72f466e2b9157fd8d615cb2132adb823814b6ed8c86ac8825881e9b491e76f6e

Analysis

max time kernel
78s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 15:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PhantomSolutions.exe
Size

4.2MB
MD5

8d2401533111cc9f68adc7cbd8cb3a64
SHA1

e8ba09c59470a5c99deeeae28c88b67df55f8b6c
SHA256

72f466e2b9157fd8d615cb2132adb823814b6ed8c86ac8825881e9b491e76f6e
SHA512

2eea6b499d281cb5e105bf4b13319627e2999e4d218bfad01f595e51411b3d74f334b150013798c928159712d6ec38713959683512e208838bc787ac92e88de6
SSDEEP

98304:Kd7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6K:p+y4ihkl/Wo/afHP

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3668	sc.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
1944	taskkill.exe
1896	taskkill.exe
4676	taskkill.exe
64	taskkill.exe
3104	taskkill.exe
2556	taskkill.exe
3292	taskkill.exe
4368	taskkill.exe
4312	taskkill.exe
2588	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{9C94BCE3-30E9-4F38-A1A7-1D05D19D2139}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5688	msedge.exe
5688	msedge.exe
5440	msedge.exe
5440	msedge.exe
5984	msedge.exe
5984	msedge.exe
5400	identity_helper.exe
5400	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	1152	PhantomSolutions.exe
Token: 33	1152	PhantomSolutions.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3448	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1752	1152	PhantomSolutions.exe	87
PID 1152 wrote to memory of 1752	1152	PhantomSolutions.exe	87
PID 1152 wrote to memory of 1752	1152	PhantomSolutions.exe	87
PID 1752 wrote to memory of 64	1752	cmd.exe	89
PID 1752 wrote to memory of 64	1752	cmd.exe	89
PID 1752 wrote to memory of 64	1752	cmd.exe	89
PID 1152 wrote to memory of 1964	1152	PhantomSolutions.exe	91
PID 1152 wrote to memory of 1964	1152	PhantomSolutions.exe	91
PID 1152 wrote to memory of 1964	1152	PhantomSolutions.exe	91
PID 1964 wrote to memory of 1944	1964	cmd.exe	93
PID 1964 wrote to memory of 1944	1964	cmd.exe	93
PID 1964 wrote to memory of 1944	1964	cmd.exe	93
PID 1152 wrote to memory of 3500	1152	PhantomSolutions.exe	94
PID 1152 wrote to memory of 3500	1152	PhantomSolutions.exe	94
PID 1152 wrote to memory of 3500	1152	PhantomSolutions.exe	94
PID 3500 wrote to memory of 3104	3500	cmd.exe	96
PID 3500 wrote to memory of 3104	3500	cmd.exe	96
PID 3500 wrote to memory of 3104	3500	cmd.exe	96
PID 1152 wrote to memory of 4732	1152	PhantomSolutions.exe	97
PID 1152 wrote to memory of 4732	1152	PhantomSolutions.exe	97
PID 1152 wrote to memory of 4732	1152	PhantomSolutions.exe	97
PID 4732 wrote to memory of 2556	4732	cmd.exe	99
PID 4732 wrote to memory of 2556	4732	cmd.exe	99
PID 4732 wrote to memory of 2556	4732	cmd.exe	99
PID 1152 wrote to memory of 208	1152	PhantomSolutions.exe	100
PID 1152 wrote to memory of 208	1152	PhantomSolutions.exe	100
PID 1152 wrote to memory of 208	1152	PhantomSolutions.exe	100
PID 208 wrote to memory of 1896	208	cmd.exe	102
PID 208 wrote to memory of 1896	208	cmd.exe	102
PID 208 wrote to memory of 1896	208	cmd.exe	102
PID 1152 wrote to memory of 4920	1152	PhantomSolutions.exe	103
PID 1152 wrote to memory of 4920	1152	PhantomSolutions.exe	103
PID 1152 wrote to memory of 4920	1152	PhantomSolutions.exe	103
PID 4920 wrote to memory of 4676	4920	cmd.exe	105
PID 4920 wrote to memory of 4676	4920	cmd.exe	105
PID 4920 wrote to memory of 4676	4920	cmd.exe	105
PID 1152 wrote to memory of 404	1152	PhantomSolutions.exe	106
PID 1152 wrote to memory of 404	1152	PhantomSolutions.exe	106
PID 1152 wrote to memory of 404	1152	PhantomSolutions.exe	106
PID 404 wrote to memory of 3668	404	cmd.exe	108
PID 404 wrote to memory of 3668	404	cmd.exe	108
PID 404 wrote to memory of 3668	404	cmd.exe	108
PID 1152 wrote to memory of 3936	1152	PhantomSolutions.exe	109
PID 1152 wrote to memory of 3936	1152	PhantomSolutions.exe	109
PID 1152 wrote to memory of 3936	1152	PhantomSolutions.exe	109
PID 3936 wrote to memory of 3292	3936	cmd.exe	111
PID 3936 wrote to memory of 3292	3936	cmd.exe	111
PID 3936 wrote to memory of 3292	3936	cmd.exe	111
PID 1152 wrote to memory of 1620	1152	PhantomSolutions.exe	112
PID 1152 wrote to memory of 1620	1152	PhantomSolutions.exe	112
PID 1152 wrote to memory of 1620	1152	PhantomSolutions.exe	112
PID 1620 wrote to memory of 4368	1620	cmd.exe	114
PID 1620 wrote to memory of 4368	1620	cmd.exe	114
PID 1620 wrote to memory of 4368	1620	cmd.exe	114
PID 1152 wrote to memory of 3896	1152	PhantomSolutions.exe	115
PID 1152 wrote to memory of 3896	1152	PhantomSolutions.exe	115
PID 1152 wrote to memory of 3896	1152	PhantomSolutions.exe	115
PID 3896 wrote to memory of 4312	3896	cmd.exe	117
PID 3896 wrote to memory of 4312	3896	cmd.exe	117
PID 3896 wrote to memory of 4312	3896	cmd.exe	117
PID 1152 wrote to memory of 3312	1152	PhantomSolutions.exe	118
PID 1152 wrote to memory of 3312	1152	PhantomSolutions.exe	118
PID 1152 wrote to memory of 3312	1152	PhantomSolutions.exe	118
PID 3312 wrote to memory of 2588	3312	cmd.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe
"C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:64
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    PID:3104
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:4676
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3292
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3448.0.1931384442\404096489" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c285788-76fc-49ec-b6b1-6ab7f1690d9a} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" 1884 1aa5250c058 gpu
    3⤵
    PID:4136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3448.1.2086450044\278741573" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbc72a99-a52d-4bd0-88b0-4777deee3080} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" 2452 1aa45889f58 socket
    3⤵
    - Checks processor information in registry
    PID:320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3448.2.748088791\2144483015" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cfb51d5-3b34-4e7b-9f24-21253b80c6b0} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" 2972 1aa550f4b58 tab
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3448.3.922233337\1303435892" -childID 2 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18a87138-cafd-427d-b652-5a21b8aeb22f} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" 4240 1aa57ad4858 tab
    3⤵
    PID:1748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3448.4.1748056295\1489841419" -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 5016 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3afd223-8de8-487a-aa75-f4c2bbd01bd8} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" 4992 1aa59c4a358 tab
    3⤵
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3448.5.116726895\1467563644" -childID 4 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f491c7db-0dcd-4777-8a4b-50f9eb53e017} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" 5160 1aa59c48b58 tab
    3⤵
    PID:4452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3448.6.1136399323\50621368" -childID 5 -isForBrowser -prefsHandle 5372 -prefMapHandle 5380 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {408f2b9e-84b5-44bf-944a-341d9365f7be} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" 5360 1aa59c4a658 tab
    3⤵
    PID:4636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3448.7.529394287\2080626805" -childID 6 -isForBrowser -prefsHandle 5892 -prefMapHandle 5888 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54ef46a3-421d-4b72-8a98-c98ad651f1c4} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" 5884 1aa5b6e4858 tab
    3⤵
    PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc64db46f8,0x7ffc64db4708,0x7ffc64db4718
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3732 /prefetch:8
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3736 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:6300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:6336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:7080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:7088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:6716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:6808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:6880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:6484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
  2⤵
  PID:6488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
  2⤵
  PID:6412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7756 /prefetch:1
  2⤵
  PID:6496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8504 /prefetch:1
  2⤵
  PID:7448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8660 /prefetch:1
  2⤵
  PID:7520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8892 /prefetch:1
  2⤵
  PID:7592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8452 /prefetch:1
  2⤵
  PID:7896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8888 /prefetch:8
  2⤵
  PID:8096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14796514070416079154,15489796432834274843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9132 /prefetch:1
  2⤵
  PID:7892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528 0x4f8
1⤵
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\335d0259-fc23-4d57-9497-8a57dade494b.tmp

Filesize
11KB

MD5
fb4784997e3262ee89f02c0a490b91e5

SHA1
317f92ce559c79e8da857f94e651551f0202db10

SHA256
5260e6bf2e5c3650ea68aa03a3fffa2a893762a074cd9aea886eb981a87a2d51

SHA512
1830f2525cebd82c739a21517126411123acbca9ef8494b5278eb984cf9aeb4e9ece90c29e6d9c6e09f18e26efc894f87c815c4139eec81319c50ffdd93525fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
1024KB

MD5
73a49743661adebd35e4a2ef3ebc3652

SHA1
e863cf598797e5ad3f94668de8fc40496934a3dc

SHA256
a58625e8184af4781b5ab593dc75ffc309ee17062e572c2e14768b0b19e8b296

SHA512
0a5a13c4a3a1cfb0821104431729014243745d020797ae95b9f20778a1e5194e6b92b8460e6181783bfa343acc92d8ebee5d7f0eaadf418957ba1116d4bd6d42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b77c0bfb3013d7ee202e1dee7318dbd7

SHA1
6a94e6eb4848c634bd2a2163913cf4d8b93b493a

SHA256
530fdbe054448d1bd07f72aa017d1c1f54f4bf92291c4dbd791100a0baf5562b

SHA512
7be02631cb90231b45478e4b201c0c057d04a2e3a14fd0c9342b19e346b6c5f147f75dd3109d34e62acbf87e5b601db07006eb608aaf43da783e82009d25aacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
0339f766a364227c06d97e36dac920d1

SHA1
37d404dc00fc99d595fb2a1e15bd35a37ef188d9

SHA256
159e8cea2ed7602106d7b755696d70fba467ed266e3009ea68ce82713faa7d16

SHA512
7e2811db28453525c814e6c7b315bb2b68e8011289ae5e014062af97482eda5d0913b91f42e20e7df80eeeb10ec430b8942b20c87d85246841057dadb4c02e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2a3b30f64ed643e1e6b8ba6397702d8a

SHA1
5428323423c6eed945eb4ae7979fa5a9c99db2fc

SHA256
0ec5cd5427661f8790a536fa597e75aef729981074d5f0db7a1461f68b338ea9

SHA512
2d4abd3c6400ee161915d7deaaa9991bf5f2447c49485fab731b362d79a2020ab844664aa111106360d7b04675c1e286346a85e3e9e4cad227ae2eac8a105e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
26cd2b43eee65d5b6038cca35d536743

SHA1
4dee33d683c55ba2b45bfb8fdbe801d44d7d43d0

SHA256
9095d66bc5c09c70d760221f9f5bd9faf24789abe0210a0b9e4a3d1b051a2315

SHA512
b98c5c0b72eb51cb8ae633cdf2b4da8a478336463ceb5b02f9abc56403ce4ee08961dbd98f425fb8af7e6696186ac61b331948f41778255923b12cf4b144211c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
290fdb905f9b12e01e887788da1c549e

SHA1
de346435498deca683b2156f8813b30fc79a0fe3

SHA256
757a821d0e3cd8a1bee915f3a317ff543a714bc5a1c8ac96f96bbc9a0d303b44

SHA512
db0a9cc2e33b5e32d15a832e5bd56ae64d41375f5f49ddf7a7ff332b0b1b705f061ca2a0ba7f1f282a2666ed3d1f696af1392c1ce4fe882725268d5673ca5c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
1f3f364649e65816dabe06ea2a29df66

SHA1
ea45cf20beb1e8ec301bca3545f0948225ddfb05

SHA256
82a78ff1d05ffccc0c4d95aff35d9a9dc88ef6a5f39010a6293641872570889d

SHA512
0cf1af66a19fad743d78d88fe0c62468dbc83e5135e79c839eaf7158917f89134783ac90c16ac05ed42e503d9eaffae5621f02d43b05e31f8723284d0e74e1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55225ea52a9d8e51a168838fbdb1f944

SHA1
40579e57d0c01e08091c4fe43183b9e2b91e9248

SHA256
9a4dc0ab5d36a473898d124326910353036a2207f30ff88a16961c9e7ae0c507

SHA512
b8628b67e960886803d282e7cdc9266fb8e25444cf8e53c78d4a58c860f5380aed74407574c2f853d08d6dedb9110e6bf07295a36040a291ee04d2c5d4fea749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
a53da8d406cbe819039ae4e251f98514

SHA1
3fadfad0db362904cc5b6178bc31eb25bf297ff2

SHA256
5156464c341cefc561afdb4aa328a2a7e49d970107a21346ee20094434642c9f

SHA512
362186eaeab8cb8ba6d132ee6794098349ad4aa5dca8411b6f59455975907eb576f8f9b7fd67b7bfd16e461df040366552b5d6cbfe884dbae8822e7864a5bb52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
d8dca6fe2c94ca3f8b5edaef6004aeb0

SHA1
2fcb2e6b977ebbe28d3b2387a2466973ca6c17e7

SHA256
34035a66e0997a56da745683be1f0c96dcd83e70e072b5d4d41fc88ba2488206

SHA512
1b740bdef520c33e40c2e02a947ed1ea95a298ee8a7604e2d8194ae117aadec92a36208a31ea45c8f89675d2fd05dd43e112aa32756f985b1ecea319d0de90db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
f10be2795f4fd7ca8e35a1fa0a92c2eb

SHA1
6c3854d26dedcc629b4efa0c7e01f7d909d6adcd

SHA256
e48ecee2f38cac1d30cb4468241d31b79129a21b236d06fd1aff59662b1ee2fd

SHA512
8b478f7943096bd3611c89f41021dcb816bae4bc1b4658f6abb529622c6b452850cb66e8d243da6cb40fca0be92db2f695185d2d4caf49973fcc1a039f7fb149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5830fe.TMP

Filesize
706B

MD5
f992ca5b898faf224b4771963ddc5f1f

SHA1
7383d7c51333e78fd84b2e2be2538d31c0f624b2

SHA256
ba36a2cc03011e19c3cf952f75ec2293087315600489d7bf8a40b50beea7ad22

SHA512
ec7c0add0661698cc6c1a1a86121855b920be5f9589341f5e16ab588652553aff930db17bc9109a3ab1cbf57a51c4215619c4025b411ad6c1d06f18b6bb7ef6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
81ebffc996fec3fc9d458987e7f57817

SHA1
6041c90acda289cbcbfaf52d9a898186d6be452b

SHA256
dc7a076276ea60b83d6a73bcac223dcd36985d1ff3e011314f5251cc56c25616

SHA512
a1c1e053cba8bac79c020e9f7da4a6e05398145b54adb932428e9ee520a2435f618040833dc875a67aee791114fd8e068797a904f31c94866d82e6d32befdf10

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
877133f557f281c6058fb37f23ca7166

SHA1
011ebd8f7a79187d6db1252ba9cc3dd082a7dbf3

SHA256
237c266a4f84e938b17fe2a11ba945c139d0201bd58cd1c95164d3eef4bbf8b6

SHA512
5f7f41001fa64977c7c395773d9249979d02aae10f8a9575c4c9ec5240bc69aa1bc17f1cf36916955ec3e9a5b1e026930c8f826f402383d6afdf9bc191c5f8a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js

Filesize
7KB

MD5
c0eef8202f37eb15bb0e2d80c56006cf

SHA1
64a980ff886e56fd61505805337e4d6eb0908184

SHA256
dea369fa7406d4a2ce0e00b4d15b4e30400047c24d6d51f3579ab99ed0158846

SHA512
768d71e4982c5eb7be7c6e1e2087376726aefac97bdb2be6f15a89ef29e785b6321ba5f18edb0d510835a1a5fee29bbd177697161f253e7ae0803e0a87e41fbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js

Filesize
7KB

MD5
92e1e9a8190eeb87ddb5b31b6f84c4de

SHA1
48b3c43708ea7c06cc310edfb61d77d607719ae3

SHA256
9759dd9fbb7bbab350df0b094ce7aaaec14b5f5cda7d365e294ad65dc8753472

SHA512
827e8e4255d58c88870ee174e291674d4abb1af157187396c93028a8b0dfd216955e996ce2827ace6f1d8a099594c656aa14c8d4a6fff4b6ee226c1308c62b15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
810d79d67e4449b5f5233a5231b4bce7

SHA1
8f07e73364a33153316f15e7f8fd498e1c18d1ef

SHA256
498000d4b6bf2fc0ffe0476d7f0e77526b7635ec1a8e9d8824f0dc4d3d730dba

SHA512
97feb36522143bd07708026d239acee1f141e9ca2f3f25dab0eab4f9cd72c18f43d5228e2dd505c7829bb0840b20bcae1cf32528c0bccc42c861ba63c8335613

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
bbdaed4ba5cecc54ae4d23940c987b1e

SHA1
d4801c22910c68441f186888608244f1b19352e5

SHA256
6591d40a0fcf404ab4ab6f1ae766e48a0e3473ed2329fc024fcfe8e54d342bdd

SHA512
1630004e54add524c934e715e0607b872764728c4c9ef58cedfbb852a4b9e2a27dba872452af53cda410f6844aaf40593b57e4fc602c32e373c0c4425bd4a8ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
201fa062bb44698db47b05f9544195ab

SHA1
4b405e2ed1a15a000096d010f4ad9f5827602750

SHA256
8fc9884eb57cabb9ca42e9574786222083d795e93712c8c37856632ffbabc9ef

SHA512
583a577bd0eec29f54837caa8c5ae16007f37821ea88e8d2aac6f670d2bd9a473adb7bd477c06693bc53aeee3d987ceafb1d469baba6851fd76b65b7c5b9a221

Download Submit
memory/1152-83-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/1152-4-0x00000000065A0000-0x00000000065DC000-memory.dmp

Filesize
240KB

Download
memory/1152-3-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/1152-2-0x0000000005C30000-0x0000000005C42000-memory.dmp

Filesize
72KB

Download
memory/1152-1-0x0000000000F40000-0x0000000001372000-memory.dmp

Filesize
4.2MB

Download
memory/1152-54-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/1152-0-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download