hxxp://roblox[.]com

Analysis

max time kernel
66s
max time network
70s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 11:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://roblox.com

Score

8^/10

defense_evasion discovery exploit

Malware Config

Signatures

Downloads MZ/PE file
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid process

4460 icacls.exe
2956 takeown.exe
1984 takeown.exe
628 icacls.exe
2380 takeown.exe
1096 takeown.exe
Executes dropped EXE 1 IoCs

Processes:

UltraUXThemePatcher_4.4.2.exe

pid process

2864 UltraUXThemePatcher_4.4.2.exe

pid	process
4460	icacls.exe
2956	takeown.exe
1984	takeown.exe
628	icacls.exe
2380	takeown.exe
1096	takeown.exe

Loads dropped DLL 11 IoCs

Processes:

UltraUXThemePatcher_4.4.2.exe

pid	process
2864	UltraUXThemePatcher_4.4.2.exe
2864	UltraUXThemePatcher_4.4.2.exe
2864	UltraUXThemePatcher_4.4.2.exe
2864	UltraUXThemePatcher_4.4.2.exe
2864	UltraUXThemePatcher_4.4.2.exe
2864	UltraUXThemePatcher_4.4.2.exe
2864	UltraUXThemePatcher_4.4.2.exe
2864	UltraUXThemePatcher_4.4.2.exe
2864	UltraUXThemePatcher_4.4.2.exe
2864	UltraUXThemePatcher_4.4.2.exe
2864	UltraUXThemePatcher_4.4.2.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid process

2956 takeown.exe
1984 takeown.exe
628 icacls.exe
2380 takeown.exe
1096 takeown.exe
4460 icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

pid	process
2956	takeown.exe
1984	takeown.exe
628	icacls.exe
2380	takeown.exe
1096	takeown.exe
4460	icacls.exe

Drops file in System32 directory 7 IoCs

Processes:

UltraUXThemePatcher_4.4.2.exe

description	ioc	process
File created	C:\Windows\System32\uxinit.dll.backup	UltraUXThemePatcher_4.4.2.exe
File created	C:\Windows\System32\uxinit.dll.new	UltraUXThemePatcher_4.4.2.exe
File opened for modification	C:\Windows\system32\uxinit.dll.new	UltraUXThemePatcher_4.4.2.exe
File created	C:\Windows\System32\themeui.dll.backup	UltraUXThemePatcher_4.4.2.exe
File opened for modification	C:\Windows\System32\themeui.dll.backup	UltraUXThemePatcher_4.4.2.exe
File created	C:\Windows\System32\themeui.dll.new	UltraUXThemePatcher_4.4.2.exe
File opened for modification	C:\Windows\system32\themeui.dll.new	UltraUXThemePatcher_4.4.2.exe

Drops file in Program Files directory 1 IoCs

Processes:

UltraUXThemePatcher_4.4.2.exe

description ioc process

File created C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe UltraUXThemePatcher_4.4.2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe	UltraUXThemePatcher_4.4.2.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe:Zone.Identifier firefox.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UltraUXThemePatcher_4.4.2.exe

pid process

2864 UltraUXThemePatcher_4.4.2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

firefox.exevssvc.exeUltraUXThemePatcher_4.4.2.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3784	firefox.exe
Token: SeDebugPrivilege	3784	firefox.exe
Token: SeBackupPrivilege	2980	vssvc.exe
Token: SeRestorePrivilege	2980	vssvc.exe
Token: SeAuditPrivilege	2980	vssvc.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeTakeOwnershipPrivilege	1096	takeown.exe
Token: SeTakeOwnershipPrivilege	2956	takeown.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeTakeOwnershipPrivilege	1984	takeown.exe
Token: SeTakeOwnershipPrivilege	2380	takeown.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeDebugPrivilege	2864	UltraUXThemePatcher_4.4.2.exe
Token: SeShutdownPrivilege	2864	UltraUXThemePatcher_4.4.2.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3784 firefox.exe
3784 firefox.exe
3784 firefox.exe
3784 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3784 firefox.exe
3784 firefox.exe
3784 firefox.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

firefox.exeUltraUXThemePatcher_4.4.2.exeLogonUI.exe

pid process

3784 firefox.exe
3784 firefox.exe
3784 firefox.exe
3784 firefox.exe
2864 UltraUXThemePatcher_4.4.2.exe
5040 LogonUI.exe

pid	process
3784	firefox.exe
3784	firefox.exe
3784	firefox.exe
3784	firefox.exe

pid	process
3784	firefox.exe
3784	firefox.exe
3784	firefox.exe

pid	process
3784	firefox.exe
3784	firefox.exe
3784	firefox.exe
3784	firefox.exe
2864	UltraUXThemePatcher_4.4.2.exe
5040	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 4620 wrote to memory of 3784	4620	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4624	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4728	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4728	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4728	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4728	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4728	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4728	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4728	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4728	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4728	3784	firefox.exe	firefox.exe
PID 3784 wrote to memory of 4728	3784	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://roblox.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://roblox.com
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.0.664898366\1330319826" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1792 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ebd1f7d-68a1-441e-90d8-60b23e2dca14} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 1892 21036f0f758 gpu
3⤵
PID:4624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.1.502433669\514594074" -parentBuildID 20230214051806 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {310e0614-3f61-41c5-92a8-c57efa84c6f8} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 2440 2102a285658 socket
3⤵
PID:4728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.2.980968536\1049228978" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 3124 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6471541-7f4e-4cd5-a8e7-6656eaed7c4c} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 2836 21035f91958 tab
3⤵
PID:2800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.3.1974499618\1038457118" -childID 2 -isForBrowser -prefsHandle 2956 -prefMapHandle 2952 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fba848c4-1fbf-4519-8d88-0188e4b6565e} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 3716 2102a276e58 tab
3⤵
PID:4056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.4.1206523712\1551427079" -childID 3 -isForBrowser -prefsHandle 5112 -prefMapHandle 5108 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f2a1e01-900b-4a23-9646-3d1bf19c95fa} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 5252 2103efc9858 tab
3⤵
PID:2384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.5.1193186863\1559860628" -childID 4 -isForBrowser -prefsHandle 4800 -prefMapHandle 5436 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36e8fc9c-dde7-45e0-85a9-0a9c184ebe16} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 4820 21037889858 tab
3⤵
PID:1772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.6.1668665454\1247371789" -childID 5 -isForBrowser -prefsHandle 5552 -prefMapHandle 2904 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a58521f2-a5f1-44a8-94df-ed40bbfc41ab} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 5528 2103e0da158 tab
3⤵
PID:1356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.7.2126728635\76219691" -childID 6 -isForBrowser -prefsHandle 5628 -prefMapHandle 5840 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e20f804-170d-470d-9061-7ee8dd2da7c2} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 5848 2103fa04758 tab
3⤵
PID:4848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.8.534418262\138322676" -childID 7 -isForBrowser -prefsHandle 5132 -prefMapHandle 5216 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42ffbf07-b04c-48db-b49e-b830326725b9} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 5076 2103a20e758 tab
3⤵
PID:4640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.9.2138354627\643815865" -childID 8 -isForBrowser -prefsHandle 3660 -prefMapHandle 3680 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b51df935-918f-4f0a-bb90-d9b127ab5065} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 3652 2103f570558 tab
3⤵
PID:244

C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe
"C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4460

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxinit.dll" /grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:628

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a25055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g2lldp8o.default-release\activity-stream.discovery_stream.json.tmp
Filesize
29KB

MD5
6e45549491180240cd3c6ecdaaaa3695

SHA1
438c7b5509163d66ef175bd27558ce7e5168f654

SHA256
0da1e1218fc201c26fc437a2e5a3735132d2e44c143fa03a9a14f679ac6a6c54

SHA512
e5790bb5e0306fa08b4862534149c8637aeaff5b802fb62479c6bfd18792a326104dde9edca101213321d0232866f8a8c5187389f2b7d19f6840e5f2f6341c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\SysRestore.dll
Filesize
5KB

MD5
4310bd09fc2300b106f0437b6e995330

SHA1
c6790a68e410d4a619b9b59e7540b702a98ad661

SHA256
c686b4df9b4db50fc1ddb7be4cd50d4b1d75894288f4dc50571b79937d7c0d7e

SHA512
49e286ccd285871db74867810c9cf243e3c1522ce7b4c0d1d01bafe72552692234cf4b4d787b900e9c041b8a2c12f193b36a6a35c64ffd5deef0e1be9958b1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\System.dll
Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\modern-wizard.bmp
Filesize
201KB

MD5
5f728e4e6b970db76c64be8ca3cafc87

SHA1
b7481efd9f6938903214451d792a8b13a645c922

SHA256
aea40659bdb08337064640ea8b4f171881d37456b37b3e2899349ac04f0889c5

SHA512
2cc4e870290f8faddc8eca1a03a1efb34711b3951e263a79f259fd998a9a1f957dbf58c110c5fe64febd414ec7a22e125353f9d5c363866bd0d4298452fdadc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\nsDialogs.dll
Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\nsisFile.dll
Filesize
5KB

MD5
b7d0d765c151d235165823b48554e442

SHA1
fe530e6c6fd60392d4ce611b21ec9daad3f1bc84

SHA256
a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587

SHA512
5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.js
Filesize
6KB

MD5
c66090e24dba59e15c6138d845e2eab1

SHA1
af2ee6fbf5e3916456c5aa709a7f51c40b234200

SHA256
665fca5485f3782472150a9478c85bdd21c0601d9eb75c26aba363b97d3b8761

SHA512
6cfcad15291454f3e13a9f5e619a8d5ae50282c7d2d25e961cc77b6906b4483284372ed65451aee5467dfd76029985644cd4d8e407f116e67664fcaf628f76fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.js
Filesize
7KB

MD5
7ce9cc80d02f50991e738e8311aba0fb

SHA1
a38f546528094984e9121da5e9d6cf51ced7d9ce

SHA256
9004274745ec126cee35a9761f88ca5b1a2f6d586ce59a448d42aa1732b1ac2d

SHA512
cc9d060d9dd40c9e9c569ae02856492a9f9fca9a60403a4cd6dbf048f5e84d74525f6fe6658b7473c39bf6631873285f06a49f11cc50fd301cb5b27fac6468cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.js
Filesize
7KB

MD5
e8ea6b5699423f5d4b7c892360ca90e2

SHA1
5a196acf4f89d282c35aef44149f94cc375fe30c

SHA256
0a1eb70e7f55b63a9a5ca43ae771d39c6dc025d143ad868ba53b86fd23c0e62a

SHA512
fe0a74f088b4fdff4453e55388b69b4f8ace158520aa7f15c21506f99a74d0282c415b6ed974f0dfae86c950675bc8b49057f9a0cd85f32b25c4527b701e71d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs.js
Filesize
7KB

MD5
19d8c366a64c22eae5bbb56a9de761ed

SHA1
283f69c3a46e3af027dc74f050a2ad560982e603

SHA256
c7d5cd609410b76c424fa716a451f3813d75338f4063d7d7259cb7dd1cace4cd

SHA512
4d6b7b8934716cbd059f356ccdfaa57f55b18a8a38ae3fb993ed1c0dc0fa89e616074e3a712fffeaa1845a63fafcf0bb2fc1dd40161b4ba169be96fccc33eaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionCheckpoints.json
Filesize
228B

MD5
66bdbb6de2094027600e5df8fbbf28f4

SHA1
ce033f719ebce89ac8e5c6f0c9fed58c52eca985

SHA256
df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc

SHA512
18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
217KB

MD5
0633a16a79b61a40ad156eecedcc096f

SHA1
9b3cd232df06412c5d0a65b5cc89f52563f8e220

SHA256
89c07c5c7264854d1f514f9e74059a6123a1489ac58ff85b325bbc298534bd25

SHA512
ce0e6c85028d3ae04367c8098aa279ceaf7a81cd8535e468d575cb56017dd779bb415e6fb6ad8a21c881b9cf502ba56bd2e3c79c0dd509a1696099f6db1fbe0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
219KB

MD5
8ffc93fa1b544661bc4b699d7f8489c6

SHA1
9d56ddb6e6fca750030d91fb4ba0685706e8fc27

SHA256
eb43738c6ee10f8f90668fe4a3e2e093a6e3e94dd2b84c996b7b7b82d5e5f169

SHA512
87b0f1ccec0276a5114f068961b5e8b466c2aacf271f207d6c166c60ff4bcad7c4a8faa716b555e7209d55577ce6e5ee3d7bb8e832614928813e8f044c4e2d6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
cc2b11158339e0822e764b3112e57f00

SHA1
5ec63bc3831b99c90812b06ddac0bcbcda66649d

SHA256
0e7fcc9cc41ccc802f80245f2fd1ce232c407d11c7c3eb4c93ab78d3ac7e8cc7

SHA512
78d1010eaca64c3a68c0e5875078efb763bbe1122a4cd8512d09e4f5d0cf2d459b12df083b4b3c34388a1e5b26b7a4cbdb3056cc1b8e17ece39685fb8d499914

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
219KB

MD5
ee1c64a79193f9c0bf605d13602daa0a

SHA1
50f4943e822cf5859b17624904a21ae10162aec7

SHA256
841bd4bb7a0903305316f0b2a8aa13854346b6c4261903c81ff7ace530ef51b9

SHA512
b1fce85e0d36654ef6c86289bd6bde8da0e8a699f0b5cfecdc8468210760985a273d05204da134f1d701e93e320f6bfe90478dfd4668ca29f2fd3a406c2798c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore.jsonlz4
Filesize
218KB

MD5
b11f936f36df8318bc4bae0552750b78

SHA1
48098e03c57243e32440ddc391104a973fab2c0a

SHA256
d5a1564ce5974c235f55dadb277049a45adbfc88d98d7f8a76432fffce32635f

SHA512
bf8a71886f14bceac8735f26f37d1f04639fa0fdbf40e0a717fb007833bfded3a56d215d4da014d8e9f586ae84e5b4996bc83a25ddc8bd17c7ea5229d358aa6e

Download Submit
C:\Users\Admin\Downloads\UltraUXThemePatcher_4.2W3mLf8f.4.2.exe.part
Filesize
6KB

MD5
c4153075ad5400296dce7bbcc1a0fc5c

SHA1
375444f6b908779645c39c23ca155445ed092e5c

SHA256
15bd89895536668eef01bda961523eb94f62038618c77235c118fd8dce9b9936

SHA512
72e1f806a1b84221fc331df0860da34bdb8a09b2fb15ff0f7fbe26908982406a5ed5a43bca35ff4806b52f028d6cc2baa3a6fe0a0b4a273fd8d35420751b47e8

Download Submit
C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe
Filesize
159KB

MD5
446db12350e471737925dc25e82eb21c

SHA1
5082ba44dccc26f278adacaf5e8bf5d4424666aa

SHA256
48fb5c4c2a2e6ab49bb10c599d69ab614d2c69f91854e00adaf5508d9ee14f7a

SHA512
564b995e2c3a8585aa262670ab13ec744ec198bec703107c9e9f2e2a8322acd3064d485bd8f9509f6d15a491e635f3b714ae99bc0c57190ceb4c28d59d9b804a

Download Submit
C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe:Zone.Identifier
Filesize
143B

MD5
c258a8babb6ad32c04162d393e34c916

SHA1
25c1b926287c721e5a8b18cf89c782fc59f4e3a8

SHA256
79d37e72e6ef64a21a959104cb610976c7651ba14f3a2296fb85c5f0ddb6a129

SHA512
6372a9958382aa0b884c0b26e9d26f7e89208c73705ef144e8852d8ab1683755719737074127093974d134f440c5fe65789f36dcbbad78ef593ab3ab45015740

Download Submit
C:\Windows\System32\themeui.dll.new
Filesize
452KB

MD5
48359e4ea17198c341697a50bd359ea3

SHA1
b178b6b3317ec0365b10f4b493fd80fbc85c709e

SHA256
a168df5b361469e957a8470d68fe2c4a1b664f519e6811b3ce7931ca7f01b669

SHA512
24ddd3c396630ce820d599168f856575bec19c065f73535565898d2eefc63b7c0515d56a4defee693328cb4b8e830ad1640b33e5ab316d8cd98be3aebc958075

Download Submit
C:\Windows\System32\uxinit.dll.new
Filesize
140KB

MD5
83f209434ea9b3f4f48f0dc498dc9a7a

SHA1
49ef0f3c6d6e76e121a4cc480737677d303f5f9b

SHA256
59a124cff1d4ebd1a0043d7652ec3a241d736489626f05415f65bae3a45a13a2

SHA512
15b58125e0803bcf1e2b0827a9544d4390c6721931b82d238f856dab07a51db11f27d64f9595bd625999863a2160934119edf5537e67799206ed248e89c438c1

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads