9b2b902f5fd53b72cabfcc0e0191c876c92c1c748bcdbb7c00f9d62d7ba76914

Resubmissions

11/07/2023, 14:12

230711-rjckfahd79 3

11/07/2023, 14:11

230711-rhr9hahd78 3

10/07/2023, 12:51

230710-p3ykxaad52 5

Analysis

max time kernel
36s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PLAYWITH Inc.exe
Size

443KB
MD5

202cfd201273c29373d1ad70a470135a
SHA1

f5bb852e9880bbccd7c41e75d2741d06a8a28085
SHA256

9b2b902f5fd53b72cabfcc0e0191c876c92c1c748bcdbb7c00f9d62d7ba76914
SHA512

544a716fab4f517de6ffdb3aff025557444b3377a4d63665ca05b0e63058a00d217528daa4b4c6ff2ec466efbfd952d9951f80b60af74ffc3eb7dc1af1f79fc1
SSDEEP

12288:OeWWYgeWYg955/155/vHqbV6+ZvuS6/wgksMo3/rdv:OefqLul/wgkZadv

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1416	4252	WerFault.exe	87

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 = 5000310000000000e356d76510004c6f63616c003c0009000400efbee3562663eb5685712e0000008fe10100000001000000000000000000000000000000991392004c006f00630061006c00000014000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\NodeSlot = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 5600310000000000e356266312004170704461746100400009000400efbee3562663eb5685712e0000007ce10100000001000000000000000000000000000000b7e7bf004100700070004400610074006100000016000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 7800310000000000e35626631100557365727300640009000400efbe874f7748eb5685712e000000c70500000000010000000000000000003a0000000000575fd50055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 5000310000000000e556ddb6100041646d696e003c0009000400efbee3562663eb5685712e00000071e1010000000100000000000000000000000000000078501501410064006d0069006e00000014000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3860	firefox.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3860	firefox.exe
3860	firefox.exe
3860	firefox.exe
3860	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3860	firefox.exe
3860	firefox.exe
3860	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3860	firefox.exe
3860	firefox.exe
3860	firefox.exe
3860	firefox.exe
3860	firefox.exe
3860	firefox.exe
3860	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 2308 wrote to memory of 3860	2308	firefox.exe	90
PID 3860 wrote to memory of 1924	3860	firefox.exe	93
PID 3860 wrote to memory of 1924	3860	firefox.exe	93
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 4924	3860	firefox.exe	94
PID 3860 wrote to memory of 1316	3860	firefox.exe	95
PID 3860 wrote to memory of 1316	3860	firefox.exe	95
PID 3860 wrote to memory of 1316	3860	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.0.1312373480\316393294" -parentBuildID 20221007134813 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f7ab747-b82c-4fc3-b884-f6973f2e0565} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 1908 1a7d53cc158 gpu
    3⤵
    PID:1924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.1.2053371294\419540396" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88d21e1b-eb53-44dd-93ad-110b38ebfd5f} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 2360 1a7d4ee3e58 socket
    3⤵
    PID:4924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.2.1513028748\289750554" -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3276 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {594daa06-a680-44d9-927d-bce175f3065a} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 3168 1a7d8d98158 tab
    3⤵
    PID:1316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.3.1012990482\846121982" -childID 2 -isForBrowser -prefsHandle 1052 -prefMapHandle 1000 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b28d69b-f2cb-4383-8806-d8f37e041d62} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 2828 1a7c8667e58 tab
    3⤵
    PID:540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.4.2048561244\2065317180" -childID 3 -isForBrowser -prefsHandle 4380 -prefMapHandle 4524 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49e45f5a-6cbf-4fac-8946-142b86794ce1} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 4580 1a7d920de58 tab
    3⤵
    PID:2192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.5.1241051363\46328015" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5076 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c93f6f0-c9b4-4ef3-a871-c06263c2680b} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 5088 1a7da6f8658 tab
    3⤵
    PID:3356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.7.264907923\2103059263" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {090890b9-28cb-4aaf-ae7d-7011c46c27a0} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 5400 1a7db87f458 tab
    3⤵
    PID:5028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.6.86844677\223255644" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cff42bf5-11e3-445c-a143-939bd30faf0a} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 5208 1a7db87ee58 tab
    3⤵
    PID:3364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.8.933345813\309918891" -childID 7 -isForBrowser -prefsHandle 4668 -prefMapHandle 5220 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac3dc39f-dcca-4ecc-bf5b-8979458a013d} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 4580 1a7c8672e58 tab
    3⤵
    PID:3080

C:\Users\Admin\AppData\Local\Temp\PLAYWITH Inc.exe
"C:\Users\Admin\AppData\Local\Temp\PLAYWITH Inc.exe"
1⤵
PID:4252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4252 -s 240
  2⤵
  - Program crash
  PID:1416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4252 -ip 4252
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\activity-stream.discovery_stream.json.tmp

Filesize
154KB

MD5
405fecba9505a603c6b144c63f7b6ec8

SHA1
753bb99c9a72eeb6494ec3d19f7029158b5a2839

SHA256
cc74bdebb027d349db332530457bd2bf61d92a319c7b8bbeeffccb318185489e

SHA512
0c0caed807ab218f3e1449a9d4c046faad835ac30aed298bab86b01947ab6c67c2db33f087e4afc4cae5092cb52fc0c090e9fd3e8e726ae171bcb9c550d35f02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\prefs-1.js

Filesize
6KB

MD5
902ed801d7468eed5f917740ed6475b0

SHA1
e23ebf4f3ff8043e869f857bafb720223f643755

SHA256
f6dfb0bbc00fac07b7e9808a2f4f01439187cd7a798fdec96f125e361a8502ec

SHA512
3fc35c8e8c8f33079c8e8c7fbce0bd0ebc3dcbe12a530c788f192b00a4c6a6251333c6f914431f3cb4502b27ae114c764a6d167b9cf8680f1661d89f47b898dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\prefs-1.js

Filesize
7KB

MD5
788147046dbe8436df80491724c2781e

SHA1
338ccb8bf577035ea599e0d6148542b589014c23

SHA256
eb113cdc4c6d91fe57e8aff81fa99a95d3650db29367be7b0cbbb34dbbd49343

SHA512
d267fde60d237dfa28016122cf26dbdef03717086d74a3c4b99049487345904c64d6fa10ff20cf23039c261b80f1407ca16258bb93c7e8c5e8382f2585652479

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\prefs.js

Filesize
6KB

MD5
c646962790fa756edc04ae1e5085319a

SHA1
22df0d5a13f458d723f022588589ab0309f57db0

SHA256
55773724868c92790f2eaf3446228167f7409f44d5f11abebf2d3a6c54ea434c

SHA512
0aa46b04a5383f118681a600999b1f50ece8b827e690579afed2a28daaa0dd0c3bf3bf188d9a414eb706a039ac6681d8a30b166f290969469b85070e2a5d4760

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b3dc5e23cf8f65106cb0afcf772c7bdf

SHA1
3b9b3eda216f8e754eba6f66bb2d0362de842c35

SHA256
8beec1b3348867357c188e753994bc76cc29c91c66cbd5a927910c792d4a5850

SHA512
89484ef76ffa5f67915d67aeecd5b658fa0f0ccf4823ab184a1c3e85bf454c5dc7ee1f690c1dc12215046ffd7acfeb1a2f9b35c59287b75703b62e850a02cb8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
c7946b138cd4f6312f123766714b0ce9

SHA1
cd222f91958b4e07b5e87d595cc9791442610145

SHA256
1c59d59256da21b7b61752efe024e0340b27ee19b65ba90859a4a07a8637594f

SHA512
0ac19d017a9a43cc6a0216de9e8f9ee177c6bb75b4686aab93771d22386426b460ddbe8eb8e1a8df6474821c11ae9e9d821ce28c6a208c428ec1d25429434ef1

Download Submit
memory/4252-133-0x000002C9C3750000-0x000002C9C3753000-memory.dmp

Filesize
12KB

Download
memory/4252-139-0x000002C9C3750000-0x000002C9C3753000-memory.dmp

Filesize
12KB

Download