b04914e58b8c6bd0061eab918d2c4f09071c5931070e25b90d51a62bb4ae17a2

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DIG DUG.exe
Size

35.0MB
MD5

97a5c7dd08a6f636c013350318b678c5
SHA1

a62795f6dd8f12a84fc66f4df533e55ef590d0ea
SHA256

b04914e58b8c6bd0061eab918d2c4f09071c5931070e25b90d51a62bb4ae17a2
SHA512

f711b52ce89929e5f971d35ce188aca971e6e085c420fd25f4e5255c7a35db5eb51c5ea17e4664bdaf3b0cca9a2d40cad89d7fb7a3cf37ef14e4e9617e7422c9
SSDEEP

196608:Mbm1heRm3bg0EuLuuBGuWrlrSVNc3rR/h0L3EgWXzPaPEO75vQj/Xg99oWAuYFqz:gvmrZeRocb1h0L3EgaPIgj/g9ODuUm

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3054445511-921769590-4013668107-1000\{E4260FFF-2B25-40BF-A122-3E5B0E33A18E}	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
752	msedge.exe
752	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	384	firefox.exe
Token: SeDebugPrivilege	384	firefox.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
384	firefox.exe
384	firefox.exe
384	firefox.exe
384	firefox.exe
384	firefox.exe
384	firefox.exe
384	firefox.exe
384	firefox.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
384	firefox.exe
384	firefox.exe
384	firefox.exe
384	firefox.exe
384	firefox.exe
384	firefox.exe
384	firefox.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1832	DIG DUG.exe
384	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 4932 wrote to memory of 384	4932	firefox.exe	96
PID 384 wrote to memory of 3168	384	firefox.exe	97
PID 384 wrote to memory of 3168	384	firefox.exe	97
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 4008	384	firefox.exe	98
PID 384 wrote to memory of 3024	384	firefox.exe	99
PID 384 wrote to memory of 3024	384	firefox.exe	99
PID 384 wrote to memory of 3024	384	firefox.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DIG DUG.exe
"C:\Users\Admin\AppData\Local\Temp\DIG DUG.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="384.0.201607872\1796908259" -parentBuildID 20221007134813 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c255bb3-40a5-4807-91a8-ca64480bb490} 384 "\\.\pipe\gecko-crash-server-pipe.384" 1988 20ac2ef2e58 gpu
    3⤵
    PID:3168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="384.1.1095932643\323133114" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dde4ca86-791f-4095-b5cc-a546e5c51dda} 384 "\\.\pipe\gecko-crash-server-pipe.384" 2392 20ac27e4758 socket
    3⤵
    - Checks processor information in registry
    PID:4008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="384.2.1709534860\1956339344" -childID 1 -isForBrowser -prefsHandle 2888 -prefMapHandle 3068 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2a27e20-0de1-4d22-a1d4-c00a57abeec4} 384 "\\.\pipe\gecko-crash-server-pipe.384" 3032 20ac69aec58 tab
    3⤵
    PID:3024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="384.3.1560381918\53722470" -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3544 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97d8e768-dff8-4e41-89f9-71345770e2a4} 384 "\\.\pipe\gecko-crash-server-pipe.384" 3560 20ab6063e58 tab
    3⤵
    PID:4000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="384.4.1624543665\1881324851" -childID 3 -isForBrowser -prefsHandle 4284 -prefMapHandle 4280 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eed409c8-d045-4c3f-a314-b690a2d311d3} 384 "\\.\pipe\gecko-crash-server-pipe.384" 4224 20ac52f6e58 tab
    3⤵
    PID:3536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="384.5.630512135\984533988" -childID 4 -isForBrowser -prefsHandle 5048 -prefMapHandle 4424 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e90d1d82-da9f-4e97-b364-4555a9c061f1} 384 "\\.\pipe\gecko-crash-server-pipe.384" 5044 20ac52f6558 tab
    3⤵
    PID:3108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="384.7.2098569240\713946849" -childID 6 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c0b54d5-c6c4-4ec0-879c-ce3045f0df33} 384 "\\.\pipe\gecko-crash-server-pipe.384" 5492 20ac8daa658 tab
    3⤵
    PID:220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="384.6.591285512\957411937" -childID 5 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80b43c56-69fa-47a0-874c-946d6d802b0d} 384 "\\.\pipe\gecko-crash-server-pipe.384" 5192 20ac8da9a58 tab
    3⤵
    PID:3544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="384.8.1451789799\979006805" -childID 7 -isForBrowser -prefsHandle 5964 -prefMapHandle 5960 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b33011b2-db9d-4a6e-95c5-ac6ed01e3fdd} 384 "\\.\pipe\gecko-crash-server-pipe.384" 5976 20aca7e5c58 tab
    3⤵
    PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffbf0ed46f8,0x7ffbf0ed4708,0x7ffbf0ed4718
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,4641937536458280831,5712242037008041797,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3528 /prefetch:8
  2⤵
  PID:2928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3782686f747f4a85739b170a3898b645

SHA1
81ae1c4fd3d1fddb50b3773e66439367788c219c

SHA256
67ee813be3c6598a8ea02cd5bb5453fc0aa114606e3fc7ad216f205fe46dfc13

SHA512
54eb860107637a611150ff18ac57856257bf650f70dce822de234aee644423080b570632208d38e45e2f0d2bf60ca2684d3c3480f9637ea4ad81f2bcfb9f24d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
58670ac03d80eb4bd1cec7ac5672d2e8

SHA1
276295d2f9e58fb0b8ef03bd9567227fb94e03f7

SHA256
76e1645d9c4f363b34e554822cfe0d53ff1fce5e994acdf1edeff13ae8df30f8

SHA512
99fe23263de36ec0c8b6b3b0205df264250392cc9c0dd8fa28cf954ff39f9541f722f96a84fbc0b4e42cfd042f064525a6be4b220c0180109f8b1d51bbdef8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
611d58518a24361a0524a769bfa7d5b5

SHA1
3c0c46269f6a8b7a3e3436b8f7236123e2e56226

SHA256
b30258ee2e169dc291d126a5414293930f38183a22f8312872c922382bb9de2f

SHA512
4f5bf27a7486ac9239513c475a375ee64f3c6910879177fdc2a8a164071965e611bbdce324a1ea597d254425188fcec10d9d1eb35756ee9f70fbe35d962c36a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\cache2\entries\166F2232D21D568AF4700252B7B75E876BF9C981

Filesize
57KB

MD5
7b55348da14f9f61b4e1d6b94707431a

SHA1
b901ee40ec2df486ca04e18accfd3ba386dad00d

SHA256
27339f22788069fa52783f0389c6643d2f67196684a0f2419b057a81a634a9e6

SHA512
ae8a1a580370ea8ff98bbc068f5636313584d76f0fa46ec3406385379b21e6d76cd1ae8ff39cac7d0a52d8983c3e6224abb73abadd98a474b7954ceee6deff7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f64d94833e5e477673cb7a6a6df98827

SHA1
0112253551953eebaba2ecd176bd37b3fbc48905

SHA256
566cca517e963840561086bf5d7176abd973435bb378db882455858aa4a9c564

SHA512
773efbd5c95d05c11ac13f6f1c773fc31337a055258979198157c20f7bb4af1c2d2bfbf4b5bf4c504c37f8b48bf854f053584e566d605b64d9e06e3f65716b63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\datareporting\glean\pending_pings\efd387a9-5b2f-44f4-acdb-816e1c239fb8

Filesize
11KB

MD5
97103b0f52a2fffe00bfabe0bc6c4ac8

SHA1
169a3fbd3538d19b977c0cf8d2104c244e6bf75e

SHA256
30c6809b041d5e06f4c5b8971e7a6e8550bb89aa23956eb27a47c88119770477

SHA512
0a94e04ff020667d733534152fff00e466afb3025c348e0ed363fbeabfeed04ff62ce446de826f2ba9943a8c198c3a6151f82da5db6df1ecc20f5daa9f0183ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\datareporting\glean\pending_pings\f954f3d9-06da-4ced-971e-a88e5a56e4b7

Filesize
746B

MD5
e1450cd32e65db13b6416291cf3d335d

SHA1
89efad5e3104d222e40c25986361e57d532ea24d

SHA256
7880219468018ead693a709061d2df0442bbff255bda555831f218d6d330c2d4

SHA512
1479300e7ea3c02401b562d76b5c20d76cff9918090831462d8a377ed167fe935e7794735a9da3328073f13033a106f1230a603e65c7f0ba4692100e4587e34b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\prefs-1.js

Filesize
6KB

MD5
98cd6765fdd7e79a729a1e0711ba37b1

SHA1
97e1045d7daa36a85b73a1a402c80a2c726b7f9b

SHA256
28b20575366acc57f75bbfb7eb1b2fe1291b47fce035d34d425e631565594e56

SHA512
c7918e6c161ecda61620dc57176a2e56662fbd609af15bdc5e68b1c89e08ac76235642e5e6e1f538dcc619eae910e7170be7ed50f1dfcd31a73ae01b9b9b6eca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\prefs-1.js

Filesize
6KB

MD5
aa040885942e3e755c09ab7953754cd4

SHA1
4f53ededf4a2f9005b03b566e0e74af9523c6ac7

SHA256
81b46c449ff5d5dd9cd207ccae87decb9069f8df8e6dace4a27fb300c8c58dd3

SHA512
4a735cd60af67b829cbab92b1d22c1afd8dea93c7779992f0549d1173829b704c1259e2e4009167664accd9457247940f77537a3d7a44fe19a9266811625a873

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f50ec25b2758181cb4b7b3714ef62446

SHA1
0197d457d26cd02cc76911b6f70f626769292983

SHA256
aa8d7aa61746c81e20c9092ab88214e163f96256ed4e165e88bcbbd5f1bd1b8f

SHA512
d5e093779945d4166aab2c356bfecf3b274ce6129fad2c4df06db0adc3eb782815d2c751f5f3659424514306633ec67eddce6f7f1a680bffc17b543f239d8490

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
6d5e38c47755cf3064cccd32eafa1fae

SHA1
b59f06c44efdd4366dc62d2e384018d007b8615c

SHA256
d9afa44f6b5d1644eb450a8556928f8fde9425a11d6396815f571b5a1131d5d2

SHA512
c3001dec84540e3431fcc560aa4e6cda201f5d903fa2831f09515da427883921f089b7e3399c7afb55e42c779201f19ed73f6b611eff0bd65be775198f9f08e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
4411ef61bed43612cb529e179dec3d0a

SHA1
207d926c5eac6ff65e4fbeff7641a5150feba5ce

SHA256
4d55550bc289638b54418ea738ef0930ee0f41de86f25269822a6e1c46ae32f7

SHA512
8a3cd5a716d94b96ea478247384e2063c398f94fd9f729806ffcaf1b10bbfefbe837cc11ab59abe1cb14224ea638763cec3637242b682f32b437e6b43e15b5e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
582dbdd8463dae2aa0730285caacaf1c

SHA1
b2d21888aefcbb59bdefc3392c921b93a22fcb17

SHA256
2df114a88da633ddb903b4377cc6df820bf61ac2e3f5c8ebcc0d211aa37feb73

SHA512
2437223be7b970c20cb7bb2b61dbdd3c6b250f5ed65e25fdc2630fb358e0c4b7e58296d2b3a6f534899864146d1dcf18c3d22239c621df610663da04dd64389a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
90f5ee204df574cc93eaba6069318bb0

SHA1
171c652eaab8542aba77d21b78101806183a3e26

SHA256
edb4865fc49bd9d1a640e5266e26bd3ead9f086239d164a8c46bfff5b712814f

SHA512
e0e7fb61d15b97efd3fe79ca8213d047d6ffebbc96400bb35ec17cc100900cbc3643b34c509292fbf60d739ca5d7fcd0f5f43b051ca8e30669a7e4880c5c78bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
eaa566516e614d205b8929aa64c7b6ca

SHA1
b836ca283fcdcd3f281671ba36a3de6ddb423bf6

SHA256
7e4811346782134ad51890592aad44958aad882997045bd6066366db795fad6a

SHA512
13a6021cb01eb8b27920e7952d53641a54e809a88bc3d4b7a9939e1900faa7a34200c68b31a84dc8c567e0606550ff6c4c0f063a5991089bf37e3aee2b083b33

Download Submit
memory/1832-0-0x0000000000400000-0x0000000002715000-memory.dmp

Filesize
35.1MB

Download