Analysis

  • max time kernel
    125s
  • max time network
    113s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win11-20231222-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    12-02-2024 07:18

General

  • Target

    03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe

  • Size

    122KB

  • MD5

    979635229dfcfae1aae74ae296ec78c8

  • SHA1

    b4e0d9256b62868eb5c6f651ac4a154c6d71eb14

  • SHA256

    03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482

  • SHA512

    6303685d772ec6760ef4cbb952c5fd11658b4d066e8c02ee0f491382f19650197b2c1e47ae01119f51d358252ed66a7934ca0865b82c356b03f8b323719a1d43

  • SSDEEP

    1536:uhxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6Udoah5Dta66GDReU6:yMhQNDEtb3AioaheW8NR

Malware Config

Extracted

Path

C:\Recovery\6cm98-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 6cm98. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B9300DE1818877D3
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decoder.re/B9300DE1818877D3
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: iJiaDd5vyvwjZjNodRkz3+r7Wrjq6N1h1+VflbvHCIrW31jWb8QoVHXMEllMKrtu Hw7SQw3HDWoxgOc8cMNssripYxvFbo90a3Yp+bGwiWhkNjynHPxaf4BaJd/YCjVn +UAP0CkRGMdI9V895WC0GDlIPT+nEVYyTFcQsFgiNTob/THkRzzZg6xXQ0M4MGb1 rvdhReejWdIdl1apz4tZrq8JeBsJz0L1tWr/Aj/FOhjJtB4/+xKjh10bW4MSKpRk qQaVY0aVqAN7u6mA1uTwT1dfA0xYlllagXbEqaHE9Jcr0xrgbYxOUiMSs/yOF+2N I4dNlDqwftSgdbS0/QE0dMmmMusjRaTlBFGv78mtO/nIt6YE6H8OJvNTjhvqPg1O QpSwS+DFzWTttvSjLcwuJwpY+XFtDp2tyouzC3Ye/buIJ9wAIuzCBNfQikI8UYPx jfri3rgT1kpdJSag9IDKubN4jHXE9hnMLQUdnIJBsOgo+U1brgn5VPaLm7T6e49O Cnk2hr9XQAZ8O8RTPhkKqM3F14IViYvnDNz7Q9ex5eyaGXLPQR4ytD3uTVVd+IT+ VDpwcVappDFvTkp86YfjGwYQgW09LgvpfalNIRleJh8xXhwKFHVrlAR4pvQetWkn EyLBNfCrUmyDSfxMumQPXBwV936YnGcxJQ6SMkujZAVTUfMZ6CCuXoZhXK23F7m2 JBGMCySHM1959Zk7DrsORvpO5GTpa7p8Crumk6Is4h40RvjO8vhnEkvebbp61lnB JcBSSUYHp9+aAqH9HplF3mrCz56vyhp0ae/vR/CQR2BNN0L3D9VS5xxgCJKmCuPP DHWNyyvYnoWHEZq5IGoZ6zwwnYqu+DnXnbYO95G4KH+E7BXIen2A8HYxmuNabkwy FK0EhxhFYPFgEUxzWAe1sMxKOVxqTF8nOoKGW1XjmIqvY25enid0jq5xDF5BpBkf Edi9nNK4/RS9c1q8pRi1ivJyWk6mkGxbMZLNYK3p5fmaeQ5jWBJhhcvbOj/OPjEM Ox+vx2zfZVrRBK2TA/xzGoteVOJp4o1IrbziM/hlQF8kphwyGXCTtG2wdYWqeOBJ oSPu/GHuiYtN1LpyELrbDpqPM2uWvJaEJjCYAU9wt6Df9AWoABctrn5SOCnGmxlA zJBdjVEvKnpFWK1Q6fKNyg6MKSFMUtmEDaSJsD7K3NoW04P98Y1J6UrEZ4ku/G75 xrprFpu+far+G1gZdRDZgdZqELsscKrEfRosU8wnuKr0PiUcbrMWyGPO5WjEplvr zr1HbKrzxZv/eEX5AG69J5AEcl65R8JtCXRGrLmYxSlSSuySERzkvKWKiJTykvc5 TtGEdwQyACJ5KcGSOtXNae1uYOklxfSLm0o=

-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B9300DE1818877D3

http://decoder.re/B9300DE1818877D3

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies Windows Firewall (2 TTPs, 1 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 26 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (22 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 8 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 1 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Modifies registry class (3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (38 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious behavior: LoadsDriver (64 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (45 IoCs)
  • Suspicious use of SendNotifyMessage (27 IoCs)
  • Suspicious use of SetWindowsHookEx (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe
    "C:\Users\Admin\AppData\Local\Temp\03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      PID:4976
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3972
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:2704
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
        1⤵
          PID:1528
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:3948
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:4056
          • C:\Program Files\VideoLAN\VLC\vlc.exe
            "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SetRename.mpa"
            1⤵
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:1784
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
            1⤵
            • Checks processor information in registry
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:344
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:928
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=20972A6EC855B8A0542394077E51E438 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=20972A6EC855B8A0542394077E51E438 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
                3⤵
                  PID:4860
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=475F648EB459EB016BC046310BE4587E --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  3⤵
                    PID:3504
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0EA59AF5440D03BF1A130088245CFE3A --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    3⤵
                      PID:312
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D186714FE471DC7F7D6A71463F6D1818 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      3⤵
                        PID:4512
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C67F02DBCB694B488857E59EC6746FD3 --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                        3⤵
                          PID:1428
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:1020
                      • C:\Windows\system32\NOTEPAD.EXE
                        "C:\Windows\system32\NOTEPAD.EXE" F:\6cm98-readme.txt
                        1⤵
                        • Enumerates connected drives
                        PID:2464
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe"
                        1⤵
                          PID:788
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe"
                            2⤵
                            • Checks processor information in registry
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            • Suspicious use of SetWindowsHookEx
                            PID:1852
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.0.51402750\1252941364" -parentBuildID 20221007134813 -prefsHandle 1792 -prefMapHandle 1772 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aaf37c4-3f68-432b-95ee-6cf5b46dc5a3} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 1872 240a0208c58 gpu
                              3⤵
                                PID:4824
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.1.130700011\1955102260" -parentBuildID 20221007134813 -prefsHandle 2236 -prefMapHandle 2232 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f1a2b58-1008-4ea1-90c3-ccf492a3590f} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 2248 2409effb158 socket
                                3⤵
                                  PID:1952
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.2.2047609184\1085185313" -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3148 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f18f8ae5-3024-47ee-a725-40819a9d8d6d} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 3028 2409f05f058 tab
                                  3⤵
                                    PID:4216
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe"
                                1⤵
                                • Checks processor information in registry
                                • Modifies registry class
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                • Suspicious use of SetWindowsHookEx
                                PID:4920
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.0.1501504043\1427044457" -parentBuildID 20221007134813 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 20747 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {359f7dd1-6a0a-427f-a2e2-a97e09e5bef9} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 1836 2079e8f5b58 gpu
                                  2⤵
                                    PID:2936
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.1.377733387\156135328" -parentBuildID 20221007134813 -prefsHandle 2200 -prefMapHandle 2196 -prefsLen 20783 -prefMapSize 233496 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b97bb59-451e-4e5b-98db-08f1b0345f9b} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 2212 2079daddb58 socket
                                    2⤵
                                      PID:1056
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.2.653053214\2100765554" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3024 -prefsLen 20886 -prefMapSize 233496 -jsInitHandle 988 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e86c253-f00e-4389-9b13-531960c86f96} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 1620 207a3bf0558 tab
                                      2⤵
                                        PID:3736
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                                      1⤵
                                        PID:2556
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
                                        1⤵
                                        • Enumerates system info in registry
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        PID:3272
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff13683cb8,0x7fff13683cc8,0x7fff13683cd8
                                          2⤵
                                            PID:2436
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
                                            2⤵
                                              PID:4340
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:3
                                              2⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:4936
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
                                              2⤵
                                                PID:3304
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                                                2⤵
                                                  PID:396
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                                                  2⤵
                                                    PID:2756
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
                                                    2⤵
                                                      PID:3296
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
                                                      2⤵
                                                        PID:2764
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
                                                        2⤵
                                                          PID:3784
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:2684
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
                                                          2⤵
                                                            PID:3480
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5084 /prefetch:8
                                                            2⤵
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:4912
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5016 /prefetch:8
                                                            2⤵
                                                              PID:4644
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,6581436770508738375,11675135126453808959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
                                                              2⤵
                                                                PID:4236
                                                            • C:\Windows\system32\LogonUI.exe
                                                              "LogonUI.exe" /flags:0x4 /state0:0xa39c7055 /state1:0x41c64e6d
                                                              1⤵
                                                              • Modifies data under HKEY_USERS
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2160

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Recovery\6cm98-readme.txt
  Filesize: 6KB
  MD5: 2874e05dc7788e5997143dc0e2b455c3
  SHA1: cc2f4e4a5bcb7e8c8ad185ee1f4676d27d06b937
  SHA256: 9846a9e13a17a0a4cf98a8721cfa09ddb7e0420c6ca72c0b6f642108e1e38208
  SHA512: ca19754741e5158524c31cbadf125fdd905ada97e925c6fb15847c82959575f80855bf827a682d36dcdf1afcd198ab8b16ea334f81557b35dcf6d01be329b7b6

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 6dbe72a1f5827efc08f70d06ef815d46
  SHA1: 6aacd61519fce53ecb92e5e61207a6c29c01f47b
  SHA256: dd673404dd6deb2d2b331316370fd05e47c01b9dc489640f05b50898d536a6e3
  SHA512: 2e6115ca818df5f5b7985caf3ce2324e266b376f6180f84b44e9ae725e037a8456c2cd63e22b9750e2ba27f4c7460dfa429ce9910517a728b056e5f1e730e25a

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: 5baa6a0f6b8df7ecb8ccbf04d9c78b47
  SHA1: f8c499c5c2aa42c21704051f0f3d987dbb7c0752
  SHA256: fe22b1b16c91391f46a4fba366ae9dc1f3e90b52820edc4113199c7a3c290ebc
  SHA512: 00417b97ac7978a0d0a1e3063c871eb8c6a1e7c7f2bbdc522e840ef30f648095fb816cd3a33aeb4bc7c792ea314eadf87a965c211c406f6339d409f138c72c53

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 396B
  MD5: 022e2ea4f3ad8922c2cf2a9aa95cc7fc
  SHA1: ad8bdeadd8dc7931b8e4702ae6525f5c52f53960
  SHA256: efd7c8585c0741c6d63ff4e5ee7d40e327ab22792945be4c3815414ce878c912
  SHA512: b4610ea6ae58a7838d8cb290746061954f4bd6ed0765f9579ac58892af5ee41857ccb3851718d09847a5114022a2a7187c10d90d9baa16e1eb825a9ccd8bb3cb

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 4KB
  MD5: 22170f8125a079afb3c16c8e783d509a
  SHA1: 861a081ac23b5efb6b488da62a6649ceab6db883
  SHA256: 7cde6e1c89465ab4811d58a41df3aaea48218f87e5d2f0930b82bef08ce01738
  SHA512: 1929b25fa82d3c0f70465e7ad00c45f9e645714ac4c48f03176d597dccac3fc78f60e581dad86ed2d61d9fa4013e9a0e42c9ad2d61d4f2c8c2240acc5641e4b5

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 0c829e92e59c9709fc2c2300533c9a67
  SHA1: f18faa2dfc20af1a06bfeb86e32a6083a867c74d
  SHA256: 4e07d24bfc3669670e4cd1fc6267fa2d6cf3356b6e2c972183846a2ecd16598f
  SHA512: b84bc976682b5e0b5e716af8af73c6fd32f5c623ae1bf2457534764917045f634e5a5e2fdc057c81849936981276f0665efd2098782a946a0e3f5ac185361454

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
  Filesize: 25KB
  MD5: 53aaef8445daaff16df13bf2b61d3990
  SHA1: 1d8721c761b5ca414529d9a9dace3228fb27b5ec
  SHA256: fbcd85a94e87665a524a1ac08c00610687cc9ff2bcbdf406ab2c9dfedf9a9084
  SHA512: 838e6ea65ebcebd32c3d0e13562c9082f17e29e1028dff892a10f8c3a88d5833a7d6cef8a1f16c76eae2e6e1ddd87777351d09f708fcf0c6623dd58d87718856

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: fdee72226f043a876961d77f7a6c88f6
  SHA1: 12b97281a41970fbf1a551671fd02041a577c676
  SHA256: eca5fd7c926ce46c4a9ba807306743eef999fe56178ba62e8f28ca69ad095082
  SHA512: 9dd366d10badd8e7eccd978baa01e8fc481f7016cf84f01654b273b1cc4317000e31014021bb736f1e9385508a28953939dede3437394489c652119d54bad015

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\prefs.js
  Filesize: 6KB
  MD5: 1ced127b65a088bc5c6410304b33d7d4
  SHA1: af398b7930422f3c929d71f41837fc05d4610ace
  SHA256: 2975b889a382f55fcc81ed96c26c7166fa750c4cfd926530a9fcfd0ab010e7e1
  SHA512: f7d17a005485b62171bb247ef506cbd44c0b10645a49b784802eee340848facf0eb66fee8b594197580abae8016587c54f94954cc8a300a4105b23e2ea99f834

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\prefs.js
  Filesize: 6KB
  MD5: ffc6fb93f01ffb0d97c693e674b7c036
  SHA1: a7831e4ca7feeadc9cfb82e04ebb2da40998078b
  SHA256: 95ffe9c9077419e2b9d0944c48008d2008f9667fcc882f707acf22c55297ccf9
  SHA512: de6d1ceaabcd9d6ea085ed505e735d8008583dbc2a4ffc9b745e737389b8cc24643688f186bbcece53a1c6267d2b93d365267f018be79100625f15e0627baa7e

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\sessionCheckpoints.json
  Filesize: 53B
  MD5: ea8b62857dfdbd3d0be7d7e4a954ec9a
  SHA1: b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
  SHA256: 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
  SHA512: 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

• memory/1784-372-0x00007FFF04210000-0x00007FFF04322000-memory.dmp
  Filesize: 1.1MB

• memory/1784-371-0x00007FFF04570000-0x00007FFF0561B000-memory.dmp
  Filesize: 16.7MB

• memory/1784-370-0x00007FFF131A0000-0x00007FFF13454000-memory.dmp
  Filesize: 2.7MB

• memory/1784-369-0x00007FFF174D0000-0x00007FFF17504000-memory.dmp
  Filesize: 208KB

• memory/1784-368-0x00007FF713B00000-0x00007FF713BF8000-memory.dmp
  Filesize: 992KB