e78ef578f567e0eff001f5cf89ed114895a9c3e656e2b6ec9917ad50d5dca50b

Analysis

max time kernel
190s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChatGPT - The Good, Bad, and the Conflicts.docx
Size

329KB
MD5

704c94564afaff2b7b9d26b9710a088f
SHA1

05b9e67a5e5347c9250319921a71beaf49392684
SHA256

e78ef578f567e0eff001f5cf89ed114895a9c3e656e2b6ec9917ad50d5dca50b
SHA512

7c4f832cb5e620bdc0076009648ada8608272fdf15e5039a99ccf0899c12d883646425abd0e9f6a9b1b6d9d846df922ace9336d86b57a80a384c29610109c98f
SSDEEP

6144:95DkY5vGwH1Y3hOL8ybLQGJ6AoJd+EN+ubA3PxK8QbMhfYK/zJvHA8Pq69su0Q:95DkSvbH1YxQYG8AApN+/3PxKqRHA8Pl

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1768	2040	WerFault.exe	85

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1796	WINWORD.EXE
1796	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5864	msedge.exe
5864	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	firefox.exe
Token: SeDebugPrivilege	4872	firefox.exe
Token: SeDebugPrivilege	4872	firefox.exe
Token: SeDebugPrivilege	4872	firefox.exe
Token: SeDebugPrivilege	4872	firefox.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
5868	msedge.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4512 wrote to memory of 4872	4512	firefox.exe	96
PID 4872 wrote to memory of 1604	4872	firefox.exe	98
PID 4872 wrote to memory of 1604	4872	firefox.exe	98
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 4268	4872	firefox.exe	99
PID 4872 wrote to memory of 3836	4872	firefox.exe	100
PID 4872 wrote to memory of 3836	4872	firefox.exe	100
PID 4872 wrote to memory of 3836	4872	firefox.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ChatGPT - The Good, Bad, and the Conflicts.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 2040 -ip 2040
1⤵
PID:1400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.0.2042531540\101291161" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1852 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b842888-2721-43ca-a4c4-39f278b089f2} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 1932 14f72716e58 gpu
    3⤵
    PID:1604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.1.1688057047\103623873" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c19c2b78-c4f6-41cd-97e3-ef19d7a76c8b} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 2332 14f64772558 socket
    3⤵
    PID:4268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.2.731905189\2026450223" -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 2752 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7b3a53c-4b54-4139-a449-323fd9bfdb63} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 3080 14f71693758 tab
    3⤵
    PID:3836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.3.2081703576\925542041" -childID 2 -isForBrowser -prefsHandle 1660 -prefMapHandle 2964 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec892eca-8cd5-4dc6-8b70-7a5b15f83b39} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 1188 14f64764458 tab
    3⤵
    PID:4432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.4.1162996251\926664961" -childID 3 -isForBrowser -prefsHandle 4184 -prefMapHandle 4180 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9ec0662-41d8-4554-a13b-16d3d518c090} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 4196 14f7668e458 tab
    3⤵
    PID:4888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.5.563234400\2108592296" -childID 4 -isForBrowser -prefsHandle 4904 -prefMapHandle 4324 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70748d9a-fcf0-4dc1-9cc6-af6d346f8920} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 4864 14f770c2658 tab
    3⤵
    PID:3708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.6.961656388\409365816" -childID 5 -isForBrowser -prefsHandle 5132 -prefMapHandle 5124 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a810050-b13e-40d7-9555-2f72194f3955} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 5144 14f77b65e58 tab
    3⤵
    PID:5076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.7.1440349256\327125117" -childID 6 -isForBrowser -prefsHandle 4864 -prefMapHandle 5072 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2434097b-9713-4eca-a038-9403476f2104} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 5108 14f77c64b58 tab
    3⤵
    PID:1248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.8.1459883441\228417207" -childID 7 -isForBrowser -prefsHandle 2876 -prefMapHandle 1664 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3896ae90-f0c5-4c59-a5ad-691215cd0fac} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 1624 14f7668ea58 tab
    3⤵
    PID:2280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.9.18336467\1425206825" -parentBuildID 20221007134813 -prefsHandle 6052 -prefMapHandle 1216 -prefsLen 26578 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b135243b-112b-4d7d-8a92-bf47ace2dfe1} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 6084 14f7908ee58 rdd
    3⤵
    PID:3004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.10.954627923\1437289127" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 7080 -prefMapHandle 7072 -prefsLen 26770 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f1842cb-f32e-4c39-b36b-1d3c6bb95d18} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 7096 14f78da9358 utility
    3⤵
    PID:5804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.12.399189820\1877384856" -childID 9 -isForBrowser -prefsHandle 6940 -prefMapHandle 4924 -prefsLen 27114 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd79dd9f-d3ed-42f0-bb49-f2fa4299322e} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 6924 14f793ba058 tab
    3⤵
    PID:6172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.11.898955848\275269596" -childID 8 -isForBrowser -prefsHandle 4648 -prefMapHandle 4616 -prefsLen 27114 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4374d4d5-3af6-42ef-be62-51780a75a60e} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 4980 14f64762e58 tab
    3⤵
    PID:6156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.13.1784565667\442170321" -childID 10 -isForBrowser -prefsHandle 6748 -prefMapHandle 6792 -prefsLen 27114 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9472206-0cfd-4b6f-961b-e384d79048a1} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 4520 14f76044458 tab
    3⤵
    PID:6868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.14.621815921\1852488687" -childID 11 -isForBrowser -prefsHandle 10048 -prefMapHandle 10056 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b9542e8-d1e8-4ffc-999c-983172b49373} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 10072 14f7b6a9d58 tab
    3⤵
    PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.15.1086197424\625359999" -childID 12 -isForBrowser -prefsHandle 6384 -prefMapHandle 6372 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b13451bc-55b2-444c-9d27-bfad0b101805} 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 6396 14f78d2e058 tab
    3⤵
    PID:6472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2040 -s 2080
1⤵
- Program crash
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9a0ad2bdh6809h4c29hb030h07ba4e45e4be
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffde9f646f8,0x7ffde9f64708,0x7ffde9f64718
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,8880156591438543826,1192593981856249935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,8880156591438543826,1192593981856249935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,8880156591438543826,1192593981856249935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:5252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
1a589af3180a23b6a4a7e9ca456bb33a

SHA1
d8623d1d8310646851cf591beda1b51613111fe5

SHA256
22a8e6eb6e6d5c8eb9d54f90d3234848120b3ce1021a24484d634766aec0f917

SHA512
64b348316a73ac7965f15da26de093159cbd9833d1bf69257f139e25681aa9faae1a2ff57504e8ac2c62d27aedb661e98944e1c8631d60b2a65895d41f15577a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
3KB

MD5
94f4d0d4128e3fa3b05ea8db82094782

SHA1
4154fb1d3821d02ebd8489fb6cf9ad5b912f3e83

SHA256
7affc55b3a65f93e23dcb279b865a0b22a40ad7e5ac6607212209eb4e09e79b3

SHA512
77087730ec7edd49316db0ce01496a588baa21e1ff23b3f38b4e5b5bc1f1d4f31f7776bc46199aa62c43ac2057b83146e3679b0076e01999d193e9541730fdba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
02e666a561fad38e531487c0fc95d40d

SHA1
7678de57ffd8d84a25f818ff59675714b6b5a6f3

SHA256
03ff58bf260cf5d0acd7e642fb0f522fd02f2bcc5ec000e6d1a43447d50eddcc

SHA512
e2b24d34d7e8451bd7453882ac7d9c955343e1c53d3e6cc6ddde24c6a09e46a45105c67378c95d66a6dde0e51fb877d8728b4f462e17800794d5c58df23f1048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
02e666a561fad38e531487c0fc95d40d

SHA1
7678de57ffd8d84a25f818ff59675714b6b5a6f3

SHA256
03ff58bf260cf5d0acd7e642fb0f522fd02f2bcc5ec000e6d1a43447d50eddcc

SHA512
e2b24d34d7e8451bd7453882ac7d9c955343e1c53d3e6cc6ddde24c6a09e46a45105c67378c95d66a6dde0e51fb877d8728b4f462e17800794d5c58df23f1048

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
147KB

MD5
6e5d53cf8b0b057fbe5d24bef038b974

SHA1
6843c4f08c3bb4bff27819e2a4d4cac7bf333d9b

SHA256
020bc9904ec8cbcf7e01296d41f2431234117b3c687331e5d01ff7138dc7431a

SHA512
5c4e31a6bdb63eabc0e58f911ceed991898221bcefef44b08f79f73175617bc98bfc9b5b833e97831b263851ae1fb03ac40df81158df42d45d5cde2f612bd397

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\entries\F11204829CC13571614E3D775BD59227FBDA48CF

Filesize
113KB

MD5
254e529e27f9a432a582a8f15a803920

SHA1
e86bb27d5fd9803fc09d1ac0bd1bd1b5f72e0ca9

SHA256
954fc8518fb3710bd9d3a3280ad80a47306121ca2d16a1775327c431c603bdb7

SHA512
bbcec2134c85927e23105c4510ae21089488cf1f6ae18e61fa867f2a27f709c281e9846b38d04cb64ac597e56d57799ea15d672c28c7540627c43f2f43830b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-18467

Filesize
1.8MB

MD5
d925113f6256ad53ee770e89a6ec6e63

SHA1
6da9010d635c5a4c2d1df8507dffd0015428c636

SHA256
9d98d2d140403059862b6ea01d5dc681708349bd6387a7d80c3329b2b0ea0d87

SHA512
58d045ca202ec2b360ea8ae23c8c8d1ef2c17cf4c73335c801269aa9bd3523b5f9181a36dc187a72055e10b88b7fa60440d418b3bacffa3b81859bcab0dd017c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
134da0b01ef0b25db994b0fb57c0f745

SHA1
923af19fb88696a2f382bcd3d04997e172d63b26

SHA256
5afa898053edf80120a23d624603a385eeeac167b8cf05e7d6c7801591432536

SHA512
dacd45484741f81d0bff33969feb9079f739dbb4c4e8cb1531b44a6c8e984cf43442ebdae4f5d92ac67d897c67ff29db1d88266a97235efdb49fd8fbd528641b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
21bf2d940e283d02189bfa3d6e0184a9

SHA1
cc3b3c82f902a66316f5584747ea40042cb76df8

SHA256
8f095306547861ecd740591cb537f57515910091585611a2445bc557680bde97

SHA512
15b21bd9ffbc1be92e6b488a997db0989d62a482ee6938cf2dbf7630cee0f1fe29a7de44aa1ff7af2526f215302c0394704b48f23061118a1387dcfec5e2250f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
052f1e703616892a9e77908ebc13cd2f

SHA1
cf020f98cef0b2be1d2e455df95a61dbc7793cdc

SHA256
1fc4e8e4b8c6ddaaf7e5f89988e1767d5559bbdf37d6d1e37fb787f810eebd28

SHA512
bf0d0c38f844d5def9f8dfbd15e026a32bc9e3bb0b1f159859317e9b792e56ee190d9ed604eba1880b1962984285d61d77010ed90db99f380323f76d0e0f0b69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
3c65c2907e3b61039d7e241c7e8d5466

SHA1
9d5c9f1f623712e1b54e8f0725c88f0bfc0ac388

SHA256
75e46660006f9df680f22de91fab0a84e8200a05f0ecc6f23039b26e2d5284f0

SHA512
9ca76d246fd1c705cf3566512a4b283f581ae15f7a5dbae4b4b91646e6e47e1ddb369c4a593dfdf9344bc31df36a4c3de1cfb00766ee8ff2a1189c8d0f87b6f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
fdf3c1e58b50902d2a0d943b4efb2ca4

SHA1
ffba08fda34e70ec6eb3568da1571046d9ba755f

SHA256
b373f18e68aafa84ca5d4103768798eb4f394314d6f5eae42808cdf7323a359a

SHA512
34776a182f35e9b5d0052fe90373d626bbd71bfce0a70eec5d0a97088ec5aff120a87b9b5813b944add7668bd0bef093e6626358ce5c123cf1121f25042ac243

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.js

Filesize
6KB

MD5
feb8a52858c8167a58f36caa1b37f116

SHA1
7ae7f9d2721ae3c579f9e18e4fea679e8c848158

SHA256
adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a

SHA512
109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
78bfcbc16ea4510fc86a339cfb2d5773

SHA1
f08f6affe62517cd89975237006405c7d8b3d219

SHA256
7cd08bd47f28eab1576d7d6b46c5f849dfe9e7530324f00c97095f75f0bacc05

SHA512
ab056ccf5fd2435f7b54b5a28b88463d54b5da243284a254a1a9056fcd98f10cb5b9abfb174cd4979e7be82253e7d3e690b86b36e650469d2868cd84ce3c9828

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
a2031f1ae1ccfe51eceb5305707d240d

SHA1
209c1cd56a13e75d932d9e6ef2223a05307f3564

SHA256
aae75922782f9ef637e6256120de4ca8d6ca573da16fa2c92146f9e9d596ab28

SHA512
0c0b9d3f798624503a5149d080af39eea0b492d6bccdcf5fda336b6956c375f3a0940b0677498492d6a2c2e4fac943733c164cfea89b8848abd70aa5da346eb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\storage\default\https+++app.element.io\cache\morgue\100\{c3d88120-d368-4eaa-ad34-a2da8e75d464}.final

Filesize
62B

MD5
05fe6ebc57dc338abc76afdc1cb901ba

SHA1
e4fcb93310967de11b8e117bf5a74715445becd2

SHA256
1eaeb69764d49ed43bd8e8f66dabf2692760491414b3c79b735fae082de63647

SHA512
76cef1a07044e4745fde1afe2510b1bf6f06bffa9ad76cd5670d5c124b49578974038b4d0a58bfd579e1cfd990b32eed259fd188d4faa2fcfa2b71b361fa1aaf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\storage\default\https+++app.element.io\idb\1121647440mcantyrsi-xb-ejws--ts.sqlite

Filesize
48KB

MD5
7637f13fa3873605714b45ab0204a913

SHA1
e7f7844eabc883d1c58eb3d922ebfcff88c7da48

SHA256
958884b4f16fb951dbe754737358189c99163d4fac678fe33cb74c2724079b40

SHA512
d491dde0a1e03eaeaa7dfca7d2fc5a5b91b2c9c1024453576cd28292c58bf4f25c1f6c96d24f0aa6be0b1137b86a40bd424e13a79b193ec1bdcfff79436b7aab

Download Submit
memory/1796-180-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/1796-137-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/1796-138-0x00007FFDC8620000-0x00007FFDC8630000-memory.dmp

Filesize
64KB

Download
memory/1796-133-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/1796-136-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/1796-139-0x00007FFDC8620000-0x00007FFDC8630000-memory.dmp

Filesize
64KB

Download
memory/1796-179-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/1796-181-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/1796-134-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/1796-135-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/1796-182-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download