hxxps://gofile[.]io/d/LOwIP7

Resubmissions

01/09/2024, 13:41

240901-qzjg9aserf 4

01/09/2024, 13:40

01/09/2024, 13:39

01/09/2024, 13:37

01/09/2024, 13:34

01/09/2024, 13:28

01/09/2024, 13:25

Analysis

max time kernel
231s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 13:28

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://gofile.io/d/LOwIP7

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696710048234502"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "198"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
5728	msedge.exe
5728	msedge.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeManageVolumePrivilege	2344	svchost.exe
Token: SeDebugPrivilege	3464	firefox.exe
Token: SeDebugPrivilege	3464	firefox.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3708	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 1412	4896	chrome.exe	84
PID 4896 wrote to memory of 1412	4896	chrome.exe	84
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 1000	4896	chrome.exe	87
PID 4896 wrote to memory of 3708	4896	chrome.exe	88
PID 4896 wrote to memory of 3708	4896	chrome.exe	88
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89
PID 4896 wrote to memory of 3416	4896	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/LOwIP7
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd761ccc40,0x7ffd761ccc4c,0x7ffd761ccc58
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,2019342586361984513,5895651437322432851,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,2019342586361984513,5895651437322432851,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,2019342586361984513,5895651437322432851,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,2019342586361984513,5895651437322432851,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,2019342586361984513,5895651437322432851,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,2019342586361984513,5895651437322432851,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,2019342586361984513,5895651437322432851,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4788,i,2019342586361984513,5895651437322432851,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1568 /prefetch:1
  2⤵
  PID:2136

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1332
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd0dc0f2-a271-4997-adcf-03731253d181} 3464 "\\.\pipe\gecko-crash-server-pipe.3464" gpu
    3⤵
    PID:1648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {991a7ad6-3782-4f94-930e-d714d97dd3b4} 3464 "\\.\pipe\gecko-crash-server-pipe.3464" socket
    3⤵
    - Checks processor information in registry
    PID:1804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1504 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 1492 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4aa8301-bd6c-4736-800a-17ae26e81da7} 3464 "\\.\pipe\gecko-crash-server-pipe.3464" tab
    3⤵
    PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 2820 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72bce722-cc59-4453-b3f0-01973f7980d6} 3464 "\\.\pipe\gecko-crash-server-pipe.3464" tab
    3⤵
    PID:4512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4592 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4616 -prefMapHandle 4612 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {331ec6d7-6b82-4da3-b802-5848ad06a879} 3464 "\\.\pipe\gecko-crash-server-pipe.3464" utility
    3⤵
    - Checks processor information in registry
    PID:1040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 3 -isForBrowser -prefsHandle 5144 -prefMapHandle 5200 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1064546d-06f7-4096-9773-61b40325cdd4} 3464 "\\.\pipe\gecko-crash-server-pipe.3464" tab
    3⤵
    PID:5688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 4 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a5c448e-0910-4f83-b8cb-29f2d8f56b52} 3464 "\\.\pipe\gecko-crash-server-pipe.3464" tab
    3⤵
    PID:5700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 5 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d91555ed-0af8-4411-856a-3d1e78b62652} 3464 "\\.\pipe\gecko-crash-server-pipe.3464" tab
    3⤵
    PID:5712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6100 -childID 6 -isForBrowser -prefsHandle 6104 -prefMapHandle 6032 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57c2a1ac-2471-4652-956a-57aca20754a1} 3464 "\\.\pipe\gecko-crash-server-pipe.3464" tab
    3⤵
    PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault271d0be2h4fe6h405aha051hae29d96dd278
1⤵
PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd685146f8,0x7ffd68514708,0x7ffd68514718
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,16576564216725153883,17054209096300229619,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,16576564216725153883,17054209096300229619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,16576564216725153883,17054209096300229619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:5548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394a055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
aec8395881c9b21484973a3f890b81f1

SHA1
7eabac13dc54674e497670be1d6273efbcaf625d

SHA256
f54bf2ff799bcdb743592bd2b1166a2edeca4ef7a1153ac554a167faa4d37550

SHA512
567329968c8827e4a2525c37db14ede9c98582922e5c4d802fbeeeea91c2baf24f2a9798067bad29012d45a88b8744620060455504f6921357c2049ba07e56dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
bac5c47c7c4e00880dcdc6421ed1beb8

SHA1
4b132300a0e6524f109fe6a77c42c17f85550297

SHA256
c5de8800cebbce734cbb75b9c07cdb431bec0adc2ab2ee0a15393503a2cee307

SHA512
d5e82a048dde4dc2e87d6b41adda72f237ddd299b54110633b474347f8bba04c519f035909a023de810a966d28628eb79069c6de08058a1332a759ec75a78872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
73a222a1b8df386980ee43d0b603e07a

SHA1
517c910a7905ca62646179456245f828531d3b15

SHA256
8f2c8ac29560e4f48f0464c08ed8463b8530ca073f291311b9dbc54843deb84e

SHA512
1bd787165130491d9d8be3d9adcda8967374316f4d868a5ca81a11b2bec04f5b856de3e0b246bd871539a1cd5fee65d39ee460631a19def979589c7be975e089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5059489d7e7aa9e39e7a1dfd06e49021

SHA1
3cfe700459e954a8925c95d31977dd81d611e265

SHA256
71c3019646feb52316d37a2defeedc65d3a9df8cac625f3825a5225942134b4b

SHA512
bf34047cc883f76714f014dabc3b550c342bc28429bdba48024d7d3b361873f4b4b7855258195393919afe4df66fb1a70a1054e36ccc40849a66dd8d315f81d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
2bcbdeead2cc962f5981aea0fd3da7e4

SHA1
1e597f556608d6919b49669eb8fd1c24c903c0a1

SHA256
2beffeaf54f56a3e867f1c4e3176b4b8cea6e574f336f03ea4bb3c369b78fdfb

SHA512
d6dc28c910c42a604ab281bfa53864003459f78c326db388176626e1ca02b027be39076a41cfc2e8c75528b8414cb33ceded279db943d59db14bc933631dd0ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
662028af6b7eeea680884597002a7295

SHA1
2d119197094dd0e9decd480c468908455a706eff

SHA256
ced4dae9f0ae414af0ff186111560130f1f9d08973e0473b54bf66d33d1f4bd5

SHA512
3f7cf8e6401bee30d060a371d59f984aebe170643910b52a9efe26ca5cfedb439c2e1d2df2bd5a3a92d9032f313dc6c612a21dd6c7fa18d2505a9e3a895e498d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
292786ff21f2df4114a186b4faaf4c87

SHA1
d989296008d30ffad6708ae28a0b6cb15b799213

SHA256
72b1a488bcded93c37ec941ba089b96684cfeb9f96cd4fcc757a10b63c9d2e5c

SHA512
3c38d711ec1266954e11c23a94e08dba0cfba49584f6cd991ce14b1fd71aef8647af6154765d241ab407907b8944c510439638db103c2779008306cdc7d125f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
0ae5008cad1e80a0fdfa3cce882e2406

SHA1
4e55a82dd7a511602618d6fb30dcb2be41a454d3

SHA256
dffe249bbea2c2ae3ac7d4d8707ea5da8637eb73409cf0af44c21e9e2479b7cb

SHA512
3ef818e78aa746ea7465018bdef3610bec91e40aa9c6ac42440b26c6a4c159bcb8c86caf6d32eec48fbdc20d97a93560deb864b2a4520b8d85218c21b73229d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
180bf901356bfc467e5186d6246249a6

SHA1
2201a16baf3a1621484a905b840552d97f27f461

SHA256
215d33abdaec9ccb5dbfbb84ef14f98a3eb425b0b54a842ed39f90ebaecc6887

SHA512
b154c84e379333fdb8e4968bb07ff2102567c019696b93c548198babd7f2fe136609ffb087b239a8594af9fa83865807415c25838a9335a2c4644d57f404cfdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1097df4d7b64eaf57d60f12826ab4c67

SHA1
907a1d8f4036fd87282bebc59b7e717b20163719

SHA256
3d958f48a5f3e8c613a498b5493b49380d5c0e1061be59df83a306a15066f781

SHA512
c4f7f9ade8dea2557226001362c3b713699402f7b9feb8467e0e57d390ebc3a46a985e470521d94f3d0bb8febdfc5b5e8bf6c9f70f32ec2f7a5bf4a3ae4a73f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
95adff852e33a160f6675e9fb7f05d8d

SHA1
38236ef11edde9dec50e451e3bcf8ea6b546036d

SHA256
80742d3c06ba029d446ec7aed1352bde12c29df1b0ad1cdb74dabd26ae7a9a4b

SHA512
6bb1b1475036c514599e3f267aabc3d72244cf7a925d9eedcbd8aff42459b605d4a6c3f5a356d665838caccbba9336879b03afedae8b19a2e001c09d67b75814

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
fc9cd48d2ac09b284be5c11be4d4e6b3

SHA1
1e1c316d0aa7ef361c8896083546dc461115a867

SHA256
fc23d1ff6cc5663cda9c406e7738df9b78328001ec125d95a2ea4ce44adea12e

SHA512
0a1894c51a319f4cabcfe7aa2f002c37ac4b40231d23c3b57137f17f2631afb44819144deb4a74d9336d6976c71f6063e62f43df35d1b2cfe9fd831f612e8004

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
35632bd8f46d736120e5d79bf7e99895

SHA1
d3311efddfb75216bf5440641dfbb059998a1550

SHA256
06dd56b487ce06bfdb49bbe596cd49ee1063930fde9da1fd6d64a059ea86efb9

SHA512
e9840762646f3832b6fcdb9c7287585f361abd5b7d8200d3d1660c410874be317b00e890bb2a395e40da281e6e910da4eeebaf08ce3b33b54448cedae4122829

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\09c8cfdc-fcde-4dcb-ab4b-3a246fb53ef1

Filesize
5KB

MD5
ddb717dbb6b785e1b54ba4266475c8eb

SHA1
abbdff47d5d989fc37d7c3343a164b0e82e5bde6

SHA256
8eda3f7eebfe4f4207fb7b0fbec6788f80c526b7895cec562a64918a2c4afbe2

SHA512
34cb4a1996c9d3ea9e77b196da856243f1e1dd3f1e8ec05769ce754b886c577d8b5219ca9900390aaa7449610539a2c354641b84fa0495404db248385c7d46c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\0ea1c9de-17f0-4ffb-a36e-64d449596905

Filesize
982B

MD5
a344127314f7a01e0774e568dd591b3e

SHA1
76172167ed480b8772411fe972b4f8f4249a490b

SHA256
a38b5b350ad31f37c218203d61ecd16af5274b168cb0065f72352d589ab72273

SHA512
d3d81928fb61537851b6fbb74836fabb6ea881f6b38ee94262eef0e8be033ea5ae59992223489bc7e766fa93f91a9b337e5d4e326c46dacf8aeab31df226791f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\cc6e2d26-a9fd-4be2-bd39-68a205902adb

Filesize
671B

MD5
9442d34edf98da391cd0f7e52fe7039b

SHA1
f2a225ad118180b8f6d99529625d5fe6ba8d8e02

SHA256
cb7dff66b72302f66c3d4b2a469229f43d67e934084584360ecec0a1a1f99ec6

SHA512
10291fc5446a40b484792be980f2eaf92844af519848881b721607f2e60339ceda2bcb27b29eee4cd925a9b9f3b659ae02116826ac6be458a5b32efefa68fd0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\fc88a793-03ab-45a3-acf5-1010cfbc4153

Filesize
25KB

MD5
0b4e9659d2cfcaec8aed2960a8cfedd3

SHA1
9f97e1843ee4bbd42bdb544a2c53c2df358133f3

SHA256
ac0dd40e84020b88ba32ab4b851b1975f90092154635d539ce003907eb9353ec

SHA512
4fbf515870065637ebb88957fbc36951ed85c95ffb18b9746a68c04272a93e169fcc0f56baf20d5585525b4c7122d2b17ab1d028467c934a8b2494d0962a7958

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
10KB

MD5
eaebbf2db5e5a83bae6a986c7b1dbeaa

SHA1
bc5e9cd3b09690446b1209f2c9610f84fe1d9570

SHA256
eb2af32346a02dbbd91f08b549934d272b9f8d27295c137a6af57743455a6762

SHA512
588df1f326fa8c9110d489fb169f1d5f6656eeb68b6215bb7bf1c5f926132b85b8a631e364e8d28c01cea8314d84471c55a2147c233273a3d7ace64001ac6de8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

Filesize
11KB

MD5
604e656e6ecf720afd8c2df0656968a9

SHA1
a377726294026d74c838f2179113262fc1ff5779

SHA256
057253500ca03fcfa49be833e26875420b6d9801fbea950b6ad0c45df8aee170

SHA512
7710c2f2c0ca90a136aa78b8def5ca4e2b5272bbb55ad64e78e0f1e4a1ed1abc2fdf99a694cfe0e5d9c18cfe7e617628e56c24e61a624f1b28cfc45354fb5594

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
68854ea5cee03148626a8a006fbb5a56

SHA1
77a208f16976b8e46fe2b52b2fd0534e1390dc1e

SHA256
3dac566a39fb52a0f333cfaa19b47be69d09b3930ec1c30ddbe5b3979a0993e0

SHA512
1bb3ddd303481992161e595e10c11043e447a2d8b04c25ec35ee8cda3cef87045285185f0c16a3898151c788cedf42764e3770f473f366bb6424f8264fd3c239

Download Submit
memory/2344-239-0x000001DCAD6B0000-0x000001DCAD6B1000-memory.dmp

Filesize
4KB

Download
memory/2344-238-0x000001DCAD5A0000-0x000001DCAD5A1000-memory.dmp

Filesize
4KB

Download
memory/2344-235-0x000001DCAD570000-0x000001DCAD571000-memory.dmp

Filesize
4KB

Download
memory/2344-237-0x000001DCAD5A0000-0x000001DCAD5A1000-memory.dmp

Filesize
4KB

Download
memory/2344-219-0x000001DCA5240000-0x000001DCA5250000-memory.dmp

Filesize
64KB

Download
memory/2344-203-0x000001DCA5140000-0x000001DCA5150000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads