3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Resubmissions

05-04-2023 01:27

230405-bvfhgada5y 7

05-04-2023 01:24

05-04-2023 01:18

05-04-2023 01:16

05-04-2023 01:13

28-12-2022 04:22

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5848	MEMZ.exe
5848	MEMZ.exe
5848	MEMZ.exe
5848	MEMZ.exe
5888	MEMZ.exe
5888	MEMZ.exe
5848	MEMZ.exe
5888	MEMZ.exe
5888	MEMZ.exe
5848	MEMZ.exe
208	MEMZ.exe
5888	MEMZ.exe
208	MEMZ.exe
5888	MEMZ.exe
1456	MEMZ.exe
1456	MEMZ.exe
5848	MEMZ.exe
5848	MEMZ.exe
5036	MEMZ.exe
5036	MEMZ.exe
5036	MEMZ.exe
5036	MEMZ.exe
5848	MEMZ.exe
5888	MEMZ.exe
5848	MEMZ.exe
5888	MEMZ.exe
1456	MEMZ.exe
1456	MEMZ.exe
208	MEMZ.exe
208	MEMZ.exe
5036	MEMZ.exe
5036	MEMZ.exe
5848	MEMZ.exe
5888	MEMZ.exe
5848	MEMZ.exe
5888	MEMZ.exe
5036	MEMZ.exe
5888	MEMZ.exe
5888	MEMZ.exe
5036	MEMZ.exe
208	MEMZ.exe
1456	MEMZ.exe
208	MEMZ.exe
1456	MEMZ.exe
5848	MEMZ.exe
5848	MEMZ.exe
5888	MEMZ.exe
5036	MEMZ.exe
5888	MEMZ.exe
5036	MEMZ.exe
5888	MEMZ.exe
5036	MEMZ.exe
5888	MEMZ.exe
5036	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

firefox.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3844	firefox.exe
Token: SeDebugPrivilege	3844	firefox.exe
Token: SeDebugPrivilege	5256	taskmgr.exe
Token: SeSystemProfilePrivilege	5256	taskmgr.exe
Token: SeCreateGlobalPrivilege	5256	taskmgr.exe
Token: SeDebugPrivilege	3844	firefox.exe
Token: SeDebugPrivilege	3844	firefox.exe
Token: SeDebugPrivilege	3844	firefox.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe

Suspicious use of SendNotifyMessage 49 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe
5256	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3844 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3764 wrote to memory of 3844	3764	firefox.exe	firefox.exe
PID 3844 wrote to memory of 2012	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 2012	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4240	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4496	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4496	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 4496	3844	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
PID:4424

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5848

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5888

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
PID:6000

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:6100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.0.516426419\2066845796" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fcce612-546b-4f1d-9424-1a16aec79e9c} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 1912 225798ca458 gpu
3⤵
PID:2012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.1.93641395\1091867900" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cc31df6-8fef-4163-9220-a8bb5565b14b} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 2316 2256c971358 socket
3⤵
PID:4240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.2.2137148512\791412350" -childID 1 -isForBrowser -prefsHandle 2864 -prefMapHandle 3080 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f6cac38-840a-4352-980f-7b913f031b37} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 3096 2257d5e7e58 tab
3⤵
PID:4496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.3.1158136058\2067085507" -childID 2 -isForBrowser -prefsHandle 1232 -prefMapHandle 3500 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d618a2d-f5e7-476e-af6f-867cad9b268f} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 1452 225798e1558 tab
3⤵
PID:3800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.4.1952241434\1908010759" -childID 3 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61a0d420-edc5-49ff-a66b-3124d8695687} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 3996 2256c95b258 tab
3⤵
PID:3244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.5.484659133\1091389256" -childID 4 -isForBrowser -prefsHandle 4820 -prefMapHandle 4856 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61a57d07-1b59-4b18-a761-5a3756224d1f} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 4908 22580b4d558 tab
3⤵
PID:1052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.6.792947190\578865952" -childID 5 -isForBrowser -prefsHandle 4800 -prefMapHandle 4852 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f1a267c-4a7b-4dcc-8f6b-cd9cdd5d6124} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 5060 22580b4d858 tab
3⤵
PID:4176

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.7.1348434689\289818507" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5356 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12b73ec7-3307-41ea-a3da-990448d84ccd} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 5328 22581159b58 tab
3⤵
PID:1472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.8.265135270\186568339" -childID 7 -isForBrowser -prefsHandle 5832 -prefMapHandle 5776 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c228274-47ac-4ec4-99a6-9714324d249e} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 5840 225812d8358 tab
3⤵
PID:4816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.9.367655781\1994437734" -childID 8 -isForBrowser -prefsHandle 3628 -prefMapHandle 2792 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9372f7d-c7e7-49fa-b62d-c1227fdbfa72} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 3712 22582503858 tab
3⤵
PID:4552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.10.728062035\88008804" -parentBuildID 20221007134813 -prefsHandle 6100 -prefMapHandle 3968 -prefsLen 26930 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {408ce94b-601f-40c1-99ad-2df5713c2738} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 3552 2257d598b58 rdd
3⤵
PID:780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.11.804792298\1585750223" -childID 9 -isForBrowser -prefsHandle 6180 -prefMapHandle 6172 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c7992c5-d1f9-4aa3-b967-86c6f54cf063} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 6196 2256c96d658 tab
3⤵
PID:1832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.12.1963627039\1736896746" -childID 10 -isForBrowser -prefsHandle 10256 -prefMapHandle 10260 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91ff6dc0-ed38-468e-88bc-6632c91d9ea3} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 10288 22582cfab58 tab
3⤵
PID:5372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.13.1425574933\1580098362" -childID 11 -isForBrowser -prefsHandle 5160 -prefMapHandle 10116 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a5fb06c-f2d3-4fa6-bcad-b00e9c4c9e1d} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 5412 22580b4d858 tab
3⤵
PID:6044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.14.1291610596\566576834" -childID 12 -isForBrowser -prefsHandle 5360 -prefMapHandle 5252 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2364dbb6-3b92-4486-9a57-d51471a2a0e7} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 5244 22580b4f658 tab
3⤵
PID:6052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.15.1371503054\1806127596" -childID 13 -isForBrowser -prefsHandle 3576 -prefMapHandle 4816 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a896fa69-451a-48ba-b6ee-cc15ae9dc55d} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 3708 225810b9258 tab
3⤵
PID:5756

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5256

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp
Filesize
153KB

MD5
e21781adfe8678d5de2c648d734aedb8

SHA1
583475a17ee01f9ce53b1cec0f342bfa77a4a9fc

SHA256
2fa70e9f11e28d69941f63f0ba8a7eb96e4a281b083cb7cfeb9fb53cbbb26769

SHA512
b87fc3332b460dd3ed2f1b3ad8d6897289d0056d2bf550f0b63e742864e8ceb907940e0e272e4891936a0b2a1103059050d5144c452cc6c48d58707073fff22f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\doomed\21429
Filesize
9KB

MD5
de7540589454679b48e8505f2a10abc6

SHA1
353f634684cc34e7020c4b8800cbdb2c25a67f9f

SHA256
7c1a69c7f8cde8ea528fd0272d6aded87005cae9291f9895310de74b36e4e088

SHA512
37f6304bb6148edebd764a95e09899ec964c027cd80779f772aaffdbed486ad10d18f0af83bb09d03777b72031e6f7865c8620c570c6edf9eb0ed63f95ca0ad2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\600F3DD8A8247EB6F0186CD659FC83289C8238EE
Filesize
116KB

MD5
333388d1539c1e04b743d9e6014869e1

SHA1
b9df0510a4dfb08c4269be0405f0de9c242777ac

SHA256
1c246228014ed9ff151da35966a5ed8170d3847dc704b05ff7f437a9af293209

SHA512
0fd3feeba17a6b6cef19cabcbf008d6e40c4ee76c246c51869971e69e9f0e3341794cd893f6a27cffd086e80bc5854810cd36c330d7199ebb4e79ab2461c6ce6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\77F62D25A8D9C42B3254CDE3AAFD9D5C24F586CC
Filesize
113KB

MD5
1a117f8b2c8885232e4e294587423c3f

SHA1
80090da59d6c1b52fed93d2d0b5c8eafcb3711dd

SHA256
3566019f788a089bdd22e3c923f9deb85a2bcd03d6322a0d2f413a8d331de300

SHA512
c41025377ca034aaf4ec5f3e1aa90d5498e8a5635dc5988f016296a1b6eeec6454bb9a2f3bc6b98339c9db30704c49c3f795ba63b3fa2e7a9051de546724a05b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\8EB4709CF4843214700D0810750FD22C74FF2F46
Filesize
186KB

MD5
058920e63bae704cc2ffc331d8a969d5

SHA1
43b5cdd25a36e7f00193482bae5e32c70b020421

SHA256
6b122a0e996cc72c157ede03f553b4fccb6ae6adc6c0759d1ddc27504f8a7c79

SHA512
7fee71e559493cfe7eb51b55349eadb52b9097c0f63992ec085115c5aa57a2a5ab93224ca19e36d5c69a221a447f4db89a16f38bd212d0d129a39768554812c0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\A724F9F5B68A246DFC44D3C3CFE3374D41B1400C
Filesize
38KB

MD5
58c0fda88accd8d592e4b0ace43ded4e

SHA1
71e4b2a5296023e903fa0ca9d0f8cc79a8a1b1ba

SHA256
a577182d2e2d80a75c631f3d378322f1e53c7f8f30253133b167f051cea6eadf

SHA512
2e5e461230be0baa7a97bebe7139f28523eca58a6004c0dc1484cdb2b4482c9845d5d271dd2dcdc80b9188ee4ab4e6979e9e1a9d54c003a985710d83e408d351

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\E8822254DC619071D1B92E269BA12A6969E5DC25
Filesize
806KB

MD5
0baecd5cf7bf05ebc221e3517d244bec

SHA1
d94c1dbe3c40a11dc9367f67a1f58024796b8d6e

SHA256
3aefbe0b1462562bb5f3d639c4d8460b9e57c3a170d541413d468444b0eaacbb

SHA512
be3d3336eab4bf598dc8f05b9f13eb30dfce0171fe3c05945e8167794e84abb6ad21ec093ba0f29274821a9d7b864a840d7ac864ad1d4b98ea9c6529aae95e89

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\ED0DD8DCE0DE3E4FC96AAC8179C42223422E1147
Filesize
97KB

MD5
43ce1aee655c3bcfa179f874a0f275ea

SHA1
a911a4d26d7d7a3664f9a45ffcd1c30509c2cc7a

SHA256
d45337071791bfb1385a9d92c2d6d0120a177f3c72661f051e0dd684b9669e57

SHA512
1a4c58eb7178d1d2f22a95e52c60e072a467c476d1559cb48d80cf9a78e51cd548eaaa96538946833b450be3245f7ca5c794f61ceb98ee26f251b4f62499f293

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
6KB

MD5
41930d0b787a3ccca440d07d7eb4c77f

SHA1
ef4705fbfc650b45c482d3291c7e411151530d5c

SHA256
d3c2830fc4c7cf6a046871cdd316a65cf55762b37144ece1ec73f3c8a97f8ca6

SHA512
1fb805ea6c93d543600f13d5abb63b758a51c2f2b82116aa83361e66153fd7e516a3fa9cbd3254a90b066e4dd19119a13b0a01ca27fc1932790a19af14e21499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
6KB

MD5
992126ff20b5fc23ff6d7f5cd5d00a6f

SHA1
657055c65998ecac7ea0142911ca03c637e3c3e3

SHA256
8cc2e42ea00b3307612905dc43c6abce90519f5fc9305786ab323eab541274cb

SHA512
8bba857447a56e64e96dc9b686671ae3c983741a696fc344efd76793a6b1defbd0f8a909fe9264776803bb188baa86a6ea9ece7ee5a59ef92cc35957f5105e79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
7KB

MD5
375c987280824ca24e472e03e701398b

SHA1
5715eceaedcb625aea1b106469b66022f72d7106

SHA256
cf82578c21aadea88b1448f36fda275493dccbf3a22ce0d15b22d537415924f7

SHA512
dd6b98f016a204ed53f3c66d14b830adb2d929830090b36984e751ed6c4d34d47c43ba22957cb9f4b42c6ca4d398a772cd6d9f64fe6663f202154881eddf01e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
7KB

MD5
ab73fb487f60640baf245246c84bbae6

SHA1
a243b4931425a86259315ac6571b893c3d34bec6

SHA256
57afaa9d8eb23327862d4ecefab5bd61665a8ae61939485e181c244b654cc079

SHA512
5f03f85908c0d77604b00a51d284a40319fb363667fa36e33655e12bf8993a8e42d73b4c5efb16f28ac096bff9ed10a912138363374696db6eee9004a08cf8e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js
Filesize
6KB

MD5
f73e52d124620d05267ba934f3b312d3

SHA1
34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

SHA256
fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

SHA512
4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
192f12b166cf56f34f660c5c6f4b0411

SHA1
4a22b2c2d0ca24a5d70ed8f1575735d0ab5fdf77

SHA256
ddbc3315061af3db6c159f8fe570ce2b89e361e5d9a990c444f71caea3848521

SHA512
12217fde078540a2c114f081f4301e7b9d28decf33d7a9455f494f16c12c265720865890464f86e8e05ce57a45b3b8033389f62085d58842275b3543bc62c8c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
5c3cf67fe98fa91e8087c4532f353c7d

SHA1
dda7bf433152bc25453fbd43dd53368e10d5e4a7

SHA256
c82df1937aa3ef3ff6e5fd37e66f59f7a5e15e41ba89ae8ba9e7b9dbf4c82672

SHA512
40b50ce304c323a2672622f1b848b344192474ca6075268aa4cb69a9ec183a5f7fff345fab1a15a3c3f6ec3f56e7328f956cc7dbe5bf5e0345a4c4ecf8debeb7

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/5256-1617-0x000001FC03E10000-0x000001FC03E11000-memory.dmp

Filesize
4KB

Download
memory/5256-1610-0x000001FC03E10000-0x000001FC03E11000-memory.dmp

Filesize
4KB

Download
memory/5256-1616-0x000001FC03E10000-0x000001FC03E11000-memory.dmp

Filesize
4KB

Download
memory/5256-1611-0x000001FC03E10000-0x000001FC03E11000-memory.dmp

Filesize
4KB

Download
memory/5256-1619-0x000001FC03E10000-0x000001FC03E11000-memory.dmp

Filesize
4KB

Download
memory/5256-1621-0x000001FC03E10000-0x000001FC03E11000-memory.dmp

Filesize
4KB

Download
memory/5256-1622-0x000001FC03E10000-0x000001FC03E11000-memory.dmp

Filesize
4KB

Download
memory/5256-1620-0x000001FC03E10000-0x000001FC03E11000-memory.dmp

Filesize
4KB

Download
memory/5256-1618-0x000001FC03E10000-0x000001FC03E11000-memory.dmp

Filesize
4KB

Download
memory/5256-1612-0x000001FC03E10000-0x000001FC03E11000-memory.dmp

Filesize
4KB

Download
memory/5256-1706-0x000001FC03C00000-0x000001FC03DCD000-memory.dmp

Filesize
1.8MB

Download