Resubmissions
08-09-2023 19:19
230908-x1zdesfa2w  10  08-09-2023 19:08
230908-xtd4xaeh7t  6  08-09-2023 19:07
230908-xs5kgaeg85  3  08-09-2023 18:58
230908-xmy6haeg56  7  08-09-2023 17:30
230908-v3hscaea96  8

Analysis
max time kernel: 368s
max time network: 368s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2023 18:58
Static task: static1
Behavioral task: behavioral1
Sample: Captura de pantalla 2023-03-05 184332.png
Resource: win10v2004-20230831-en
General
Target: Captura de pantalla 2023-03-05 184332.png
Size: 47KB
MD5: c662c6bef8d03268babc40558500c421
SHA1: 33881cac944362c415ce1c000d0e6c43e7b8fd57
SHA256: 1be92987b9ab334d25c940577da37ccbbd417b2e4e52b97b668347d90e1eeabb
SHA512: 4f7f75247e717337309d73004a79a0986911fa0525f36f41dc5be3ca3a0ed2033575737ceded69895a77626cb6e90152bdb0ea16655e6a8048731301e11802be
SSDEEP: 768:UZ+vjsWKoGWORUYGnBAPmxVU68vKbLxY0OKZY+S7SaLeP2MeqrsP4/jx4Lbf2:UnRofGoLJ8ib75a+kSaLK2Z+sA/eO
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  4852  f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe
  5376  f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 4852 set thread context of 5376  4852  f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe  145
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                                     Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                        taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                           taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (45 IoCs)
  pid   Process
  4852  f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe  (4 identical rows)
  4224  taskmgr.exe  (remaining 41 rows, all identical)
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description                        pid   Process
  Token: SeRestorePrivilege          812   7zG.exe
  Token: 35                          812   7zG.exe
  Token: SeSecurityPrivilege         812   7zG.exe
  Token: SeSecurityPrivilege         812   7zG.exe
  Token: SeDebugPrivilege            4852  f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe
  Token: SeDebugPrivilege            4224  taskmgr.exe
  Token: SeSystemProfilePrivilege    4224  taskmgr.exe
  Token: SeCreateGlobalPrivilege     4224  taskmgr.exe
  Token: 33                          4224  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  4224  taskmgr.exe
  Token: SeDebugPrivilege            5376  f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  812   7zG.exe
  4224  taskmgr.exe  (remaining 63 rows, all identical)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid   Process
  4224  taskmgr.exe  (64 identical rows)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 4852 wrote to memory of 5376  4852  f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe  145  (8 identical rows)
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Captura de pantalla 2023-03-05 184332.png"
  PID: 4504
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.0.124885495\1410374192" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd9bb91-f6d7-46eb-8a50-e179c20966b9} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 1920 224bbddf858 gpu
  PID: 1684
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.1.942831960\596213116" -parentBuildID 20221007134813 -prefsHandle 2284 -prefMapHandle 2196 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0e1f81c-15e5-4636-b9de-f2843116040a} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 2320 224bbd03858 socket
  PID: 988
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.2.268674254\560260207" -childID 1 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d932697-8510-4efd-bbd6-c8d3935c76b3} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3532 224bf80b558 tab
  PID: 1864
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.3.1779302404\201969702" -childID 2 -isForBrowser -prefsHandle 2996 -prefMapHandle 3292 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03ee9cd1-75c6-41b2-bbed-fcc55fc4cd3f} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3412 224af362b58 tab
  PID: 3300
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.4.770212386\31487187" -childID 3 -isForBrowser -prefsHandle 2696 -prefMapHandle 2808 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecf3ce81-8c46-4ea0-acbf-d8da1ac236aa} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 2692 224c078e058 tab
  PID: 4260
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.7.1106882379\1366741003" -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68981f25-4f49-45f0-b920-c7aa4dc58763} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5216 224c1dee558 tab
  PID: 2932
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.6.1434437423\1523413726" -childID 5 -isForBrowser -prefsHandle 5028 -prefMapHandle 5032 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2db7532-6a6f-47d5-9bed-ec5d2c6f5188} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5020 224c1df1258 tab
  PID: 2692
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.5.607924088\1238268273" -childID 4 -isForBrowser -prefsHandle 4924 -prefMapHandle 4888 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dc6968a-5e3b-4935-8875-946bf4da7262} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 4908 224c078f858 tab
  PID: 2172
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.8.195535328\955542575" -childID 7 -isForBrowser -prefsHandle 5744 -prefMapHandle 5716 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e2ae136-8d26-45a9-8685-924fc8348a4c} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5748 224c397fb58 tab
  PID: 5236
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.9.128505770\856099543" -childID 8 -isForBrowser -prefsHandle 4216 -prefMapHandle 5744 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e85c8ff0-0537-40b6-b58a-abec9ac766d0} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3884 224c1a51558 tab
  PID: 5428
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.10.758945952\1655479474" -parentBuildID 20221007134813 -prefsHandle 3920 -prefMapHandle 5716 -prefsLen 26752 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18ba07a7-a253-452f-97db-018597dd5e72} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3828 224c1a54e58 rdd
  PID: 5472
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.11.1881627105\370288970" -childID 9 -isForBrowser -prefsHandle 5108 -prefMapHandle 5428 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92a0711c-eaeb-49f5-85c2-789f702e5342} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5188 224c1df1b58 tab
  PID: 5676
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.12.1654118739\1277086762" -childID 10 -isForBrowser -prefsHandle 6296 -prefMapHandle 8616 -prefsLen 27153 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {676a1c98-d071-4fe7-b8f2-d2c54abc2f64} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 8608 224c3f32858 tab
  PID: 5280
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.13.1962885070\905080752" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 8360 -prefMapHandle 8364 -prefsLen 27153 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e8e46ac-25f9-4a8f-8160-d7fe11c2edde} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 8348 224c4b06758 utility
  PID: 912
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.14.1224285305\348855115" -childID 11 -isForBrowser -prefsHandle 3864 -prefMapHandle 4712 -prefsLen 27153 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38fd676e-0255-4afa-a05a-4720cf4edb90} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5776 224c1a52158 tab
  PID: 3224
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.15.1662776810\182458477" -childID 12 -isForBrowser -prefsHandle 8420 -prefMapHandle 6104 -prefsLen 27153 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {294f85ef-8f5d-4e5d-ab16-376feefd568f} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 6096 224c1defd58 tab
  PID: 3320
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.16.1814885900\1099882102" -childID 13 -isForBrowser -prefsHandle 5812 -prefMapHandle 5232 -prefsLen 27153 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cf53989-fdb2-4207-af75-d5ddfa2fc6d5} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5816 224c3ae1558 tab
  PID: 5388
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5328
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap22205:190:7zEvent26391
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 812
- C:\Users\Admin\Downloads\f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe
  "C:\Users\Admin\Downloads\f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4852
  - C:\Users\Admin\Downloads\f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe (child of PID 4852)
    "C:\Users\Admin\Downloads\f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 5376
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4224
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.18.825411977\1610165825" -childID 15 -isForBrowser -prefsHandle 9572 -prefMapHandle 9568 -prefsLen 27211 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7df58d1-f558-4cbb-80de-83ccc9048679} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 9580 224c1def458 tab
  PID: 4860
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.19.409873234\1261648034" -childID 16 -isForBrowser -prefsHandle 9464 -prefMapHandle 9460 -prefsLen 27211 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae3a6536-a830-457f-9392-138d06af2a9c} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 9476 224c22fc058 tab
  PID: 3856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.17.2015453214\298592376" -childID 14 -isForBrowser -prefsHandle 5392 -prefMapHandle 2692 -prefsLen 27211 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33704a61-7d2f-4d4f-b7dd-2c6144c99f66} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3924 224c0b41258 tab
  PID: 5380
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.20.402428770\2116524929" -childID 17 -isForBrowser -prefsHandle 9408 -prefMapHandle 4692 -prefsLen 27290 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffea52b5-0826-4541-828b-495576ab540f} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 9396 224c34ce258 tab
  PID: 4324
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.21.1655858538\532229364" -childID 18 -isForBrowser -prefsHandle 8236 -prefMapHandle 8244 -prefsLen 27290 -prefMapSize 232675 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30124444-bb9c-4834-a56c-b586315b1f0b} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 8228 224c3b9b458 tab
  PID: 1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  Decoded -enc argument (base64 of UTF-16LE): Set-MpPreference -ExclusionPath C:\
  PID: 6024
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1.1MB
  MD5: f5f13d296ccbe05f3b4236e58e130ac3
  SHA1: 82df76a9a4602932b58862e22ce3bdd51f9871ad
  SHA256: f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422
  SHA512: 4f42cc3e9d7de0a2d3d7b135403af42d3e015df125dbbdcea13afb319e0c9a7333195ba9ba4e8c64eddb30da37f2a9a5234311493634f0bc6852fe21469b8d06
- Filesize: 1.1MB
  MD5: f5f13d296ccbe05f3b4236e58e130ac3
  SHA1: 82df76a9a4602932b58862e22ce3bdd51f9871ad
  SHA256: f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422
  SHA512: 4f42cc3e9d7de0a2d3d7b135403af42d3e015df125dbbdcea13afb319e0c9a7333195ba9ba4e8c64eddb30da37f2a9a5234311493634f0bc6852fe21469b8d06
- Filesize: 1.1MB
  MD5: f5f13d296ccbe05f3b4236e58e130ac3
  SHA1: 82df76a9a4602932b58862e22ce3bdd51f9871ad
  SHA256: f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422
  SHA512: 4f42cc3e9d7de0a2d3d7b135403af42d3e015df125dbbdcea13afb319e0c9a7333195ba9ba4e8c64eddb30da37f2a9a5234311493634f0bc6852fe21469b8d06