chaos | 5560a7aa16362f2783af483ae2e92ef7ad73fef414aa39641c07734f720c2624

Analysis

max time kernel
135s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adadadada.exe
Size

42KB
MD5

423e608ecb3df0edeed33a1e7f1eaeaa
SHA1

fc78ae3736d06e81c0bb6e0d1cdea08ce3143174
SHA256

5560a7aa16362f2783af483ae2e92ef7ad73fef414aa39641c07734f720c2624
SHA512

08c6317b68c8bd117e062f13bdca098986ff7fbd93ec4a4e6a41d9a0e51870da71e0845e87cbd2df639c57a15fdc89cba52c01f420a34bf991304471e534b807
SSDEEP

768:Z3qo2LfZpULbTz8gr93bxXTVeVDC1SRUSnSk5mzAz2URJNZovB9VqiE7bYec:0o2I/8gr93bGVhtSLzk2UR+v7Vutc

Score

10^/10

chaos evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/4004-1-0x0000000000480000-0x0000000000490000-memory.dmp	family_chaos
behavioral2/files/0x000c000000023b50-11.dat	family_chaos

Chaos family
chaos

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3012	bcdedit.exe
2680	bcdedit.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	adadadada.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
5116	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4esepqykq.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1028	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5116	svchost.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
4004	adadadada.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5768	OpenWith.exe
5820	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4004	adadadada.exe
Token: SeDebugPrivilege	5116	svchost.exe
Token: SeDebugPrivilege	1724	firefox.exe
Token: SeDebugPrivilege	1724	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe
1724	firefox.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
4776	OpenWith.exe
1724	firefox.exe
5768	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe
5820	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 5116	4004	adadadada.exe	87
PID 4004 wrote to memory of 5116	4004	adadadada.exe	87
PID 5116 wrote to memory of 3232	5116	svchost.exe	96
PID 5116 wrote to memory of 3232	5116	svchost.exe	96
PID 3232 wrote to memory of 3012	3232	cmd.exe	98
PID 3232 wrote to memory of 3012	3232	cmd.exe	98
PID 3232 wrote to memory of 2680	3232	cmd.exe	99
PID 3232 wrote to memory of 2680	3232	cmd.exe	99
PID 5116 wrote to memory of 1028	5116	svchost.exe	100
PID 5116 wrote to memory of 1028	5116	svchost.exe	100
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 4180 wrote to memory of 1724	4180	firefox.exe	121
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122
PID 1724 wrote to memory of 216	1724	firefox.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\adadadada.exe
"C:\Users\Admin\AppData\Local\Temp\adadadada.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3012
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2680
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2112 -parentBuildID 20240401114208 -prefsHandle 1764 -prefMapHandle 1824 -prefsLen 21257 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e3391ab-b8a5-4ba7-8a45-3693a51852a0} 1724 "\\.\pipe\gecko-crash-server-pipe.1724" gpu
    3⤵
    PID:216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1596 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 21257 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90420fe7-1a4e-4ae0-ba8d-216e17da6d8d} 1724 "\\.\pipe\gecko-crash-server-pipe.1724" socket
    3⤵
    - Checks processor information in registry
    PID:1836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 21326 -prefMapSize 243020 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4c07cb5-0726-4bdd-bb96-57bd65acfe0a} 1724 "\\.\pipe\gecko-crash-server-pipe.1724" tab
    3⤵
    PID:532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3568 -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3536 -prefsLen 22178 -prefMapSize 243020 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eea6e5a-dc72-4907-a445-9c60b532a004} 1724 "\\.\pipe\gecko-crash-server-pipe.1724" tab
    3⤵
    PID:1488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4612 -parentBuildID 20240401114208 -prefsHandle 4648 -prefMapHandle 4644 -prefsLen 28819 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a060eb1-9610-4545-941a-cafd36d58f34} 1724 "\\.\pipe\gecko-crash-server-pipe.1724" rdd
    3⤵
    PID:5708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3144 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3132 -prefMapHandle 3464 -prefsLen 30557 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d21bd2b-615e-416b-9385-a4ec9f5485e9} 1724 "\\.\pipe\gecko-crash-server-pipe.1724" utility
    3⤵
    - Checks processor information in registry
    PID:6372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 3 -isForBrowser -prefsHandle 2100 -prefMapHandle 3668 -prefsLen 28585 -prefMapSize 243020 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4d16b7f-13bf-4bc2-90f4-0d86d53db698} 1724 "\\.\pipe\gecko-crash-server-pipe.1724" tab
    3⤵
    PID:6468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5284 -prefMapHandle 2100 -prefsLen 28585 -prefMapSize 243020 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42345685-b433-44be-8832-b7c68f3feb44} 1724 "\\.\pipe\gecko-crash-server-pipe.1724" tab
    3⤵
    PID:6504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 5 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 28585 -prefMapSize 243020 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f07495ca-70f0-4a74-a2ae-14d690eebc55} 1724 "\\.\pipe\gecko-crash-server-pipe.1724" tab
    3⤵
    PID:6616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0bb5da89a4d415ee1819520e031c2732

SHA1
8813eab97555e375b7aa385997ccbf97e8e9b45c

SHA256
50a451300b849795189ab98d815a6bebebd55d9fcf7a77e604f21cc05b797765

SHA512
5df4221e0a7528fbb46bdc2dc1b6e816e5551d590ee1361c99830ff6c822964c2dc84edb79dbbdf8c104c878682b4dbdceca0f0c7befbf46b6879d57e8d4b226

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
638946189b5fcb6a776f648abcf7ef66

SHA1
1e1179aa492fca24f196f5b20c872ca02da544cb

SHA256
454c08f38c2b2def5c821beeb5a8a0a6da058a20fbea8bca882f3952231e0fee

SHA512
9caa29ffd558120689dd5301bd6f1d1e612bc364c364c427489990fc28527de1e5a1a53e89c36acd88b8d07f57898662fc47e576093bc5279ecd296972e31c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
40367f58e81d3d72ba8df11d03255f03

SHA1
bb7c7a2f1e606c32fe8366d98e84267beabac002

SHA256
5e3effab374e9898e06cba3c63aa24958ee2ff4afe45771aad0f61ef5c9ff082

SHA512
09ea3f552ac29244e073915356675005693c6cabdd171807d0a332de195b3338d10f52d74a97f186d4f947921460706f63a663811f7c44016e80b18e29e1a985

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2b500f231e74546255692b2ec98a1d8c

SHA1
fd0db46351a0a34f86d4864e014a10838ac408e5

SHA256
e4c8a940ad9e6f74fa54c9db1d14bd534a2aba2429873927244d33cd3ec80971

SHA512
83f070c5622c8c61664967935256c9e02d6f89d27aa7d45bab77bbf6faca70e3101dfbc9ea9bf38367099f00f2616e11ccadfea5fe541d10394fa37d0c08a37a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
524672bdf16125c871e55bb4df1b0860

SHA1
e33cb5bd7b61eac6ce57385e60ce91d0f9c71a48

SHA256
d9bfaae70ad5a5b369e648908237e26239ad2e45281a1a72595b3c78c6e5bcd1

SHA512
369639ca4db709ca56207d97db3a637d1d238e08fb3c2c3334c8354627967ac82325df626d50cf2c78ec8334c458d0c3eb558f78ac3a155d9e8b6066a86077e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\datareporting\glean\pending_pings\42e70d0c-7577-47b3-8384-c543bbff49f4

Filesize
566B

MD5
307683a49219c1e28c3a868a856025cc

SHA1
706f397226b2bb261a33388b18e793bccdbe557b

SHA256
808c3f73f33629fc1e364184a4f5d4a255f53e0c4512d22962647d36a7e7e762

SHA512
4566c968a91a88486e7596be984099662b021958f17665f0db66dc750a2203ff7a994f36238346e84c736dce3414cad080222f26684199848b5f9efcb66e6466

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\extensions.json

Filesize
34KB

MD5
9bea45194c97533a4b127c4e20825131

SHA1
6cf62e50dfca45f31531606641f67f3692409c2d

SHA256
37622c39a7e40bfb9ea9ccec46a031789df49ebf503072299877ae9827399c7c

SHA512
ee0511b343d2f9626cc0755ee5404e69b19d4a18d3ba132c6df6126eb9833932b8581c7a2dfc6556276f7f4d7d1fdfa2c66888c5dd9564319d074ba43bb28ba4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\prefs-1.js

Filesize
11KB

MD5
725b384c59fcf6d30669cd3a3705541f

SHA1
bc44cedfa4f108e38c643dffda4bce1f7e0ef1d8

SHA256
e001ad1b1311c831885dac0d569b6facfd44aa89dfaf466b1d2b02f6969f2317

SHA512
5883e67112b874523567225a97a4ddab85983fc820cc86a40c1ebf9979da87383f7298c0ae1bd3615819cb4f7a189625aff2b0fbe6ea41be0f24b2197f187097

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\prefs.js

Filesize
1KB

MD5
a6c3a787dbee61f5efcc56a65db644b2

SHA1
ad3d54b78805fd52256bb485ecb65938e5d3dc2e

SHA256
03c1e2b0305025d7c229bf6dfb2cac63911990c5ac48f8eabaed25760b7fcaf2

SHA512
8750e1d5fb0003bd33f7e86625758a27c6d49f59b916d15e4c95b312fec9c18d6476b5c26be40ef530f9d0d6ea377a9cfe6d36816c459c7ce09358108f12cd7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\prefs.js

Filesize
11KB

MD5
1e64c53dc24a4428d285f0f9858062c9

SHA1
0364cd013ab9f7aa592e5a4d85bd8c3c5939b3dd

SHA256
77e92f8eca440a21d2353f772d3b3b37398820406c69c02da35c6e1b3c8e1d4e

SHA512
0b5645cb18fe7efc9a158d466feb342e955b77cebc66b6223a705c4227233b6cf37c7054d5f7c24a305ddc5b9b641bb9aae2833cb13c1bbc316ae580772e15df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
48KB

MD5
6ada628f6b987eb467de9e9b4f6b97d3

SHA1
7d1ddffe91df0ca673f266c7ad2159856c2846db

SHA256
ff926eaa701a687f10d22af138c334e8f5a8cf2632dd64d8353af10fff6f862d

SHA512
7a5df97cf3f9ef55908a4181504f904cb784ca4acb63e5cfb67f8081e921fc116e5c9e02a3e1cad3b8199cc34ffedae2fa6c718919a683c2efafd3ac345bf7f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pn4buwn3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
152KB

MD5
39a3f7c19d573ceeccacbb0dde8541f2

SHA1
2fe14ee493f55e98bf13aa34045681f7200b98f5

SHA256
332036d1e4e9dd12e768badc28acd0299af3c4b78c2de56e79d1df9402ae403f

SHA512
172fcff0ee3a73d2c4184f645d91c0e60f31c3b46ee6d70267c2903f98f1314df8c9de1848a55703a9ddc293822a9ff23acdd09959c39b08daabfba765b8433f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
42KB

MD5
423e608ecb3df0edeed33a1e7f1eaeaa

SHA1
fc78ae3736d06e81c0bb6e0d1cdea08ce3143174

SHA256
5560a7aa16362f2783af483ae2e92ef7ad73fef414aa39641c07734f720c2624

SHA512
08c6317b68c8bd117e062f13bdca098986ff7fbd93ec4a4e6a41d9a0e51870da71e0845e87cbd2df639c57a15fdc89cba52c01f420a34bf991304471e534b807

Download Submit
C:\Users\Admin\Documents\read_it.txt

Filesize
964B

MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
memory/4004-0-0x00007FFA9AB13000-0x00007FFA9AB15000-memory.dmp

Filesize
8KB

Download
memory/4004-1-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/5116-14-0x00007FFA9AB10000-0x00007FFA9B5D1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-544-0x00007FFA9AB10000-0x00007FFA9B5D1000-memory.dmp

Filesize
10.8MB

Download