73ed5505a3f172ab204d58320a8470736ce3190d2ddda4065a7a3ca514c335bf

Analysis

max time kernel
213s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Diamond-Service Spoofer ImGui Base.exe
Size

1.4MB
MD5

b9d1bfa51f0d66f62b660fb01a11ca39
SHA1

74372810c692c94daf466317cd0b2c61498fed6c
SHA256

73ed5505a3f172ab204d58320a8470736ce3190d2ddda4065a7a3ca514c335bf
SHA512

fbc0f9fa5b8204f9c087c248ec4a01e539f0edf1b9922765f87c31ed80c005df4b617c1ac3b850dfdcd860735c4a922d4f39965e97ebd5e1d3ad384be60a4283
SSDEEP

24576:A69pzSnMGWu0b/5nPMI99VvKe1Wk/jtw2uGKFzFTSpkPcnn:xue/xPH99VvKaWkJsFTFKn

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4264	msedge.exe
4264	msedge.exe
1312	msedge.exe
1312	msedge.exe
3724	identity_helper.exe
3724	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	firefox.exe
Token: SeDebugPrivilege	2976	firefox.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
2976	firefox.exe
2976	firefox.exe
2976	firefox.exe
2976	firefox.exe
1312	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
2976	firefox.exe
2976	firefox.exe
2976	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2976	firefox.exe
5696	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 5068	1312	msedge.exe	98
PID 1312 wrote to memory of 5068	1312	msedge.exe	98
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4936	1312	msedge.exe	99
PID 1312 wrote to memory of 4264	1312	msedge.exe	100
PID 1312 wrote to memory of 4264	1312	msedge.exe	100
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101
PID 1312 wrote to memory of 1800	1312	msedge.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Diamond-Service Spoofer ImGui Base.exe
"C:\Users\Admin\AppData\Local\Temp\Diamond-Service Spoofer ImGui Base.exe"
1⤵
PID:4620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9de6346f8,0x7ff9de634708,0x7ff9de634718
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8440428152694188138,1214975892597901649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:3320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1656
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2976.0.1853101658\466273705" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e416ef17-08f3-449a-a3a4-93fa89f4e6dd} 2976 "\\.\pipe\gecko-crash-server-pipe.2976" 1868 1baf9d12758 gpu
    3⤵
    PID:5304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2976.1.2040308663\935418040" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e471f1cf-69e6-4f5f-8324-bea373c5c7e5} 2976 "\\.\pipe\gecko-crash-server-pipe.2976" 2436 1bae5b89358 socket
    3⤵
    - Checks processor information in registry
    PID:916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2976.2.1500944690\472024291" -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 2996 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bad34a0d-37eb-4db4-bae7-d2e01c584273} 2976 "\\.\pipe\gecko-crash-server-pipe.2976" 3012 1bafc6e0c58 tab
    3⤵
    PID:2080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2976.3.1393584885\1454339722" -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {565ee761-8cbe-48a8-bdf2-db5a460bf1a4} 2976 "\\.\pipe\gecko-crash-server-pipe.2976" 3692 1bafe9ce358 tab
    3⤵
    PID:3820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2976.4.1290629337\2016014051" -childID 3 -isForBrowser -prefsHandle 5000 -prefMapHandle 5056 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e025f5b-454d-407c-9005-22c34e75e005} 2976 "\\.\pipe\gecko-crash-server-pipe.2976" 5128 1bb0194f758 tab
    3⤵
    PID:3052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2976.5.257903648\970802156" -childID 4 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15b8a6b7-b2fb-4a5d-9afe-f64217bc3563} 2976 "\\.\pipe\gecko-crash-server-pipe.2976" 5368 1bb01950358 tab
    3⤵
    PID:1796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2976.6.807670619\1565047479" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69a0e21d-3c43-4298-bea9-f68c36b209c4} 2976 "\\.\pipe\gecko-crash-server-pipe.2976" 5152 1bb01950c58 tab
    3⤵
    PID:468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2976.7.2142793759\2079819720" -childID 6 -isForBrowser -prefsHandle 5824 -prefMapHandle 5820 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2427d872-7bc2-4f5d-be7a-4338e861b075} 2976 "\\.\pipe\gecko-crash-server-pipe.2976" 5836 1bae5b79058 tab
    3⤵
    PID:4812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b56675b54840d86d49bde5a1ff8af6a

SHA1
fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811

SHA256
86af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929

SHA512
11fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48cff1baabb24706967de3b0d6869906

SHA1
b0cd54f587cd4c88e60556347930cb76991e6734

SHA256
f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775

SHA512
fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63061d80f5f10b3f50856c140cc1e9ec

SHA1
028238d14a0e35d8bfc75dc6341d5302c011c0c2

SHA256
6ae657c0bbda622f63c5fac8ba4da683af43b437d4c029bce2b83cb9a8e17089

SHA512
f9c262e14270e6581da0d118abbb05d6f749c71e740fda92a975823c8d67c6ed4a2aeda1536c3ce46fa0bedb6b068cb36527078e7aa4bb5088224a54f3535989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d76134ef3f4e6403ff96343f5dc7e30a

SHA1
b7b61c6a7a035dc96b9928b9e3e39551d5f8fd41

SHA256
c1b9c63823ce36578a4ed0b286d9d8b36a638163990ca8c690125d7e3f6382af

SHA512
36b142150826e4ebc5149f38fb2f059b0f4eb6426ede2451ec1b2d7e5dc18db392fd46d959e3da7c133cae30403489800b1564e8e18bccb3c4a9972e1761c65b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93a5cbf94d70241b8ee8a53b633f1c8b

SHA1
f61671bd722ce0b16d65891832a3073b9f7022c5

SHA256
06ad93a2e19dcce736ffe1040e61eaecffd1b87f30d2762493a7c831c2069be1

SHA512
25d99f0f0f68d3462bfe7f0eafe95afc6fb0ae203d970ddef0b825fca930d855912716420bf92b27eca21b10ad4dc0b54dbba8b22f2add848801bb3c167b7697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a68b168066fbefb66d92807e868701b5

SHA1
1eca12c714f7d4bf76b61427f85c47105bf14686

SHA256
5593c0084afca7062f29d8089f5650f7f243a87f80b04508a847e9f5f9eac644

SHA512
fea806bf10599d2b385a010b750da09de83876da12644e855709e256560dcd713cf76de9a0f6343e7a1834c1b3a82ee272c3d5969ea4ca7f36ed950febcce5d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f13c3af6-caa1-4c00-a7f0-597bdab90ce4.tmp

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
900bc1e56ca6c303b45fbdda57183bfd

SHA1
4d633f7f4d227431aafda5c07b0e847008db0eda

SHA256
6fb2984d8c9791236f7eb2197f3ab0768d0961c8759a6e6ba478f442b17ea23b

SHA512
abdbf7077f5855d3bcfaa85b99b7f841f7dfe9cdb95bcd79952c372321b1c01d22034af691ced6c74b5a38372950a856e7b28282cd852c7f1d31109e0723d579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3d7ddbf9d822ef7c93c1a1d6c151d658

SHA1
8a3c6201205754213ae0bda10ad8c6147afd5a0e

SHA256
c2ee68c00d6804b0a1e021953a95fb2b0f781752dc12d46cf5784a4c835373d0

SHA512
1bdd414f0569b2514e0503748a5142681667cb741445687b9a6340dafff8d692c7aaf703df841ecbd450c4e171a61a947bbaad8b30adf263130f6f33f7d293f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63ce05fea1ac323c9fa6115c54b002e8

SHA1
840cfc447574ee36241db7a4512013aebeec4a08

SHA256
70a79affac0f082123c0cda058da38193a8c44abb06e84de535fe08c1c3efc9d

SHA512
cf0aa6e8d66f6fb8e88b6cd1aa2b9c1839231190c362caef830d1d2180bb792e4bf678f9a5a0f67e837c7cc33e81375ad9f2824e30b0a329f5136eed0b189898

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ossp351b.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
fec5b10161dd6893397d5faf3d33097b

SHA1
49d63753b12e7257b8694bdef0e371aa22a35e9a

SHA256
937eac24dec7ebdb3c97b41f4aa32ce57cdee460c173f414fe24378b1d242832

SHA512
da02b03c78500d1db6d394cd9e23e2d73619bcbc0e7c327466b146022b66e8e226411b0843d29a7ca9c8963ef5ff9ea33759a13902125dede584707564b2c956

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ossp351b.default-release\prefs-1.js

Filesize
6KB

MD5
ff662dd573dd30f08475eb42c09f20eb

SHA1
9d5c1fcec4985f2f367dc82943f972170b366e32

SHA256
02ea5081a1d05d23ba799847dcdda863a8cd2f4c2717fde0d5ebb33414a27136

SHA512
d0661ae4f098c13f75f185723f77a2896b03908b9adb78dd29f903ef265fcbe2051c1dc86b0179ef7a140f0d4f109f5bd7f0c10ff70e62a0263a1b1aba689218

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ossp351b.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
be934216e42c566ab377a18c2807a463

SHA1
9ce12175d620f7b0cb26abbce710ae26715c9f6c

SHA256
86a037db1c0e9a36c2ca49f733f66cb22ed865a57a4f5d49c1169a697b13743e

SHA512
c45bd99553f1f70650281ece496b7b1c02539d44a6fe6e4cf1f4d9cef449e66b725b61d1a8e7e9e0520ac2debdc62ac4ed67f2866a961bc76cb20225adbe4f48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ossp351b.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
8af0d639071baee571a9b4fab540e5ab

SHA1
a2c5fa4f7606bf44947fb87863adf5e84913c598

SHA256
126e24ed36bd2bf22e34a249e996a1b95b91a682ec25679bce11fc5a455b924d

SHA512
76cde3a0360e32a79a4fea05b2e2666e3b4196c88a2057239b1c4721f991ef56c432a57fe038bcb2ab95a5c0bc3775ae345efd405823f2c41c24b8146cad584e

Download Submit