Analysis
max time kernel: 405s
max time network: 406s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 11-04-2024 21:51
General
Target: Client-built.exe
Size: 3.1MB
MD5: 3fdc51227758ce53069116625341569d
SHA1: ee099a8afcab18d69cf2c3c2f5193ab5af33fa78
SHA256: 356fcec1d7e8ef7c51fa311d1e3013915aca1a44a586cf872abd5bcb927f6319
SHA512: 807b4a0f993672d07c580572fdf8dfeb4c443545449aa27c1e595850f2dda73ea7265844f6f9e53baa0a50b723160cfdaa244ef8464ebf032b8cbf28ac1a33ba
SSDEEP: 49152:HvnI22SsaNYfdPBldt698dBcjHWDQ0Dmzt0oGd6HTHHB72eh2NT:HvI22SsaNYfdPBldt6+dBcjHcQ0J
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: us1.localto.net:44771
Mutex: abf2fea6-bc08-449e-9ce0-142ecb0a54c5
encryption_key: 93B883D530A44E5A4457CCB3F463B613FCE53505
install_name: Google.exe.exe
log_directory: Log
reconnect_delay: 3000
startup_key: AntimaIware Core Service
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/1020-0-0x00000000001C0000-0x00000000004E4000-memory.dmp: family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe: family_quasar
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation (Google.exe.exe)
Executes dropped EXE (1 IoC)
Processes (pid, process):
- 924 Google.exe.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Windows directory (6 IoCs)
Processes (description, ioc, process):
- File created C:\Windows\rescache\_merged\4183903823\2290032291.pri (taskmgr.exe)
- File created C:\Windows\rescache\_merged\1601268389\715946058.pri (taskmgr.exe)
- File created C:\Windows\rescache\_merged\3720402701\1568373884.pri (MicrosoftEdge.exe)
- File opened for modification C:\Windows\Debug\ESE.TXT (MicrosoftEdge.exe)
- File created C:\Windows\rescache\_merged\3720402701\1568373884.pri (MicrosoftEdgeCP.exe)
- File created C:\Windows\rescache\_merged\3720402701\1568373884.pri (MicrosoftEdgeCP.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 756 schtasks.exe
- 4912 schtasks.exe
Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view the network configuration.
Processes (pid, process):
- 2428 ipconfig.exe
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main (MicrosoftEdgeCP.exe)
- Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main (browser_broker.exe)
Modifies data under HKEY_USERS (15 IoCs)
Processes (description, ioc, process); all entries by LogonUI.exe:
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
Modifies registry class (64 IoCs)
Processes (description, ioc, process); every key below is relative to \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe:
- Set value (str) Internet Settings\Cache\Content\CachePrefix (MicrosoftEdge.exe)
- Set value (int) MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" (MicrosoftEdge.exe)
- Key created Children\006\CIStatus (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "77" (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "54" (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\Total\ = "110" (MicrosoftEdgeCP.exe)
- Key created Internet Explorer\Main (MicrosoftEdge.exe)
- Set value (int) Children\001\CIStatus\CIPolicyState = "0" (MicrosoftEdgeCP.exe)
- Key created MicrosoftEdge\Main (MicrosoftEdge.exe)
- Key created MicrosoftEdge\DataStore (MicrosoftEdge.exe)
- Set value (data) CIStatus\CIStatusTimestamp = 2b03cc8a5b8cda01 (MicrosoftEdge.exe)
- Set value (int) MicrosoftEdge\Privacy\InProgressFlags = "262144" (MicrosoftEdge.exe)
- Set value (int) MicrosoftEdge\GPU\Wow64-VendorId = "0" (MicrosoftEdge.exe)
- Set value (int) MicrosoftEdge\GPU\Wow64-DeviceId = "0" (MicrosoftEdge.exe)
- Set value (int) MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" (MicrosoftEdge.exe)
- Key created MicrosoftEdge\GPU (MicrosoftEdgeCP.exe)
- Key created Children\001\Internet Explorer\EdpDomStorage\Total (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\roblox.com\Total = "56" (MicrosoftEdgeCP.exe)
- Set value (int) MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" (MicrosoftEdge.exe)
- Set value (str) MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" (MicrosoftEdgeCP.exe)
- Key created Children\001\Internet Explorer\DomStorageState (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\roblox.com\Total = "13185" (MicrosoftEdgeCP.exe)
- Key created Children\121\ACGStatus (MicrosoftEdgeCP.exe)
- Set value (int) MicrosoftEdge\Recovery\Active\{A03AA32E-FB53-43C5-BFFC-43F25F82F720} = "0" (MicrosoftEdge.exe)
- Key created MicrosoftEdge\Internet Settings (MicrosoftEdge.exe)
- Set value (data) CIStatus\CIStatusTimestamp = f4f2ec835b8cda01 (MicrosoftEdge.exe)
- Set value (data) CIStatus\CIStatusTimestamp = 35edfe835b8cda01 (MicrosoftEdge.exe)
- Key created Children\001\CIStatus (MicrosoftEdgeCP.exe)
- Set value (data) Children\001\ACGStatus\DynamicCodePolicy = 05000000 (MicrosoftEdgeCP.exe)
- Set value (int) MicrosoftEdge\DataStore\OneTimeCleanup = "1" (MicrosoftEdge.exe)
- Set value (int) Children\006\CIStatus\CIPolicyState = "0" (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\Total\ = "21" (MicrosoftEdgeCP.exe)
- Set value (data) MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 (MicrosoftEdge.exe)
- Set value (int) MicrosoftEdge\Main\JumpListFirstRun = "3" (MicrosoftEdge.exe)
- Key created Children\121\Internet Settings (MicrosoftEdgeCP.exe)
- Set value (str) Internet Settings\Cache\History\CachePrefix = "Visited:" (MicrosoftEdge.exe)
- Key created MicrosoftEdge\ServiceUI (MicrosoftEdge.exe)
- Key created Children\001\ACGStatus (MicrosoftEdgeCP.exe)
- Key created MicrosoftEdge\HistoryJournalCertificate (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\roblox.com\Total = "21" (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\Total\ = "54" (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\roblox.com\Total = "54" (MicrosoftEdgeCP.exe)
- Set value (int) Children\121\CIStatus\CIPolicyState = "0" (MicrosoftEdgeCP.exe)
- Set value (int) MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" (MicrosoftEdge.exe)
- Set value (data) MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a (MicrosoftEdge.exe)
- Key created CIStatus (MicrosoftEdge.exe)
- Key created Children\004\Internet Settings\Cache\Cookies (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\EdpDomStorage\roblox.com\Total = "0" (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "56" (MicrosoftEdgeCP.exe)
- Set value (int) MicrosoftEdge\Privacy\InProgressFlags = "0" (MicrosoftEdge.exe)
- Set value (int) MicrosoftEdge\GPU\Wow64-VersionHigh = "0" (MicrosoftEdge.exe)
- Key created Children\121\CIStatus (MicrosoftEdgeCP.exe)
- Set value (int) MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0" (MicrosoftEdge.exe)
- Set value (int) MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" (MicrosoftEdge.exe)
- Key created MicrosoftEdge\Internet Settings\Zones\3 (MicrosoftEdge.exe)
- Set value (str) Children\004\Internet Settings\Cache\Content\CachePrefix (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "13185" (MicrosoftEdgeCP.exe)
- Set value (int) Children\001\Internet Explorer\DOMStorage\Total\ = "13185" (MicrosoftEdgeCP.exe)
- Set value (int) MicrosoftEdge\GPU\Revision = "0" (MicrosoftEdge.exe)
- Key created Children\006\ACGStatus (MicrosoftEdgeCP.exe)
- Set value (int) Children\004\ACGStatus\ACGPolicyState = "8" (MicrosoftEdgeCP.exe)
- Set value (data) CIStatus\CIStatusTimestamp = 058913845b8cda01 (MicrosoftEdge.exe)
- Set value (int) Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" (MicrosoftEdgeCP.exe)
- Key created Children\001\Internet Explorer\Main (MicrosoftEdgeCP.exe)
Suspicious behavior: EnumeratesProcesses (63 IoCs)
Processes (pid, process); repeated identical rows collapsed with their counts:
- 4996 taskmgr.exe (9 entries)
- 924 Google.exe.exe (54 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 924 Google.exe.exe
Suspicious behavior: MapViewOfSection (4 IoCs)
Processes (pid, process); repeated identical rows collapsed with their count:
- 3548 MicrosoftEdgeCP.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes (token, pid, process); repeated identical rows collapsed with their counts:
- SeDebugPrivilege 1020 Client-built.exe
- SeDebugPrivilege 924 Google.exe.exe
- SeDebugPrivilege 4996 taskmgr.exe
- SeSystemProfilePrivilege 4996 taskmgr.exe
- SeCreateGlobalPrivilege 4996 taskmgr.exe
- 33 4996 taskmgr.exe
- SeIncBasePriorityPrivilege 4996 taskmgr.exe
- SeDebugPrivilege 4932 firefox.exe (5 entries)
- SeDebugPrivilege 3384 MicrosoftEdgeCP.exe (4 entries)
- SeDebugPrivilege 6652 MicrosoftEdgeCP.exe (2 entries)
- SeDebugPrivilege 2400 MicrosoftEdge.exe (2 entries)
- SeShutdownPrivilege 7956 shutdown.exe
- SeRemoteShutdownPrivilege 7956 shutdown.exe
Suspicious use of FindShellTrayWindow (43 IoCs)
Processes (pid, process); repeated identical rows collapsed with their counts, in the order listed:
- 924 Google.exe.exe (3 entries)
- 4996 taskmgr.exe (34 entries)
- 4932 firefox.exe (4 entries)
- 924 Google.exe.exe (2 entries)
Suspicious use of SendNotifyMessage (42 IoCs)
Processes (pid, process); repeated identical rows collapsed with their counts, in the order listed:
- 924 Google.exe.exe (3 entries)
- 4996 taskmgr.exe (34 entries)
- 4932 firefox.exe (3 entries)
- 924 Google.exe.exe (2 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (pid, process):
- 924 Google.exe.exe
- 4932 firefox.exe
- 2400 MicrosoftEdge.exe
- 3548 MicrosoftEdgeCP.exe
- 3384 MicrosoftEdgeCP.exe
- 3548 MicrosoftEdgeCP.exe
- 8092 LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process); repeated identical rows collapsed with their counts:
- PID 1020 wrote to memory of 756: Client-built.exe -> schtasks.exe (2 entries)
- PID 1020 wrote to memory of 924: Client-built.exe -> Google.exe.exe (2 entries)
- PID 924 wrote to memory of 4912: Google.exe.exe -> schtasks.exe (2 entries)
- PID 924 wrote to memory of 3812: Google.exe.exe -> cmd.exe (2 entries)
- PID 3812 wrote to memory of 3176: cmd.exe -> chcp.com (2 entries)
- PID 3812 wrote to memory of 2428: cmd.exe -> ipconfig.exe (2 entries)
- PID 5084 wrote to memory of 4932: firefox.exe -> firefox.exe (11 entries)
- PID 4932 wrote to memory of 2632: firefox.exe -> firefox.exe (2 entries)
- PID 4932 wrote to memory of 3712: firefox.exe -> firefox.exe (39 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
-
C:\Windows\SYSTEM32\schtasks.exe (depth 2)
Command line: "schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f
- Creates scheduled task(s)
PID:756
-
C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924
-
C:\Windows\SYSTEM32\schtasks.exe (depth 3)
Command line: "schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f
- Creates scheduled task(s)
PID:4912
-
C:\Windows\SYSTEM32\cmd.exe (depth 3)
Command line: "cmd" /K CHCP 437
- Suspicious use of WriteProcessMemory
PID:3812
-
C:\Windows\system32\chcp.com (depth 4)
Command line: CHCP 437
PID:3176
-
C:\Windows\system32\ipconfig.exe (depth 4)
Command line: ipconfig
- Gathers network information
PID:2428
-
C:\Windows\System32\shutdown.exe (depth 3)
Command line: "C:\Windows\System32\shutdown.exe" /s /t 0
- Suspicious use of AdjustPrivilegeToken
PID:7956
-
C:\Windows\system32\taskmgr.exe (depth 1)
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4996
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 1)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
- Suspicious use of WriteProcessMemory
PID:5084
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 2)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.0.1400313502\813861642" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1700 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1da5833-7381-4f6f-a6c7-45ebc221f67c} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 1796 14da26e1358 gpu
PID:2632
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.1.605949834\1685684191" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5610aaa-7a24-46b6-b0e6-f341b46bf0ee} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 2152 14da25fa158 socket
PID:3712
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.2.777629894\900811024" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2808 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da460588-37e6-412d-9e67-1527b1d7aadd} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 2704 14da66bf258 tab
PID:4216
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.3.1508426383\596075535" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d64cf5e8-7a32-4b3e-9398-e9708c507766} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 3492 14da513de58 tab
PID:212
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.4.1368444818\1880599983" -childID 3 -isForBrowser -prefsHandle 3208 -prefMapHandle 3204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bd2e6db-3ef9-4bac-ad5d-732c2d7423e1} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 3864 14da7bfc658 tab
PID:1372
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.5.1793533430\1973727474" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4888 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0874998e-6d2b-478f-a5a2-986495d23dca} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 4896 14d97668458 tab
PID:2848
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.6.1228192944\1205408542" -childID 5 -isForBrowser -prefsHandle 5032 -prefMapHandle 5036 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d761117-5167-4674-81bd-9f48176e5916} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 5024 14da8b08e58 tab
PID:3592
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.7.335325029\2130908228" -childID 6 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae9ed82a-fc6f-49e1-89bd-801b54f3ce2b} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 5208 14da8bf4558 tab
PID:3152
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2400
-
C:\Windows\system32\browser_broker.exe (depth 1)
Command line: C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
PID:1920
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3548
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3384
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
PID:3164
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6652
-
C:\Windows\system32\LogonUI.exe (depth 1)
Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ab3055 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:8092
Network
MITRE ATT&CK Enterprise v15
Downloads