5bacd470aae61821c09162380318c6f9df4250534b7347f326e04e2b67585cc7

Analysis

max time kernel
149s
max time network
132s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
12-02-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wurst-Client-v7.39.1-MC1.20.1.jar
Size

1.6MB
MD5

a733830d08415b6f8a9184ac5dde2fb2
SHA1

fdcdae43e71e46fbfca3fadaba2faddc2467c6af
SHA256

5bacd470aae61821c09162380318c6f9df4250534b7347f326e04e2b67585cc7
SHA512

9c7b7d533abf1d199c4875fe08de4fcf6ade6c6fb3b8c2341909fb75c261179e841a4b413d151ebe436c3394cc0011eb0e32091893b7e1915eabf1714169614e
SSDEEP

24576:fVq9Hu5uIV30IemgmAH1fnTps+x+PB/eMvNQVha79U3H6zN4zxnzC8JSssC2b0:m+lV30IfW17pJYXQVhMq3a2zxFFsBb0

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1304 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

59 discord.com
60 discord.com
57 discord.com
58 discord.com

pid	process
1304	icacls.exe

flow	ioc
59	discord.com
60	discord.com
57	discord.com
58	discord.com

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522343263802871"	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2752 chrome.exe
2752 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2752 chrome.exe
2752 chrome.exe
2752 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings	firefox.exe

pid	process
2752	chrome.exe
2752	chrome.exe

pid	process
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exeAUDIODG.EXEchrome.exe

description	pid	process
Token: SeDebugPrivilege	1904	firefox.exe
Token: SeDebugPrivilege	1904	firefox.exe
Token: 33	532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	532	AUDIODG.EXE
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

firefox.exechrome.exe

pid	process
1904	firefox.exe
1904	firefox.exe
1904	firefox.exe
1904	firefox.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

firefox.exechrome.exe

pid	process
1904	firefox.exe
1904	firefox.exe
1904	firefox.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1904 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3588 wrote to memory of 1304	3588	java.exe	icacls.exe
PID 3588 wrote to memory of 1304	3588	java.exe	icacls.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 700 wrote to memory of 1904	700	firefox.exe	firefox.exe
PID 1904 wrote to memory of 5000	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 5000	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 4644	1904	firefox.exe	firefox.exe
PID 1904 wrote to memory of 812	1904	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Wurst-Client-v7.39.1-MC1.20.1.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:1304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.0.2114332104\1660011412" -parentBuildID 20221007134813 -prefsHandle 1736 -prefMapHandle 1720 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76585f99-300a-4efe-829f-aa6116c04c00} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 1828 2b33bfd0158 gpu
3⤵
PID:5000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.1.46180727\1088115830" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {482ebf6b-6acc-4f05-ba6f-a1d9cacab08d} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 2184 2b331072b58 socket
3⤵
- Checks processor information in registry
PID:4644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.2.1604819840\7678189" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 1556 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {869d5b2b-1d4d-466e-b04a-c7a22edc4b62} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 3064 2b33bf60f58 tab
3⤵
PID:812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.3.2072905851\682632553" -childID 2 -isForBrowser -prefsHandle 3572 -prefMapHandle 3568 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56ab41f8-c577-416c-94eb-223320fb2040} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 3552 2b3410b8e58 tab
3⤵
PID:4784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.4.317981071\326186419" -childID 3 -isForBrowser -prefsHandle 4260 -prefMapHandle 4256 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f642097f-cfb0-4a1c-b2c9-9639df790aef} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 4268 2b341dd1b58 tab
3⤵
PID:1296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.5.1793713794\1150147586" -childID 4 -isForBrowser -prefsHandle 4720 -prefMapHandle 4744 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4c50140-0d09-45e4-ad6c-ff99c25b8700} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 4268 2b3426afd58 tab
3⤵
PID:700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.6.1302690303\1510668177" -childID 5 -isForBrowser -prefsHandle 4876 -prefMapHandle 4880 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b1725e2-5368-42f8-8d11-9d0135031e84} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 4868 2b3426aeb58 tab
3⤵
PID:532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.7.1587814591\706484900" -childID 6 -isForBrowser -prefsHandle 5068 -prefMapHandle 5072 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb7e65ad-a553-453b-9a09-c9c0636c7431} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 4968 2b3426afa58 tab
3⤵
PID:2280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.8.1617486203\1543428939" -childID 7 -isForBrowser -prefsHandle 5584 -prefMapHandle 5580 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84fb1d40-fabe-4366-81da-6e7bd48bacea} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 5596 2b344327e58 tab
3⤵
PID:2980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.9.685649469\14321250" -childID 8 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf972485-ead7-4bd1-9a93-2eb4ae7342d9} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 5728 2b344324258 tab
3⤵
PID:1576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.10.439315444\1296385905" -childID 9 -isForBrowser -prefsHandle 2556 -prefMapHandle 4832 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4f2463b-15b6-4608-b698-911eecadb966} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 4712 2b341dd0358 tab
3⤵
PID:3656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.12.1232953621\665194707" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5960 -prefMapHandle 5768 -prefsLen 26424 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90cdc356-3dd1-4e2b-8701-92e6483454a4} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 5028 2b3423e3458 utility
3⤵
PID:3648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.11.1956412359\1748609412" -parentBuildID 20221007134813 -prefsHandle 4828 -prefMapHandle 4840 -prefsLen 26424 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05458f01-cb0f-4ce0-9688-d4db91306824} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 4804 2b3423e5558 rdd
3⤵
PID:2788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.14.1719839616\914534720" -childID 11 -isForBrowser -prefsHandle 10640 -prefMapHandle 10636 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bca2dcba-bfa4-4d56-99ef-f51a1b8c49ab} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 10648 2b346ee3458 tab
3⤵
PID:5536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.13.1170862832\649590350" -childID 10 -isForBrowser -prefsHandle 10704 -prefMapHandle 6368 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81aa0731-e875-4242-91f5-b04ff38a87d4} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 10700 2b346ee2b58 tab
3⤵
PID:5524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.16.1749425555\637404792" -childID 13 -isForBrowser -prefsHandle 9536 -prefMapHandle 9532 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e34dc315-b33d-461b-95c3-aae578f9d296} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 9880 2b347116a58 tab
3⤵
PID:5236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.15.792910230\744316503" -childID 12 -isForBrowser -prefsHandle 10548 -prefMapHandle 10552 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58969952-e7e4-408c-8ba3-d11d28db1b95} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 6708 2b346ca5858 tab
3⤵
PID:5228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1904.17.2026141856\1731586204" -childID 14 -isForBrowser -prefsHandle 9988 -prefMapHandle 9984 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82db6023-cb76-48fd-94da-426d54f484ff} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" 3992 2b34263c558 tab
3⤵
PID:5448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff84d769758,0x7ff84d769768,0x7ff84d769778
2⤵
PID:1236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1768,i,6937996684209375608,13537161123627182245,131072 /prefetch:8
2⤵
PID:32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1768,i,6937996684209375608,13537161123627182245,131072 /prefetch:1
2⤵
PID:5328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1768,i,6937996684209375608,13537161123627182245,131072 /prefetch:1
2⤵
PID:5308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1768,i,6937996684209375608,13537161123627182245,131072 /prefetch:8
2⤵
PID:5248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1768,i,6937996684209375608,13537161123627182245,131072 /prefetch:2
2⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4468 --field-trial-handle=1768,i,6937996684209375608,13537161123627182245,131072 /prefetch:1
2⤵
PID:5660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1768,i,6937996684209375608,13537161123627182245,131072 /prefetch:8
2⤵
PID:5388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1768,i,6937996684209375608,13537161123627182245,131072 /prefetch:8
2⤵
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1768,i,6937996684209375608,13537161123627182245,131072 /prefetch:8
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
549a751a63c8585602c3c8f62c3d0976

SHA1
40f90942a36d24228f10e92c9d3aa06bc640fd91

SHA256
fb82c80cf3b76558181783fd7c92a14521a4ed31643228f27352f5b7b3066457

SHA512
9b84d02e03cdb99055435545f31626dc4430292ffe96e3e6d45c7c17a8a9ac22b7c1a260e78d6749ef10a92e1363eb81068c0ccebbc7862f0210a19d4238592b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b2915f1a1917f127ba56d0cc70328a16

SHA1
ca5909f08fa4be8c56b3a1062bf381bf583e258e

SHA256
2701a1046b021384a8d60ffecbeff39732e80c26cb704d84d2c5d9310439b36b

SHA512
238f54fede717f2f80aee14066cca7c808592bf25b563ee218530c02752ec9f5428c262c4032d0b96d289d0aa58f9ee656b56c89380a3e29d5081cd517e1d629

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
01386a6b5ea52f891b1dd54aa30c568e

SHA1
ca401ef10918df33a2b1517a1a25d24c4738bd95

SHA256
06236d3c7c95a4aa1c23df1e165d17d651164ae31fe14d96bdebc548a2a88bb0

SHA512
e4ec5e936c2856e9dc0e1a92dee345c7730266274197ee5965d5f65b957f166f4c9cd3cbebf4f25ce0abb140245c764a22c87f4559ed017e8e96d0b648315f66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
885f39228588c1f6847a35467da7fc03

SHA1
e73572ca8aef88a907d3c40e47fa41ff177880d4

SHA256
fe2ac0cc68afdaac1658905d2645a190bc552c222de6080948efe5150c47c5ae

SHA512
7d1dac247028c8b3f8f77c5c5ca0eccd706f78cd77bf61ce83bcc587ab81fb07de0edf3f093ff142bec847161831709ed1607f5d22e66168769a20fa7634f74d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
238KB

MD5
415065545eec96cde426ebca854272d9

SHA1
2910792d78030391ea0ce5d060acaab385cf3aae

SHA256
48c4ba7ccab21a15592b328e970fb5127337d3e80f3ae96abdebed5fb9f932fc

SHA512
3ecf1aa362df89265a5a1db93d9d5278b158a3a6d7bb3958a6894095b2d0176d568d2277b5d88a93539f7dd3cbc0546c6c15c691aab99bc5f0407fbb18f9bb20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_DEA5342C4C8C4AA89FF03B44E765BE5B.dat

Filesize
940B

MD5
64422c18cacb257d368f951e59f39076

SHA1
dfa9248c2e70ff413e81e2b763eed0eb5508af59

SHA256
1ec5c48956e7d217956d4eb1e180c5b9b59a50f77de96058e22f2baf6b9cb5d3

SHA512
a9bc27bd528dcc4d88b9644ca2ef7b64e24d802d9cb8ded36f41e8f6ba37010be2e05a296ef974dbeb9f44fbd545d326b9f09ad1f93e5b84b32eef371330b97f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
a16ef5fc6076dc09c0abda81086e6ee2

SHA1
c86e2f773ae7270f154e20421f8f8d083a3fcf44

SHA256
fb373b2c28d63905b52a9960f581d40de06efb819622d45236d29fa42bed0ee9

SHA512
0a678a84f63c0428794557bac01d2d4d6cd3a9a516a3d2837d1555c6a7869425862fccdca43383631841abaa855e3d95239c5f902a8820ea1cb693152e8bac70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\datareporting\glean\pending_pings\43d8b0bc-f316-4672-85c1-867c6d527d45

Filesize
746B

MD5
2fdc6203a1f04dd1a8cde13c1b62d21f

SHA1
44d2271029649256b00fe7c0f9bbc58caec99a73

SHA256
403e383673ac7a0aaab9749f708fe102a72cdfd2221e30447d94970343a640bb

SHA512
8696ec62aa0eb9d1bd813350819f621a220d0c1fd647b711ff4ed42a0e91cc6f49ca6f69da49d1f62352479130a118790bc2a82a7f6624039740929a5b724b73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\datareporting\glean\pending_pings\9b66d668-f47f-4975-880a-0dc6fc244caf

Filesize
11KB

MD5
ca46e802d4b346a3b352e1be6b9e4198

SHA1
5ea3d3a424fa6412d41471e556c0d85fd8b15f42

SHA256
e653bbf6f0c640c5d58055e1e871e978ff027514f74be3b198fcd8c8f9e12921

SHA512
0604499504fce6a06083db18b3992f49419c3ff7b7e56a2adf474f33a7d2467546119a6b5a195518ec2bc84094899a337925c5bbbc9c8f22a95076e051bcbc61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\prefs-1.js

Filesize
6KB

MD5
27dcdd22a4bb347197d8ab6aaab140a3

SHA1
c8adfdd0b13623e8b7ed403df37f4b377faa9ea2

SHA256
6f4e470ff5849e917082d670d3cd46748784956460482393e930f0b2ab24b3b4

SHA512
75f06205ad096202fbc3de17403c4cf80efee37306cce090f6dae68141af006dc11f083cc9ef6eb24074b8247eeceb38453a658939ac25aa3133aec233ce6087

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\prefs.js

Filesize
6KB

MD5
2a79c09b2e93578a7af3bb7e4427f393

SHA1
75f619da1d793624d7b9b3427a15100417da53c3

SHA256
3e862fab995f92ec90d6b637f123296735a1fc39e0cf3506527b7fd1a4c2b74f

SHA512
24658ed83b145c997886b686759ca80005b9eecf0eb2e6a41316152d796924f05f7910fc3a2d15359e72d1d943282dcacef2a513a1083645ff38fb9d64a6536b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\prefs.js

Filesize
6KB

MD5
df9324eb2af9d0fc836d021abcaca969

SHA1
5a893849ff06b8bf1171b1bc4a45a832eba4fd92

SHA256
3d61ca5a0f03f9d97467cfe1d103ca9fc76a734b2d227d7a98d1706f44a16ac8

SHA512
50bd4b8d9386816e0762b3a62cc2641842eab1db8c9b2e1abc985468208893c27c86da108ee2ae81c21638fbdd80992419251e6197d7b2f05e1abef30dda9903

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
dc3d88eca79c277cbe616efc3d32c5d1

SHA1
81647a976092ea92359caf2310743e13f2cff934

SHA256
3ef212003a4701f87946fc2238a3b17a62fffd94e920739f9b8211c5f52b74ce

SHA512
16a38286d9f62ab3acb62f648abe25cdce3cd38676429f776820079cbdfc8e083f3a3114858dc6e857cfa6bb5c15dc57676c2658b652b89d657bd81fd41c96a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
183fca1100d76ec7c33c0d7cda9e0539

SHA1
1e15099dcfc9eedf3045884d56fa8267c20a1d79

SHA256
327f551efa18352a1ebe35b92cf378df73ea02d0afd1305567afe751e5b9a54b

SHA512
ed7856708ed93cce52914ebc23eba99397922f6f87c535b8f92978f7ab14fd5be0dbb5159b30594bc6bcd4b7cde66fc36cbbb9584f122aae30c5fb7371681fe2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
67a49aa8c1143ef9c55852250f89392b

SHA1
d27b7b25a0bbc5cf390087f9ff47978641e55260

SHA256
903ad93eb266343c7b9d374353c96ca2d007e1bb05bcf1b136e020dcca9be5e1

SHA512
efd8c6e11f8a5290dccd275b673f2ca38813896d85a5d192ccd440dd3ec6ce30a4a0ae881b6c70f5e5285613e79bf75b42db31510ffc269b7378bbbeb178b339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\sessionstore.jsonlz4

Filesize
2KB

MD5
6c7822b83429a14f535aca84e12adc9a

SHA1
87a78667aa08fe3bc9f6ab2991fc54a27015b6ec

SHA256
e301ec63d607f589708004472bb3c84df94f15d2f68ffa43d64e3aa7434d8d12

SHA512
90eb004d1b59c828e2270b20e1d62d1a8bf26cf893b7f1885ed93180ca743f09cd86ed80c8f9d6827ba98a165d899c6fb6c75a1b11ac15c0938d246be04c139a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
5f60b1bfd123c7a4d0b08e789398913b

SHA1
94cfa3d3a809e734b41b790926b3cd5599ff098f

SHA256
b340adccfe5fc90dc4cce44e21bb54e2a375b786240b2dd8e33779be9a9ccc22

SHA512
465eac2f35298674f0ebf9b65cf682459f72b5fba1d920a5bb43aac819450ba437c3350003241d7cea032547fb1d77d80c4d5b05c16727ef9af4b2c5242c9a6d

Download Submit
\??\pipe\crashpad_2752_XOQCRBYAUUVKSRYU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3588-4-0x0000015DB19F0000-0x0000015DB29F0000-memory.dmp

Filesize
16.0MB

Download
memory/3588-13-0x0000015DB19F0000-0x0000015DB29F0000-memory.dmp

Filesize
16.0MB

Download
memory/3588-11-0x0000015DB03B0000-0x0000015DB03B1000-memory.dmp

Filesize
4KB

Download