hxxp://www[.]google[.]co[.]uk/search?q=what is a QCCP&safe=active&sca_esv=6655eff7308ddb2c&ei=tRQxZt3CCradhbIPhI6_sA4&ved=0ahUKEwid8eXRpuqFAxW2TkEAHQTHD-YQ4dUDCBA&uact=5&oq=what is a QCCP&gs_lp=Egxnd3Mtd2l6LXNlcnAiDndoYXQgaXMgYSBRQ0NQMgUQABiABDIGEAAYFhgeMgsQABiABBiGAxiKBTILEAAYgAQYhgMYigUyCBAAGIAEGKIEMggQABiABBiiBDIIEAAYgAQYogRIvRJQ4AdYng9wAXgAkAEAmAGZBKAB2wyqAQkyLTEuMS4xLjG4AQPIAQD4AQGYAgWgAvkMwgIOEAAYgAQYsAMYhgMYigXCAgsQABiABBiwAxiiBMICCxAAGLADGKIEGIkFwgIIEAAYgAQYsQPCAgsQABiABBixAxiDAcICBxAAGIAEGAqYAwCIBgGQBgOSBwkxLjAuMS4xLjKgB6kU&sclient=gws-wiz-serp

Analysis

max time kernel
36s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 18:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://www.google.co.uk/search?q=what is a QCCP&safe=active&sca_esv=6655eff7308ddb2c&ei=tRQxZt3CCradhbIPhI6_sA4&ved=0ahUKEwid8eXRpuqFAxW2TkEAHQTHD-YQ4dUDCBA&uact=5&oq=what is a QCCP&gs_lp=Egxnd3Mtd2l6LXNlcnAiDndoYXQgaXMgYSBRQ0NQMgUQABiABDIGEAAYFhgeMgsQABiABBiGAxiKBTILEAAYgAQYhgMYigUyCBAAGIAEGKIEMggQABiABBiiBDIIEAAYgAQYogRIvRJQ4AdYng9wAXgAkAEAmAGZBKAB2wyqAQkyLTEuMS4xLjG4AQPIAQD4AQGYAgWgAvkMwgIOEAAYgAQYsAMYhgMYigXCAgsQABiABBiwAxiiBMICCxAAGLADGKIEGIkFwgIIEAAYgAQYsQPCAgsQABiABBixAxiDAcICBxAAGIAEGAqYAwCIBgGQBgOSBwkxLjAuMS4xLjKgB6kU&sclient=gws-wiz-serp

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4988	msedge.exe
4988	msedge.exe
5132	msedge.exe
5132	msedge.exe
6052	identity_helper.exe
6052	identity_helper.exe
5712	sdiagnhost.exe
5712	sdiagnhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5712	sdiagnhost.exe
Token: SeDebugPrivilege	1124	firefox.exe
Token: SeDebugPrivilege	1124	firefox.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
3604	msdt.exe
5132	msedge.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1124	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5132 wrote to memory of 1484	5132	msedge.exe	85
PID 5132 wrote to memory of 1484	5132	msedge.exe	85
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 1420	5132	msedge.exe	86
PID 5132 wrote to memory of 4988	5132	msedge.exe	87
PID 5132 wrote to memory of 4988	5132	msedge.exe	87
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88
PID 5132 wrote to memory of 4648	5132	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.co.uk/search?q=what is a QCCP&safe=active&sca_esv=6655eff7308ddb2c&ei=tRQxZt3CCradhbIPhI6_sA4&ved=0ahUKEwid8eXRpuqFAxW2TkEAHQTHD-YQ4dUDCBA&uact=5&oq=what is a QCCP&gs_lp=Egxnd3Mtd2l6LXNlcnAiDndoYXQgaXMgYSBRQ0NQMgUQABiABDIGEAAYFhgeMgsQABiABBiGAxiKBTILEAAYgAQYhgMYigUyCBAAGIAEGKIEMggQABiABBiiBDIIEAAYgAQYogRIvRJQ4AdYng9wAXgAkAEAmAGZBKAB2wyqAQkyLTEuMS4xLjG4AQPIAQD4AQGYAgWgAvkMwgIOEAAYgAQYsAMYhgMYigXCAgsQABiABBiwAxiiBMICCxAAGLADGKIEGIkFwgIIEAAYgAQYsQPCAgsQABiABBixAxiDAcICBxAAGIAEGAqYAwCIBgGQBgOSBwkxLjAuMS4xLjKgB6kU&sclient=gws-wiz-serp
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1f8c46f8,0x7ffa1f8c4708,0x7ffa1f8c4718
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6308509676851517097,12671531689564217064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3320
- C:\Windows\system32\msdt.exe
  -modal "328058" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF760B.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5248

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5712
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:4196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1768
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b67fd1e-ea54-47c4-a7b4-ec841bd6729b} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" gpu
    3⤵
    PID:5540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d463fd7f-ca6e-49dc-8d9b-2940dd7cffd1} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" socket
    3⤵
    - Checks processor information in registry
    PID:1504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3016 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62701cde-ff0d-491a-bbdb-949631a302cb} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" tab
    3⤵
    PID:3648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -childID 2 -isForBrowser -prefsHandle 3852 -prefMapHandle 3836 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {977f1964-dcd4-47b6-98e8-4ee993051af4} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" tab
    3⤵
    PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4556 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4612 -prefMapHandle 4608 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc888c3c-9bff-4373-b74b-133de9fa6a6b} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" utility
    3⤵
    - Checks processor information in registry
    PID:4400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5104 -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b24f9901-000b-4cbb-bc89-14273ad89ec8} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" tab
    3⤵
    PID:4664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5402ecd-0078-4237-a788-7ee83cb7bd18} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" tab
    3⤵
    PID:664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 5 -isForBrowser -prefsHandle 5528 -prefMapHandle 5524 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee90a31d-1ccd-4dd0-9491-545cb5ac1096} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" tab
    3⤵
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024043018.000\NetworkDiagnostics.debugreport.xml

Filesize
6KB

MD5
3d1bafc46e6220238505dd63cde1e28e

SHA1
2caee2e44e5e7041719d3c68f62491d82de22445

SHA256
b28ef60ef734a0353d31d726cf94c6f1da87a879360c62e13d6ff4398519124e

SHA512
7c25944467242b666ddab448d5e79d3894820249ef103f83c7d934ceaaab091b829d0a79ac189ebe6034b257080da4be1c777c9f7c08ff626a6c5c0d3c6b7e02

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024043018.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4e96ed67859d0bafd47d805a71041f49

SHA1
7806c54ae29a6c8d01dcbc78e5525ddde321b16b

SHA256
bd13ddab4dc4bbf01ed50341953c9638f6d71faf92bc79fbfe93687432c2292d

SHA512
432201c3119779d91d13da55a26d4ff4ce4a9529e00b44ec1738029f92610d4e6e25c05694adf949c3e9c70fbbbbea723f63c29287906729f5e88a046a2edcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1cbd0e9a14155b7f5d4f542d09a83153

SHA1
27a442a921921d69743a8e4b76ff0b66016c4b76

SHA256
243d05d6af19bfe3e06b1f7507342ead88f9d87b84e239ad1d144e9e454b548c

SHA512
17e5217d5bf67571afb0e7ef30ac21c11ea6553f89457548d96ee4461011f641a7872a37257239fa5f25702f027afb85d5bd9faf2f2f183992b8879407e56a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b7cbfd9b66e6097ec8f2744a4642db9

SHA1
ec0ca9720978932cdf7441ca7b1eb8118ea41609

SHA256
b3185f58f14fa15d5e8e936308b13696285b43a13a3b3d5df4618af568c5a809

SHA512
ab16f6c4945b0695d266bb9d76b8314ff42a1310642e13361c32fde9a8d849c8e24f061d55320ce502202d87dc8c619497141ea92ab40b0976071d53979f4d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
443e01562ce0c4ec965bf11c5dc7871c

SHA1
6f3e075d4f48144f6914026a6b02a13ded694c1b

SHA256
e1500162341e2318b5b7ee3c256d6ab5a17c957406f9ce88b5df0e23bab41ce7

SHA512
68be10400ad2e5fa89c77f6b1043f17cee834fcb7ae8d942cc9573a1863a1fca081a4d235349e8c75d7ee726b8e8ea36406df7d211ff1773ee7d574afa64dd93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bf5c228721fa32a4dd1b5445af1859e7

SHA1
048390bcd86989cc103eb206ef6f516d272e68fb

SHA256
4114b74c4b0ca32e851c12fae2960429fd3a46f1199a8d7b56c7bcd2c7c9b061

SHA512
5e7ec7cb020fa62a095407274788583305ce2256b6033e117fe1c8fe51bfdc4b4875c09a2c3256464f38be2178b30ef57747be27472704507e746f9fec4e1d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a7d013e7-772c-47c6-9cd1-0e7b82c4e24a.tmp

Filesize
8KB

MD5
a8d87fbe6dd353bbb350843cf6943c7b

SHA1
d0c393d419a563e17a5a8a1492edb97b46a16e1e

SHA256
f36919c9545ff68afee1f2aef9608436e0a5bb283315a9d2d399f4d0306f5384

SHA512
e3eefe11e9c77721cd926867939e9c9d3c933aed7b12f578d7017378b0a7a8f7ff4c44ba27699621193258c16ee5e718cc7e4c8690e2277a2e66df948f2bba72

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
c07f07b4a80a029f4ad498ef2c46ba35

SHA1
e6f2e5ce528bf8cf9c885005b1d9f622a7380d89

SHA256
b22b657538bff39447ec1c945970ed7da178ea0cffa7224f1b7d66e7a526dc95

SHA512
60e23344d912b0f21faf43bc8d19d20329e47828aacaf0c0473f4bf775765ac77102f6452b6e15872021179e226bdeb026aec706518b6ad9f6806072f7382c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF760B.tmp

Filesize
3KB

MD5
6853f00ab1006eecc635269460a7005c

SHA1
a5d9cdace70086033c65ac232998ade36fa3231a

SHA256
ab646186912a293daa92f84e55b968ac8cdbffab55cf04b06599031693e06e42

SHA512
cb2d57754118cd9a49bca48b2403eff04646a739a34b3a46dc68918aa5d1063e25808c85f2f512a073ea37a7ccb6b7ae32c911da8af15ed7a1e86482347ff9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14gtae4n.esr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e0a69e047d772b4d56ec7d9a8a34119e

SHA1
a549f29edfeccfd39d9cc4f493b9e33c8dbf940d

SHA256
4f66261f7b33555d885ab058ad8b9636f5bba2576942f2c4167e1a34f6d5c8f5

SHA512
30c85836596fedfc88961f36df199c35230aff3cb7a1aee559748b8aae79b149f27c043383aaf2630d9ebd4c25a05d1f0788e69f296c8378185a68c270351ff0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\pending_pings\425153d4-c80d-42b9-adc4-dd8bb0646452

Filesize
982B

MD5
6ebb3b19410f1d28440250f2a58182c4

SHA1
ef17ccaff9b53c4ef2a3035781de68368ae00721

SHA256
7bbef1c159376f882c8ccf9dbb244ae39c77b720982d93a39c7e39a87ade96f8

SHA512
773fc3d7a83b06ad3cfb079b137e2f8a92d87dd435892ab1ccd86e6623e1b9b3b56c809267e845f27ec44e9979aa7cf6ec501855e12de5064e789dd2d1c24783

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\pending_pings\5714bc6e-5456-40e3-a6c0-140d28f0a8ae

Filesize
25KB

MD5
1c16c812b5224fb8be57165858a31a92

SHA1
6504e7a512070b83a58c1913510a8429455ce90b

SHA256
6dc9c5f4315140f361d5a518e88472682d27986a3ce790cbb98c0464d17575dd

SHA512
fd844bf9b5735b95003e030e35137c09aa60bf3f8e4ac74acce4e8f5e67f327d815908ad53071ae2daefe7d9ab841e4f4b41d854d759d7024faf0ded044b3f15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\pending_pings\7dc44c3a-4364-4818-aa1d-17ca26471809

Filesize
671B

MD5
c14400824c1221f5633dd22961dfad4d

SHA1
dc420722f5e7a93406b744fdb65476810f1f06a4

SHA256
ea30b9d3ed09e7ada71e479c3d68df395dbe7df7defa31441b3e5408d3bcde5a

SHA512
e616bbe31d632266b2d34c93b345325987166401aa0fae6512605e471f1c30c87bd6ce920b9af6aed627628f8c33a9e07daa5756d18c6cc5ea433fbd99658b33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\prefs-1.js

Filesize
8KB

MD5
d04c18857fdbda54075aa0ec53968484

SHA1
3d5ec264817907caa23d65d0838a59a5a44c3b7a

SHA256
c6d9916dbbcec3ccd95baa930433e132075dd8d051257e09cd0ffdec4ed093cf

SHA512
9a1c382fd86eb49a0dc3abba725e68eb7b18c8e9a0ce5f7a2116fe90790304546077ac603d69346cfe4cdce3744baf6933fab155e3550cd2ff5265230356a23c

Download Submit
C:\Windows\TEMP\SDIAG_70a5e1df-f5b8-4539-94d3-c4cb291f9f6a\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_70a5e1df-f5b8-4539-94d3-c4cb291f9f6a\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_70a5e1df-f5b8-4539-94d3-c4cb291f9f6a\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_70a5e1df-f5b8-4539-94d3-c4cb291f9f6a\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_70a5e1df-f5b8-4539-94d3-c4cb291f9f6a\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_70a5e1df-f5b8-4539-94d3-c4cb291f9f6a\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
memory/5712-425-0x000001A9B9650000-0x000001A9B9672000-memory.dmp

Filesize
136KB

Download