500d0c1f457ab162b7ea0f1d31c32757d70421b8c9bc7b0083a5e3567441ed37

Resubmissions

12/10/2023, 09:17

231012-k9jccaae7t 7

11/10/2023, 09:08

11/10/2023, 09:00

11/10/2023, 08:53

05/10/2023, 08:00

05/10/2023, 07:52

05/10/2023, 06:28

Analysis

max time kernel
300s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

500d0c1f457ab162b7ea0f1d31c32757d70421b8c9bc7b0083a5e3567441ed37.exe
Size

727KB
MD5

3bd2bc1fb2ed7ce223505556ee150890
SHA1

4cfd2d4f3c8c7359164eb79cf0830480d4793f1d
SHA256

500d0c1f457ab162b7ea0f1d31c32757d70421b8c9bc7b0083a5e3567441ed37
SHA512

374eae32c1e803f468ed248d7828ea98b438d1377e21775beb5e0a477b593816ffa543d7dd3da94613d7e448a9d5557269f2c1b27d30726c85cf0a73f89883de
SSDEEP

12288:TcTn6DzlAr6n1X+R1vXAMk8Bm+r7uobOJ6+ShsoaqEkgOsS5:ATn0e6gA0w+3uVzShRag2S5

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	perfmon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	perfmon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
2316	msedge.exe
2316	msedge.exe
2516	identity_helper.exe
2516	identity_helper.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
4832	perfmon.exe
4832	perfmon.exe
1044	taskmgr.exe
4832	perfmon.exe
1044	taskmgr.exe
4832	perfmon.exe
1044	taskmgr.exe
4832	perfmon.exe
1044	taskmgr.exe
4832	perfmon.exe
1044	taskmgr.exe
4832	perfmon.exe
1044	taskmgr.exe
4832	perfmon.exe
1044	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	4892	firefox.exe
Token: SeDebugPrivilege	1044	taskmgr.exe
Token: SeSystemProfilePrivilege	1044	taskmgr.exe
Token: SeCreateGlobalPrivilege	1044	taskmgr.exe
Token: SeDebugPrivilege	4832	perfmon.exe
Token: SeSystemProfilePrivilege	4832	perfmon.exe
Token: SeCreateGlobalPrivilege	4832	perfmon.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4180	500d0c1f457ab162b7ea0f1d31c32757d70421b8c9bc7b0083a5e3567441ed37.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
4892	firefox.exe
4892	firefox.exe
4892	firefox.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4180	500d0c1f457ab162b7ea0f1d31c32757d70421b8c9bc7b0083a5e3567441ed37.exe
4180	500d0c1f457ab162b7ea0f1d31c32757d70421b8c9bc7b0083a5e3567441ed37.exe
4892	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2320	2316	msedge.exe	108
PID 2316 wrote to memory of 2320	2316	msedge.exe	108
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 1568	2316	msedge.exe	109
PID 2316 wrote to memory of 4324	2316	msedge.exe	110
PID 2316 wrote to memory of 4324	2316	msedge.exe	110
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111
PID 2316 wrote to memory of 536	2316	msedge.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\500d0c1f457ab162b7ea0f1d31c32757d70421b8c9bc7b0083a5e3567441ed37.exe
"C:\Users\Admin\AppData\Local\Temp\500d0c1f457ab162b7ea0f1d31c32757d70421b8c9bc7b0083a5e3567441ed37.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaaf6d46f8,0x7ffaaf6d4708,0x7ffaaf6d4718
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1770148498498794095,6989935283756538613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1770148498498794095,6989935283756538613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1770148498498794095,6989935283756538613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1770148498498794095,6989935283756538613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1770148498498794095,6989935283756538613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1770148498498794095,6989935283756538613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1770148498498794095,6989935283756538613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1770148498498794095,6989935283756538613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1770148498498794095,6989935283756538613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3748
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.0.1350411728\630699812" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1864 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89dcac7b-98b0-4b8c-8ff1-929746f12efa} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 1944 1bdedfd8358 gpu
    3⤵
    PID:1668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.1.351637725\1573608614" -parentBuildID 20221007134813 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0c729fb-1a9a-4c36-aa8c-f4f25f09179f} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 2336 1bdedefb758 socket
    3⤵
    - Checks processor information in registry
    PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.2.2055720871\30833836" -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3108 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62e2fe5c-e95d-4655-8958-1d6ec7ed5245} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 3124 1bdf229ce58 tab
    3⤵
    PID:3372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.3.1701377214\1598328687" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3556 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b774ad09-d856-47a1-8e83-1e9a14420f10} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 3568 1bde1762858 tab
    3⤵
    PID:3368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.4.1235044269\1339600074" -childID 3 -isForBrowser -prefsHandle 4008 -prefMapHandle 3996 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1985fa35-27d4-4cce-888a-7d2337d4e3ad} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 4020 1bdf371f558 tab
    3⤵
    PID:3520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.5.825108920\1014228610" -childID 4 -isForBrowser -prefsHandle 5004 -prefMapHandle 4960 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecd0b1ff-7e81-4804-a23d-d94ffb114609} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 5032 1bdf3720a58 tab
    3⤵
    PID:1064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.7.227322162\76063084" -childID 6 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fe20aeb-d274-4379-9f12-1f709a7b09b4} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 5348 1bdf4484b58 tab
    3⤵
    PID:3036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.6.1930265469\916531270" -childID 5 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25486e4f-0ee1-45b1-9822-97f12ee44463} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 5156 1bdf4484858 tab
    3⤵
    PID:4876

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1044
- C:\Windows\system32\resmon.exe
  "C:\Windows\system32\resmon.exe"
  2⤵
  PID:4628
- - C:\Windows\System32\perfmon.exe
    "C:\Windows\System32\perfmon.exe" /res
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bbec68478778aa23a5ad88cddc78c4a0

SHA1
5fe25ecbd981560a1f59f9e880ea77d894b48086

SHA256
60a161e76c09003a63dbaf18a656834d501c7fd717464795932c2987c97ab75e

SHA512
dc078bd6d2478dfa5ff674ca9cbdb330bd00dfe544b9be65e51c2d99383f9393d4817069f03eb7c5a4f0a63aead698c09e430e3e86dbf5d3ed73d23829d3a865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
36bf38ee958c20d27b7841362fb1aea5

SHA1
17e5f39b88102bdbf30119c11480c2d0e4d05e0b

SHA256
8b326a880f863cc727d2bd32823363cbb564582d8b270f63c5538e7dd15aa4ea

SHA512
2979bd2c83ca601ffb6d3271b7184804ede87a627af6ccd33bd64371e0f175714da7a9e57f27de4e845af29a19100899d9ef6348f841f9ac257feca145f1c71f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
491ce2c8d7bc10ae270262269bfe5461

SHA1
501a0f49242c948752c3002d0fc876b445705034

SHA256
bc1fde08c39a4d4d342dfbb3849b9fb258f90f09404b7971245030e08ad93851

SHA512
f5b1d96f825110a5665e0c6e3df87f6ffdb999f59e19419412d2197145e2572ff31b9d062fc9e1f8457bc1f1ebab9cf02220120331b601a08b8d47ac7be27003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
157f6e424ee1f4508713ace5d899476d

SHA1
143a44ad2704b4781118d91a23c33c9a2bbfe6d3

SHA256
d60e95da718d5db963934ce5ffcefb8ac4c80b85a615c393541ada6de39d144f

SHA512
288b862b0f2c8dd53c2779c967ce3120b0094cb288790a446d2b36c156b33ace283560488f02ccbb625a18051d9a599f6287aeec801f3189b1f1203af6a92dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\b7jtu2fw.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
255e405a10bc22bbcb58602d07a3d3cb

SHA1
bdc58efe87a7460d96a7037d58dd24897f7b4ec4

SHA256
718a3abb20d3a3f8c4bc2923cd53d140508e16a4a9a49b59779a93f715745722

SHA512
2300836f8193f5c479040a2fd1dc90cbcb484be2cfe48a3f54e37e3931ed0f798135a36fec14ce90f6f65ad1c930bf647a2c608390a5ba0087f3ec3cdceb49f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b7jtu2fw.default-release\prefs-1.js

Filesize
6KB

MD5
67a09ece60f0b404cc4cf69036491e6a

SHA1
ece56d2651e93495a017cd4ce33c3e57dcc1bc7f

SHA256
1f7107fd1efe6d46a268586813c35ec2ccca3626d10ca4997a82ec83cd3dbd58

SHA512
c747fe1155c509fb9a9f82d2b62214f9a08557200822dae0bd39af066459f3a7f450598cd280bfae08ee88d33ed9be481fc3cf4afe354dadd979d104f5b840b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b7jtu2fw.default-release\sessionstore.jsonlz4

Filesize
882B

MD5
3749a1a7c5d17a6c5aed9e29ed72aa2b

SHA1
abd965eb9e481c5a21aa468a55cf5763e0dd2b81

SHA256
fe5788f0b5c2455f3079b2e0d3f8877711aa4320463322692f55c503ccd1fd0c

SHA512
eaae92eecb5a571cb279839c453491adf12bd9f861f297cc94b4700b005b64682abb0cb26856fddedb77d9ce1832a930e05f5b995bdf1300bfc10e3332603c7c

Download Submit
memory/1044-272-0x00000269E16A0000-0x00000269E16A1000-memory.dmp

Filesize
4KB

Download
memory/1044-273-0x00000269E16A0000-0x00000269E16A1000-memory.dmp

Filesize
4KB

Download
memory/1044-276-0x00000269E16A0000-0x00000269E16A1000-memory.dmp

Filesize
4KB

Download
memory/1044-275-0x00000269E16A0000-0x00000269E16A1000-memory.dmp

Filesize
4KB

Download
memory/1044-274-0x00000269E16A0000-0x00000269E16A1000-memory.dmp

Filesize
4KB

Download
memory/1044-271-0x00000269E16A0000-0x00000269E16A1000-memory.dmp

Filesize
4KB

Download
memory/1044-270-0x00000269E16A0000-0x00000269E16A1000-memory.dmp

Filesize
4KB

Download
memory/1044-264-0x00000269E16A0000-0x00000269E16A1000-memory.dmp

Filesize
4KB

Download
memory/1044-265-0x00000269E16A0000-0x00000269E16A1000-memory.dmp

Filesize
4KB

Download
memory/1044-266-0x00000269E16A0000-0x00000269E16A1000-memory.dmp

Filesize
4KB

Download
memory/4180-3-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4180-4-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/4180-0-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/4180-2-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4180-7-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/4180-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4180-1-0x0000000000730000-0x0000000000735000-memory.dmp

Filesize
20KB

Download