hxxps://www[.]softonic[.]ru/download-launch?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9[.]eyJkb3dubG9hZFR5cGUiOiJhZmZpbGlhdGlvbkRvd25sb2FkIiwiZG93bmxvYWRVcmwiOiJodHRwczovL3d3dy5pbnN0YW50LWdhbWluZy5jb20vZW4vNDQyLWJ1eS1taW5lY3JhZnQtamF2YS1hbmQtYmVkcm9jay1lZGl0aW9uLXBjLWdhbWUvP2lncj1zb2Z0b25pYzEiLCJhcHBJZCI6IjRiZmQxNDk0LTk2ZDUtMTFlNi04MGM4LTAwMTYzZWM5ZjVmYSIsInBsYXRmb3JtSWQiOiJ3aW5kb3dzIiwiaWF0IjoxNjk3MjAyMzA1LCJleHAiOjE2OTcyMDU5MDV9[.]V3EQkhIdAykarkKjTlaCIMZLYZZH_oIYpuyrKAXd9UY

Analysis

max time kernel
151s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.softonic.ru/download-launch?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkb3dubG9hZFR5cGUiOiJhZmZpbGlhdGlvbkRvd25sb2FkIiwiZG93bmxvYWRVcmwiOiJodHRwczovL3d3dy5pbnN0YW50LWdhbWluZy5jb20vZW4vNDQyLWJ1eS1taW5lY3JhZnQtamF2YS1hbmQtYmVkcm9jay1lZGl0aW9uLXBjLWdhbWUvP2lncj1zb2Z0b25pYzEiLCJhcHBJZCI6IjRiZmQxNDk0LTk2ZDUtMTFlNi04MGM4LTAwMTYzZWM5ZjVmYSIsInBsYXRmb3JtSWQiOiJ3aW5kb3dzIiwiaWF0IjoxNjk3MjAyMzA1LCJleHAiOjE2OTcyMDU5MDV9.V3EQkhIdAykarkKjTlaCIMZLYZZH_oIYpuyrKAXd9UY

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2332	msedge.exe
2332	msedge.exe
2416	msedge.exe
2416	msedge.exe
6124	identity_helper.exe
6124	identity_helper.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

msedge.exefirefox.exe

pid	process
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
1964	firefox.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
1964	firefox.exe
1964	firefox.exe
1964	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

msedge.exefirefox.exe

pid	process
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
1964	firefox.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
1964	firefox.exe
1964	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1964 firefox.exe

pid	process
1964	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exefirefox.exe

description	pid	process	target process
PID 2416 wrote to memory of 1064	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 1064	2416	msedge.exe	msedge.exe
PID 1964 wrote to memory of 2424	1964	firefox.exe	firefox.exe
PID 1964 wrote to memory of 2424	1964	firefox.exe	firefox.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3352	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 2332	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 2332	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe
PID 2416 wrote to memory of 3404	2416	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.softonic.ru/download-launch?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkb3dubG9hZFR5cGUiOiJhZmZpbGlhdGlvbkRvd25sb2FkIiwiZG93bmxvYWRVcmwiOiJodHRwczovL3d3dy5pbnN0YW50LWdhbWluZy5jb20vZW4vNDQyLWJ1eS1taW5lY3JhZnQtamF2YS1hbmQtYmVkcm9jay1lZGl0aW9uLXBjLWdhbWUvP2lncj1zb2Z0b25pYzEiLCJhcHBJZCI6IjRiZmQxNDk0LTk2ZDUtMTFlNi04MGM4LTAwMTYzZWM5ZjVmYSIsInBsYXRmb3JtSWQiOiJ3aW5kb3dzIiwiaWF0IjoxNjk3MjAyMzA1LCJleHAiOjE2OTcyMDU5MDV9.V3EQkhIdAykarkKjTlaCIMZLYZZH_oIYpuyrKAXd9UY
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffc75a546f8,0x7ffc75a54708,0x7ffc75a54718
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7339842281403341736,8949450949568472802,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4952 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1964.0.1202142087\317219699" -parentBuildID 20221007134813 -prefsHandle 1824 -prefMapHandle 1820 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4633173-4987-461b-9031-4125548adc68} 1964 "\\.\pipe\gecko-crash-server-pipe.1964" 1988 13a50bd9b58 gpu
  2⤵
  PID:2424
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1964.1.931542243\1749775532" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2344 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {460c83ee-2dad-46aa-90f2-0e3cc6911133} 1964 "\\.\pipe\gecko-crash-server-pipe.1964" 2392 13a50739558 socket
  2⤵
  PID:2936
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1964.2.774592398\1449444571" -childID 1 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7982195-0f84-4f7c-ab75-e54cdf636537} 1964 "\\.\pipe\gecko-crash-server-pipe.1964" 3648 13a54825758 tab
  2⤵
  PID:3968
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1964.4.859120836\1756323638" -childID 3 -isForBrowser -prefsHandle 3388 -prefMapHandle 3312 -prefsLen 21118 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0db1b1ca-1e07-44e1-98e7-0073355f1a9e} 1964 "\\.\pipe\gecko-crash-server-pipe.1964" 3860 13a5522d058 tab
  2⤵
  PID:524
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1964.3.82681443\498047086" -childID 2 -isForBrowser -prefsHandle 3164 -prefMapHandle 3396 -prefsLen 21118 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4d53d9b-3923-46fc-ac04-be9894fdde8d} 1964 "\\.\pipe\gecko-crash-server-pipe.1964" 3824 13a5522c458 tab
  2⤵
  PID:4348
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1964.5.1910706378\266763661" -childID 4 -isForBrowser -prefsHandle 3992 -prefMapHandle 3996 -prefsLen 21118 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84c33bea-20e7-4892-bf50-a196eab354e3} 1964 "\\.\pipe\gecko-crash-server-pipe.1964" 3980 13a5522d658 tab
  2⤵
  PID:1992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4028

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv EslRlj8fkEubI+R+XGHjYA.0.2
1⤵
PID:5384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
272617022cebf60830d6b47f77f8567e

SHA1
57236e07d9d6337e09f70e8d141aa29359c9bbe7

SHA256
019d362911812626acb8c8a1513f538e86c2aa1a61a7ee06ec8d14e0f96f74b8

SHA512
9c179631e0f3d3ca0be7459b4ce80258eb032c131ee856bbf1c14cd907914dafc4b4a35fef978601f749eb537ab6124a7e2706cf3bee9f7e66eaf221eb0de025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
965c3e83b11bab8b0f8f1fa388f199bc

SHA1
a3f5bead0efd14096bff89aceb225110fa863adc

SHA256
8c7ed1783c189b165e86a2922112ee6f614eac7452b825104f335f628d723fe0

SHA512
fa2fcc6ad111fc9cc1f0e492ecd71373630dc7534b7794d2afba8f0872c9b7665be450ac41b0dcea362a39a8bec161d3e693de30cf54e93d9bcdef9bfa194236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
371727c16d0c6b054dd769cdbd49253f

SHA1
20746116e14c52fe9c46f28f7a41d7b2a3cd973f

SHA256
5ecd2f18d4a4d01b02db3e1d44c26efccf9581008b6c1b494f550f44111075f7

SHA512
b1486aa290be52d3158c6a988401ac0f6c0bb9e9ae8889e0d2d9e4f270ce4e686a4cfe9723fb1c00013a4d17ae8ca600dfd7f88d8a8ba5785c59208a73217f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
46a58dd4907b7862796e41afb79edef6

SHA1
2e96d08490d31f7486695f5f344fc8bc3cc20efa

SHA256
5e5c848c4ca72ba70e39ca5cb30e5d089e903ee752be15e71373127d53eec40b

SHA512
4f073315a0e7d7c1454d9a2f07433f7f9707fb0e49a9d5702d47e6880d4204211bde6f0f4b93f23357c5a0e4b4b6b726f9a38c5f9a51c0a6c59033c8d336222b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
23a3ec3b4e1cd30ee8863fc5ef74a7dd

SHA1
9e2443076cb34a746605a0e45f931d357aa2900f

SHA256
69863c1fc9bf4f8dbdfe7ddf3070e4497a8d7b7b8646feb296f17e8513dd0ad7

SHA512
916bca0426906dd1fa0dd8c5244e804436f1906920d869989ab4b237e1f84fab74c5edaada59dd03c1c7388c395d4350bafafa0b57741f765e64d68dc780dc8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
10f5b64000466c1e6da25fb5a0115924

SHA1
cb253bacf2b087c4040eb3c6a192924234f68639

SHA256
d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b

SHA512
8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
094aa9baf8a3377be8abb6baf3bad1f1

SHA1
8036232717280e3a6fed0c983b974b540c6771fa

SHA256
7045f6c38cd28b4fb50a8bcb08e555ef2383296d0f9575b801e7f2d87939d21d

SHA512
3f37929433a6d5623efb4290b1272fb5ad1d0cceff94cce2c3f18fac593552490f3a11875dd6f8a0a8606b6b6e58d141cff5bd65f9bf7d2e6119413af92f80ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586906.TMP

Filesize
3KB

MD5
b77a7a02ffbff46553239e85981e1c56

SHA1
aa6b99fb083c41a65f529e84d313b1aed900f137

SHA256
a60d1d5d4632d2ee4d93367598a3526699a14c44c1d7bc6733d8f0e71acdffda

SHA512
a816ca3b453236a6be78ce3410736c9b5b86771c52096d60ac22dec5906c2c177d8758802a45d03818fbcd75a7c13bbc761f633eb287191a40cf17d1bacd897e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
936cf97af8696014a832375cac8603e1

SHA1
1314ff427df73d9be59542fdd87709b992343d70

SHA256
82432d98ce7ca646a821ea998ee90539651e3017baecb3953664c641b1b2fd17

SHA512
1de38a26af39d13925efe79b57daed2bfc960a0c1cd32b1bd3ea192d4c3320e593d4bb7fa8085b132e3f06fe61b8735f47e93b6958402eb24907b9b86ff006c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
235b23c221a1a497b205b3dc32628776

SHA1
ef9e70fa69c3763fd7d7d0d67677a967a9e6a1cc

SHA256
619397c9e40ae6e71b9d638eab6b36fa1e924ffd472ab1e4ae5bf246fd38efeb

SHA512
6570319dea44d2452741ee5877cbc796df763893b821c5cd3c5ffd4a5ff0b44226b4c818231d54284dfe36f952eeaee1d8db2cb91b8ddba5b7a8c32eb6640cf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
271B

MD5
f50cacab83b2ed957ede45cf5233aa30

SHA1
99df31432ddfc9388889d98e47c17dfb744a1c8e

SHA256
7a4592b5511cf88615e86801b9d489d72c2cd86d9266c3c2be68ceb895d8593a

SHA512
2c8273e97b0cb11ac0592839f634e332b7c9a1b1ec5346091c9eb910d1c65c8284dfb29c75ea1a25b2a022919d4a736d31d3b516be133ac2ef97bb215b583bf6

Download Submit
\??\pipe\LOCAL\crashpad_2416_LVNRAKWPOMLNEMAW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit