e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JavaSetup8u361.exe
Size

2.2MB
MD5

d3809baddaf7b1e7d94484160043328b
SHA1

e1979f5248d3b20858b11386ce22b1ccb0a9bfb5
SHA256

e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079
SHA512

96350ef6c81a1bc7d3c6b29c2a66ffaa1cf4f86172d3f52d39bcbf3886da41208b75cfe16bbf4ea23e04b2e0616637083eeacdefb8c0edc3ce6d0f2f89f881c6
SSDEEP

49152:OOt2ad8mKKue2/8cTs0HFTPO86O3jUfkptVx41inlc8z+o2:OOt2yMT/8cTs09RjUu54Ai

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1492	JavaSetup8u361.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	firefox.exe
Token: SeDebugPrivilege	1628	firefox.exe
Token: SeDebugPrivilege	928	taskmgr.exe
Token: SeSystemProfilePrivilege	928	taskmgr.exe
Token: SeCreateGlobalPrivilege	928	taskmgr.exe
Token: 33	928	taskmgr.exe
Token: SeIncBasePriorityPrivilege	928	taskmgr.exe
Token: SeDebugPrivilege	1628	firefox.exe
Token: SeDebugPrivilege	1628	firefox.exe
Token: SeDebugPrivilege	1628	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1628	firefox.exe
1628	firefox.exe
1628	firefox.exe
1628	firefox.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1628	firefox.exe
1628	firefox.exe
1628	firefox.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe
928	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1492	JavaSetup8u361.exe
1492	JavaSetup8u361.exe
1628	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 1492	3204	JavaSetup8u361.exe	83
PID 3204 wrote to memory of 1492	3204	JavaSetup8u361.exe	83
PID 3204 wrote to memory of 1492	3204	JavaSetup8u361.exe	83
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 3408 wrote to memory of 1628	3408	firefox.exe	86
PID 1628 wrote to memory of 1752	1628	firefox.exe	88
PID 1628 wrote to memory of 1752	1628	firefox.exe	88
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87
PID 1628 wrote to memory of 2492	1628	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JavaSetup8u361.exe
"C:\Users\Admin\AppData\Local\Temp\JavaSetup8u361.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\jds240547703.tmp\JavaSetup8u361.exe
  "C:\Users\Admin\AppData\Local\Temp\jds240547703.tmp\JavaSetup8u361.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1492

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.1.294565837\949706028" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8bb830b-99b7-4bae-b762-20019b010de9} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 2332 22ac7971958 socket
    3⤵
    - Checks processor information in registry
    PID:2492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.0.1078166201\609029935" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20fc01f4-9940-4659-9a51-69329cf05a77} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 1932 22ad5a21858 gpu
    3⤵
    PID:1752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.2.1793206498\1425927855" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2788 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6129dc8f-e50d-4859-aef1-cdbe61dca6b1} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 3244 22ad83fb558 tab
    3⤵
    PID:3876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.3.2060811616\1671188230" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 1292 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1824d8d0-9599-4bdc-bf49-3b7438546678} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 2496 22ac795e258 tab
    3⤵
    PID:4748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.4.753922413\1374896183" -childID 3 -isForBrowser -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bd7bd64-e06e-4190-b8c0-c5e9519ecd56} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 4132 22ad9399a58 tab
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.5.846353077\42934764" -childID 4 -isForBrowser -prefsHandle 4984 -prefMapHandle 5024 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5794e42-1ce1-4440-92ab-0b71e3aca522} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 4988 22adaa83b58 tab
    3⤵
    PID:4828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.6.1824584854\903141353" -childID 5 -isForBrowser -prefsHandle 1592 -prefMapHandle 5040 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e90be4a5-aecb-4b4c-95bf-d4f20d9aea09} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 5060 22adaf4b858 tab
    3⤵
    PID:100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.7.1901317574\743343191" -childID 6 -isForBrowser -prefsHandle 5436 -prefMapHandle 5004 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dc06a9d-1038-426d-b52b-056e27d5c70c} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 5360 22adafc8d58 tab
    3⤵
    PID:2460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.8.953373103\1864358634" -childID 7 -isForBrowser -prefsHandle 5736 -prefMapHandle 5732 -prefsLen 27156 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94e61992-3933-43a1-a43a-28d4d3c68b85} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 5820 22adc208d58 tab
    3⤵
    PID:3416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.9.1661639731\218077844" -parentBuildID 20221007134813 -prefsHandle 6060 -prefMapHandle 6056 -prefsLen 27331 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d04c6354-dc8b-4a49-8b4b-9e06efdf9215} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 5532 22adc2daa58 rdd
    3⤵
    PID:5500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.10.1945289570\533070940" -childID 8 -isForBrowser -prefsHandle 5028 -prefMapHandle 5304 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0888104c-a57d-48ef-8226-0ad8fe7ba997} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 6060 22adcc94b58 tab
    3⤵
    PID:3428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.11.1053911672\806956579" -childID 9 -isForBrowser -prefsHandle 10072 -prefMapHandle 10076 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22951f7e-c46f-4beb-b5ff-18f5772d7543} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 7240 22add7a9b58 tab
    3⤵
    PID:5748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.12.42296532\2046637515" -childID 10 -isForBrowser -prefsHandle 7088 -prefMapHandle 7084 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b6c7c62-86c8-4dd2-82dd-410498e3919e} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 7096 22add7aa458 tab
    3⤵
    PID:5760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.13.1180176414\532840498" -childID 11 -isForBrowser -prefsHandle 7088 -prefMapHandle 6848 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6868da7-16bf-499d-b1b2-2a2af8e13dce} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 6864 22add9d3958 tab
    3⤵
    PID:4804

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
158KB

MD5
c18bd331604aeb5b6093e5fc8fe2363d

SHA1
ea0d60de68e88b0fd29e0336d73f0dac91125047

SHA256
c46b3da4b1378e3fce880187d9fea6b62c570464c30882dd7ff741b3bb396e5c

SHA512
386c828d44c697782084355847b5cbc0a32f57df8a5f2abe74b481b8c6a3ad20e8243a604f16db94d1c9b47df1fe7eddbe964c4089bd623c89cd65dcd70f63cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240547703.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240547703.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
04e7bb9d4c2d9e2424ceb6c7ade9368a

SHA1
852d5cb82b74214539f14ddaa6f127c705aeabc3

SHA256
11e06c4e409864ba503eaac953494d5268e6959e57107878e4721e414af886a5

SHA512
d73b2d128e838286e7e204828878457fee6d03611b6ddc2b73f064cc76646d6fb53c0f94393aaf4b31a782ea37a83c09abe01c16c344d0f1c04931ee48c0e295

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
268KB

MD5
899592f839bb8752c17e04266a995e27

SHA1
c732e6dc5ac289b10017d8e463a606d704253aa0

SHA256
ccd81e143ca9daad3bdf485cee248580762787c77db4ea3931156b3431474107

SHA512
98ffd11e58e788e269dd0e8964cde12b337a73e1274205bb49f9449967573bbc117df6f08eb27a3f1abd7e36c836ce153e4c2a7b6d50156ba9b12db4c8579001

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
e9c3d8ac206d4d738ed7a030e4576541

SHA1
583f8668aefdf5dee78d6c9b0ac555c754b802c3

SHA256
0592c0ae24cfd718c8422dab757252bb7966c5d868bfa7637a627149718b0e00

SHA512
62b85fdc67fab40225d1ccd27ffbe03e363734fdeca9c07755cbba50b398869c4d6c9b8dc412c69738fcec8a7a53348857d30a74993858d2b502603dd71c93cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
2c2b6d46a865916cad0b4e7fd78d20bb

SHA1
e15801db4b43c5025d77c0c4498b45dec87ed262

SHA256
7848f21293f9cdaac3850b0d6191e16bc3eb72ae35f3e3844d9db798898bf32d

SHA512
4f3dc6172fdf4175704e712632a805c9ebf4ec14b954cf14ea5c00dd019bc2588d08ca2c6c97b29306f5fb06ad731d3521b8b8cf2685d4ecbad2952b05fe1fe1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
f8de2ce9975b5dece6e489580068f1e8

SHA1
be358a80fbd1c3e2e82380315812b585e78f0a7f

SHA256
d1eb4bdb389aaf756a9bc76ac2b803480c365cc2553367d2463e27eddd0575ef

SHA512
53f33161e696f686a0a054b8ffecd8ee7b997939aee51b5c2b2f76033ab590038df7e5d1090c6441dad3ba9d4909c202e95f0718bb299cacb19a6511e2006e3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
9f2d0bd943173df482d15f33f1cb5630

SHA1
7217beade7768de09fe3f015aa368a6a65de0e06

SHA256
a645bab6baf6133679881f516a44b82cf7aba13613c712de8ff68db20002d3b1

SHA512
1d70eb317c9c724fe6efa1d0b22e3e674f80455817048a38ba7b2e6804e002fbfb97dfad01f1cf39d00682760dca3ee782e63e2bceaf88a60f66ac341b465902

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
7KB

MD5
ccb15a4024d9d22b1f8249cd123e9968

SHA1
faaa4a5d7bc52a62cad0d1abf4a3e7128928e874

SHA256
a941638aef972feca28aa8ac49245f862819eebb3924ace7511835fb6262f1b0

SHA512
5d6f9f51c022529fb74bd9d0620ee34b81f01bfea0cf8fa0e32d90e4e0e71b23dd80d8e2984edd0a3722ca7a2f0cd84371493cadd807676db272e080b549190a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs.js

Filesize
6KB

MD5
207077fed406e49d74fa19116d2712aa

SHA1
3ce60cb9b4fbd6b00a9ae26c599b9fdbe2b6c5ee

SHA256
b02701ad3c4478f891a550eac65f0a8c183999aa22a1dd171bd698b990124c58

SHA512
0c6398230b3eb103a0ce280f127515d998a6c9ea8908b8b248b132782f8166141ba8e1faabc7ace4b80e9c925bc5d7885f0fba8c16cb2e7798055727dc66190e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
59e3e89867bbdfa4d96eb5aacc320327

SHA1
be67162a926a42976f267706e84d6c21129a5ff3

SHA256
0076b900189b563301a96b86554a5370ff26eec24370864f224d76d5f15e4ffb

SHA512
387d3131aea8190e9f64b9d1b1cd60a9143135e1b394f8f80269c543ec9f0a78a6e2f1896d023970a3642dd7a75f38ee3aab28df0ff153279833d095649ebc3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
5a183b3b5ab72755dc866593b165c54f

SHA1
e29048271e1ef42c1cef4106dd03f30c08fedb2f

SHA256
43cd65491c2e98e316475b71146347612e6b7527c3d5cbd937aef3e3a30a34a2

SHA512
0af525a3663f6d39eee8b225736e9ec13b48abc44ea1144a33413606a9d9013b2277353cbd73b5b5bf2b0b12317f4099fe0747813e97ee98c6e52099198de0aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
ea22fe7008c86925a8da42994262a8d4

SHA1
5d6b41e474bdeb58a0da45497c2f454a1db4ec82

SHA256
6f857ff4b27fc067ca012612b4d9e948e8d4cbeaa5474ee8f0ea2d221910553f

SHA512
5e9eadc8a23b5005aa9272d7985fa74ab839e8a0d8fbc0250fc7fb5b794b1967e1c18c66f1dfab80e79803aee38e8e746e93aec65b74ab2eb0dcf73097ef34ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\storage\default\https+++www.pornhub.org\cache\morgue\79\{9d56b62b-6fa4-4e00-afc5-6cf6cf539f4f}.final

Filesize
456B

MD5
4849126d62348e96de9f534891ee372c

SHA1
04208116ad7cb0edcb2c7c754042554104172d10

SHA256
92930e52c17a5e42a09f648d090ba0e48384fe2b6f4f6b3e3fc70bd8a0e6ac5d

SHA512
bd7769637a8707a21027e442faf6911019a2c731bff17fc11b9da0b74490162ea4eba2fca41942a7c114cc75ab1941f208c1fcc789bdc0a594b5ed269f6e6f25

Download Submit
memory/928-544-0x000002D5393C0000-0x000002D5393C1000-memory.dmp

Filesize
4KB

Download
memory/928-540-0x000002D5393C0000-0x000002D5393C1000-memory.dmp

Filesize
4KB

Download
memory/928-538-0x000002D5393C0000-0x000002D5393C1000-memory.dmp

Filesize
4KB

Download
memory/928-534-0x000002D5393C0000-0x000002D5393C1000-memory.dmp

Filesize
4KB

Download
memory/928-533-0x000002D5393C0000-0x000002D5393C1000-memory.dmp

Filesize
4KB

Download
memory/928-532-0x000002D5393C0000-0x000002D5393C1000-memory.dmp

Filesize
4KB

Download
memory/928-543-0x000002D5393C0000-0x000002D5393C1000-memory.dmp

Filesize
4KB

Download
memory/928-542-0x000002D5393C0000-0x000002D5393C1000-memory.dmp

Filesize
4KB

Download
memory/928-541-0x000002D5393C0000-0x000002D5393C1000-memory.dmp

Filesize
4KB

Download
memory/928-539-0x000002D5393C0000-0x000002D5393C1000-memory.dmp

Filesize
4KB

Download