Analysis

max time kernel: 298s
max time network: 258s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 11:24
Static task: static1
URLScan task: urlscan1
General
Malware Config

Extracted: urelas
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (5b4acbdd60cf4f80b0d353a4f1d3e2da6999d1ca4998ebd2b9b3a354c1b75de7.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (ipsyk.exe)

Executes dropped EXE (3 IoCs)
- PID 4232: 5b4acbdd60cf4f80b0d353a4f1d3e2da6999d1ca4998ebd2b9b3a354c1b75de7.exe
- PID 4712: ipsyk.exe
- PID 2052: xyhug.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings (msedge.exe)
- Key created: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings (firefox.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token: SeRestorePrivilege (PID 5824, 7zG.exe)
- Token: 35 (PID 5824, 7zG.exe)
- Token: SeSecurityPrivilege (PID 5824, 7zG.exe)
- Token: SeSecurityPrivilege (PID 5824, 7zG.exe)
- Token: SeDebugPrivilege (PID 4420, firefox.exe)
- Token: SeDebugPrivilege (PID 4420, firefox.exe)
- Token: SeManageVolumePrivilege (PID 2764, svchost.exe)
Suspicious use of FindShellTrayWindow (39 IoCs)
Suspicious use of SendNotifyMessage (27 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4420: firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1628)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bazaar.abuse.ch/download/5b4acbdd60cf4f80b0d353a4f1d3e2da6999d1ca4998ebd2b9b3a354c1b75de7/
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2112)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa8a146f8,0x7fffa8a14708,0x7fffa8a14718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1636)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2516)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3672)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3488)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4688)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3940)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4332)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 556)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4688)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3920)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2956)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5220)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5228)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1248)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1748 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3408)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2704)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13306667756601427117,13399081510611746084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2716 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 4812)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 3132)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\rundll32.exe (PID 5788)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Program Files\7-Zip\7zG.exe (PID 5824)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\5b4acbdd60cf4f80b0d353a4f1d3e2da6999d1ca4998ebd2b9b3a354c1b75de7\" -ad -an -ai#7zMap19020:190:7zEvent6201
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Users\Admin\Desktop\5b4acbdd60cf4f80b0d353a4f1d3e2da6999d1ca4998ebd2b9b3a354c1b75de7.exe (PID 4232)
  Command line: "C:\Users\Admin\Desktop\5b4acbdd60cf4f80b0d353a4f1d3e2da6999d1ca4998ebd2b9b3a354c1b75de7.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\ipsyk.exe (PID 4712)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ipsyk.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\xyhug.exe (PID 2052)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xyhug.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 1012)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

- C:\Program Files\Mozilla Firefox\firefox.exe (PID 2052)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4420)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2472)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.0.488951904\571653219" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {600001c1-985f-429e-bdf6-16eb78b265cc} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 1964 216a6c05e58 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 212)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.1.1487744164\189619966" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {285c4eec-3f4c-42b1-9889-374b6ed4f1b9} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 2364 216a5533858 socket
      - Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1924)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.2.503557911\2122692428" -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 1600 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd593e0e-1a5c-4f7c-8fc9-02a8be43e066} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 2924 216a9ab9958 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5268)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.3.1020120835\1015715019" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d8a76b-627f-45b1-abbd-213f51713681} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 3596 216a86dae58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1324)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.4.668215557\1259478146" -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4148 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68becc4e-3979-428e-abba-8073f257b6d5} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 4164 216ab016558 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4884)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.5.519422990\2023554929" -childID 4 -isForBrowser -prefsHandle 5132 -prefMapHandle 5128 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f3be6e1-7d81-41a0-a1d2-59bb15172476} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 5144 216abcb3158 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5760)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.6.1105131979\991706533" -childID 5 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62974147-4859-4176-aa1a-53d99f24c82f} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 5276 216ac0b3558 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4204)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.7.781619235\1648993583" -childID 6 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8409d69c-1e26-4630-bfdf-9a23a7708b28} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 5556 216ac0b4458 tab

- C:\Windows\System32\F12\IEChooser.exe (PID 5284)
  Command line: "C:\Windows\System32\F12\IEChooser.exe"

- C:\Windows\system32\rundll32.exe (PID 1688)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

- C:\Windows\System32\svchost.exe (PID 2764)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Downloads