid 548   powershell.exe  (x2)
  pid 2152  powershell.exe  (x2)
  pid 1136  powershell.exe  (x2)
  pid 1476  powershell.exe  (x2)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid 452  vlc.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 1576  XClient.exe  (x2)
  Token: SeDebugPrivilege  pid 548   powershell.exe
  Token: SeDebugPrivilege  pid 2152  powershell.exe
  Token: SeDebugPrivilege  pid 1136  powershell.exe
  Token: SeDebugPrivilege  pid 1476  powershell.exe
  Token: SeDebugPrivilege  pid 4144  GtagCosmeticGiver.exe
  Token: SeDebugPrivilege  pid 4304  firefox.exe  (x6)
  Token: SeDebugPrivilege  pid 468   GtagCosmeticGiver.exe
  Token: 33  pid 4828  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  pid 4828  AUDIODG.EXE
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid 452   vlc.exe      (x8)
  pid 4304  firefox.exe  (x56)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  pid 452   vlc.exe      (x7)
  pid 4304  firefox.exe  (x57)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid 452   vlc.exe
  pid 4304  firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  PID 1576 (XClient.exe) wrote to memory of 548  (powershell.exe)  (x2)
  PID 1576 (XClient.exe) wrote to memory of 2152 (powershell.exe)  (x2)
  PID 1576 (XClient.exe) wrote to memory of 1136 (powershell.exe)  (x2)
  PID 1576 (XClient.exe) wrote to memory of 1476 (powershell.exe)  (x2)
  PID 1576 (XClient.exe) wrote to memory of 1740 (schtasks.exe)    (x2)
  PID 2200 (firefox.exe) wrote to memory of 4304 (firefox.exe)     (x11)
  PID 4304 (firefox.exe) wrote to memory of 4520 (firefox.exe)     (x43)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\XClient.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GtagCosmeticGiver.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GtagCosmeticGiver" /tr "C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe"
      - Scheduled Task/Job: Scheduled Task
  [2] C:\Users\Admin\AppData\Local\Temp\bbplsq.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\bbplsq.exe"
      - Executes dropped EXE
[1] C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe
    command line: C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Program Files\VideoLAN\VLC\vlc.exe
    command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SavePublish.M2TS"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
[1] C:\Program Files\VideoLAN\VLC\vlc.exe
    command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SavePublish.M2TS"
[1] C:\Program Files\Mozilla Firefox\firefox.exe
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33d9751f-61f3-45a4-a862-bb6d9d781816} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" gpu
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 25789 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ee5af6-abf0-49bd-849f-d543d0f9656c} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" socket
        - Checks processor information in registry
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3284 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2956 -prefsLen 25930 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad4d01f2-94cf-4302-8ed4-aea216e4014b} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3772 -childID 2 -isForBrowser -prefsHandle 3784 -prefMapHandle 3832 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3769bf2b-5f21-4002-b1d2-c528c94ea00e} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4460 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4488 -prefMapHandle 4484 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c10fcce-2ac7-424d-87a3-93d6d1324ab3} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" utility
        - Checks processor information in registry
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c81a411c-b6b6-47f0-9881-07a89743c01b} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5720 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44fd90b4-7520-4e05-982c-4b223cc8f417} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5940 -prefMapHandle 5948 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15a70e42-60eb-4ac7-bd6d-ac98ce43b7e7} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
[1] C:\Program Files\Mozilla Firefox\firefox.exe
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
[1] C:\Program Files\Mozilla Firefox\firefox.exe
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
[1] C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe
    command line: C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\AUDIODG.EXE
    command line: C:\Windows\system32\AUDIODG.EXE 0x408 0x520
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GtagCosmeticGiver.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 77d622bb1a5b250869a3238b9bc1402b
  SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 63aec5618613b4be6bd15b82345a971e
  SHA1: cf3df18b2ed2b082a513dd53e55afb720cefe40e
  SHA256: f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721
  SHA512: a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 4165c906a376e655973cef247b5128f1
  SHA1: c6299b6ab8b2db841900de376e9c4d676d61131e
  SHA256: fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4
  SHA512: 15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 18KB
  MD5: f058c0bfd3f016ff04af0fe62c279cad
  SHA1: 697a36f5059b623f236d94d705d8821bbf447720
  SHA256: cd0c06c298eb0076ddc77d0292b29432bafffd09a23d14f1b15e992844a956ed
  SHA512: f11bb8cd1e81c1b5f943bbc4e25615f5c7c2a33f288ed88971b3b8ea270690c254ef04766a862a4c62216e7f457d99bfc4d83592d0e65b52dda13f4d04a979d1
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hjlxof14.abo.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
C:\Users\Admin\AppData\Local\Temp\bbplsq.exe
  Filesize: 131KB
  MD5: bd65d387482def1fe00b50406f731763
  SHA1: d06a2ba2e29228f443f97d1dd3a8da5dd7df5903
  SHA256: 1ab7375550516d7445c47fd9b551ed864f227401a14ff3f1ff0d70caca3bd997
  SHA512: 351ecd109c4d49bc822e8ade73a9516c4a531ebcda63546c155e677dcff19708068dc588b2fcf30cad086238e8b206fc5f349d37dda02d3c3a8d9b570d92e4d9
C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe
  Filesize: 38KB
  MD5: 40fd7f5d00604ab1cc3abf3125acce25
  SHA1: 7c5e873cdc6cc1441f35e3eb5359b90adf2b6312
  SHA256: a43ffa9b770fee9756cb922845498e312a0c46db2bd050808c437f2015901a7c
  SHA512: 494b8492dedc35d27c42b5131c076c792ebdcf72514a540c9905edb4796e92ee8dc94f43dd8b8968c83128d0c6d2f31e7f3ee9ece6950935db165c08a8b1c4dc
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GtagCosmeticGiver.lnk
  Filesize: 823B
  MD5: 714933964af9d9c57ab098ea2f766f67
  SHA1: 346594e15d730728754004067ef9253793707f3f
  SHA256: 32c935a9bcdc8ef95a8dd943f9834c70b9d519891008a9c5fa81ecd942a9b242
  SHA512: 14a9aedaabeed2ee45ec22d9870829b11ce99402619ec4b07542f21c54ede79c2a61643debdaa97a44458ad2f72d8d3c218a51b3e6114306b86a0bff6c697f2e
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\AlternateServices.bin
  Filesize: 6KB
  MD5: 8e12a86a8f85c892c9c5a7eb15671019
  SHA1: 930dda8e9ea2ce7e841e6e1b21481067e0dc04f2
  SHA256: 99f77159c3858c263c3665e1e8b1461759f3fe0674e1c1e4f8477cd780296f7b
  SHA512: b1c6035a2f7d95e86cbcc3319d6c69b7fc27b1849064fe6235e4d253bbe97003ca7b4778599b45f2a5e2a330cfa2359f99f33c13f618a6b1595a16c5d44513a3
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 22KB
  MD5: dd95d66db3410293e26f2d5733f0fa8e
  SHA1: fe9860b7bbd5fb28069229efb716219f65ae51e9
  SHA256: 4ba4ca0e7a1864600b2cf0038878510845e9485af93c4367481b7dcd15c2ffc6
  SHA512: 3827f00819754e40e945b632c0a410b22539bfdf0c91c7a62e2d35623a65029d3674b575bab504f0f9ee599d2042df853b53475dd4fd72d4823b0745f98ec28b
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 21KB
  MD5: 37bba839c8b30d381eb797a46497e9ea
  SHA1: b27d636af1557c706e8055ea395b86dcb431cd21
  SHA256: fecfac36109a7a463571bb82edae75885d2f1c83ee754c652b80239511c4c5af
  SHA512: 1c36511600d3549641de74c5620bb8f731aef89e668a7b83e18223d90c9b44aaf0439d19c6669a4f84253cf3cdbc7541ae57548cbdaf9b42abe63d9ea1bfc2de
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 22KB
  MD5: c2dabad1a62b63d9dbc902e9f6a573a0
  SHA1: 371609f590c447285b401aec0c3c1744461b2b50
  SHA256: 408c5af50a9cc4a705fcc0293283f27cb8b1571e4a578f15279b08478a92a140
  SHA512: 6bb0285d8f318e7e0e15325ea77a8efd8821e5e789de370c5d8f06dae2d1e7851955b4f98085e77dcc1841dffd652d2978a2c0b235e61d796296240845f47ab5
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\1507d9a3-c0d2-4af1-9c68-d2586fa35b64
  Filesize: 982B
  MD5: 761acf532df1ab6f0747ee606fcd454c
  SHA1: 6cbbaa8778b592b8b89bfd56a3c0d2bfd50501d7
  SHA256: be3a52f2b2b0c85913ff5ddee0706a56cfb06f7b518d7bfb464f1c76d9726c4a
  SHA512: 6310b63719489e947aacca18266dde8ccc28e8eb9f87373e98b5a5d5773cdec2cec5790971465657a36d6899b55f0e31d80e3d876f05660b4af6eeb07e726acb
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\1cb04339-5421-40c0-a1ed-1dcb6bd908ef
  Filesize: 659B
  MD5: 5e31017e8e9e2f8afbf7b9624e9b01ac
  SHA1: a528a935e7546cefc5258afd4dd6001a1b715441
  SHA256: 7c3f2acc3b4dc3811e054cb469127ac736427951cf1f7f9cb9b0e9234b3176da
  SHA512: 65b57dd14d7343c3ee3ac50689919255712a3ad4ec85dfaefd9eced743f0c5cec9c089741b5b3e45eec82bb8a051ffaf816262351b0861060cb7fe7bbb6d540e
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs-1.js
  Filesize: 10KB
  MD5: f6a766e4c70b2b22418b7ce43b01b10d
  SHA1: dc0ff96917a1755f66204447ebe57aa471d4f1e8
  SHA256: 01d56a4fb96afce34ad83f1b2d799b59fb106ea2909e8704889fb77ef7106df4
  SHA512: ac176cc9d0491b3cf0f535569d77ecd411e295b97414401e38c0b8fa4dc043ecfb3247210b5ec9c2c9d70b9baff647820338103e81a5ae4b90fd7a6dbaae4bc7
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs.js
  Filesize: 8KB
  MD5: b759a48a1f709035e74528cc6f47c5fb
  SHA1: 9c2a1c8bc069157d72ea76daf944a9b0c81b85f7
  SHA256: 14101a450a352e958a953da6579fa139d1171ccaa4c03dd4274970519d3fd296
  SHA512: 4b1647a2a27ccc4202fdd54ca856be5e484fb8191ae8aea13b095a8b4efbffee556985b5f15b97ac9fa9a7e8ade41351e0328546c073ae4bf900de3a071f4246
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\sessionCheckpoints.json
  Filesize: 288B
  MD5: 948a7403e323297c6bb8a5c791b42866
  SHA1: 88a555717e8a4a33eccfb7d47a2a4aa31038f9c0
  SHA256: 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
  SHA512: 17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a
memory/452-417-0x00007FFCCD4B0000-0x00007FFCCD4C8000-memory.dmp  Filesize: 96KB
memory/452-429-0x00007FFCC08D0000-0x00007FFCC08E1000-memory.dmp  Filesize: 68KB
memory/452-527-0x00007FFCB00E0000-0x00007FFCB1190000-memory.dmp  Filesize: 16.7MB
memory/452-425-0x00007FFCB00E0000-0x00007FFCB1190000-memory.dmp  Filesize: 16.7MB
memory/452-426-0x00007FFCB6C90000-0x00007FFCB6CD1000-memory.dmp  Filesize: 260KB
memory/452-427-0x00007FFCC5650000-0x00007FFCC5671000-memory.dmp  Filesize: 132KB
memory/452-428-0x00007FFCC8110000-0x00007FFCC8128000-memory.dmp  Filesize: 96KB
memory/452-430-0x00007FFCC0210000-0x00007FFCC0221000-memory.dmp  Filesize: 68KB
memory/452-431-0x00007FFCBAFA0000-0x00007FFCBAFB1000-memory.dmp  Filesize: 68KB
memory/452-432-0x00007FFCB2AD0000-0x00007FFCB2B2C000-memory.dmp  Filesize: 368KB
memory/452-415-0x00007FFCC9A30000-0x00007FFCC9A64000-memory.dmp  Filesize: 208KB
memory/452-418-0x00007FFCCD3F0000-0x00007FFCCD407000-memory.dmp  Filesize: 92KB
memory/452-419-0x00007FFCCD340000-0x00007FFCCD351000-memory.dmp  Filesize: 68KB
memory/452-420-0x00007FFCCA050000-0x00007FFCCA067000-memory.dmp  Filesize: 92KB
memory/452-421-0x00007FFCC9340000-0x00007FFCC9351000-memory.dmp  Filesize: 68KB
memory/452-424-0x00007FFCB2490000-0x00007FFCB269B000-memory.dmp  Filesize: 2.0MB
memory/452-422-0x00007FFCC8F00000-0x00007FFCC8F1D000-memory.dmp  Filesize: 116KB
memory/452-414-0x00007FF77D020000-0x00007FF77D118000-memory.dmp  Filesize: 992KB
memory/452-423-0x00007FFCC8EE0000-0x00007FFCC8EF1000-memory.dmp  Filesize: 68KB
memory/452-416-0x00007FFCB18F0000-0x00007FFCB1BA6000-memory.dmp  Filesize: 2.7MB
memory/548-5-0x000002297F640000-0x000002297F662000-memory.dmp  Filesize: 136KB
memory/548-15-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp  Filesize: 10.8MB
memory/548-18-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp  Filesize: 10.8MB
memory/548-3-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp  Filesize: 10.8MB
memory/548-4-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp  Filesize: 10.8MB
memory/740-107-0x00007FFCC9A30000-0x00007FFCC9A64000-memory.dmp  Filesize: 208KB
memory/740-115-0x00007FFCCD3F0000-0x00007FFCCD407000-memory.dmp  Filesize: 92KB
memory/740-106-0x00007FF77D020000-0x00007FF77D118000-memory.dmp  Filesize: 992KB
memory/740-108-0x00007FFCB18F0000-0x00007FFCB1BA6000-memory.dmp  Filesize: 2.7MB
memory/740-116-0x00007FFCCD340000-0x00007FFCCD351000-memory.dmp  Filesize: 68KB
memory/740-114-0x00007FFCCD4B0000-0x00007FFCCD4C8000-memory.dmp  Filesize: 96KB
memory/1576-100-0x000000001C4D0000-0x000000001C4DC000-memory.dmp  Filesize: 48KB
memory/1576-101-0x000000001E4E0000-0x000000001E830000-memory.dmp  Filesize: 3.3MB
memory/1576-0-0x00007FFCB9F53000-0x00007FFCB9F55000-memory.dmp  Filesize: 8KB
memory/1576-99-0x000000001B480000-0x000000001B488000-memory.dmp  Filesize: 32KB
memory/1576-97-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp  Filesize: 10.8MB
memory/1576-96-0x00007FFCB9F53000-0x00007FFCB9F55000-memory.dmp  Filesize: 8KB
memory/1576-57-0x000000001DDC0000-0x000000001DEE0000-memory.dmp  Filesize: 1.1MB
memory/1576-98-0x0000000000F60000-0x0000000000F6E000-memory.dmp  Filesize: 56KB
memory/1576-2-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp  Filesize: 10.8MB
memory/1576-1-0x0000000000790000-0x00000000007A0000-memory.dmp  Filesize: 64KB