cffa40c46db190657b166915bc25c91b9417fc650256806b70eeb0dc2ac9feef

Analysis

max time kernel
902s
max time network
1511s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
24/05/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheadle-62c5792bcc6af.txt
Size

101B
MD5

5c2266dd6ac454b9a3313fd67730fa77
SHA1

adc1921cc920e2f2b825da87bdc9fe6e3fcdca1d
SHA256

cffa40c46db190657b166915bc25c91b9417fc650256806b70eeb0dc2ac9feef
SHA512

29f9665e382bd0367804cea0719762a2b3e93b8c48dd3e510c459a216e0013e35058ba6db2dd2d2c7c51a6920083f9ab13906eece48994d0e8e64f06ea96b8c7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2468	msedge.exe
2468	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	firefox.exe
Token: SeDebugPrivilege	2100	firefox.exe
Token: 33	2960	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2960	AUDIODG.EXE
Token: SeDebugPrivilege	2100	firefox.exe
Token: SeDebugPrivilege	2100	firefox.exe
Token: SeDebugPrivilege	2100	firefox.exe
Token: SeDebugPrivilege	2100	firefox.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2100	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 2524	3492	cmd.exe	79
PID 3492 wrote to memory of 2524	3492	cmd.exe	79
PID 4856 wrote to memory of 1956	4856	msedge.exe	84
PID 4856 wrote to memory of 1956	4856	msedge.exe	84
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 3704	4856	msedge.exe	85
PID 4856 wrote to memory of 2468	4856	msedge.exe	86
PID 4856 wrote to memory of 2468	4856	msedge.exe	86
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87
PID 4856 wrote to memory of 4916	4856	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\cheadle-62c5792bcc6af.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cheadle-62c5792bcc6af.txt
  2⤵
  PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb70733cb8,0x7ffb70733cc8,0x7ffb70733cd8
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8092048053150622360,3687430603257777112,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,8092048053150622360,3687430603257777112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,8092048053150622360,3687430603257777112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8092048053150622360,3687430603257777112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8092048053150622360,3687430603257777112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2444
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1832 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ed8ac45-e311-4d08-8fe0-955fef9e344c} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" gpu
    3⤵
    PID:1588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 25495 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbe14ea9-e4fd-4441-824e-8a2ca56c9efe} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" socket
    3⤵
    PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2840 -childID 1 -isForBrowser -prefsHandle 2864 -prefMapHandle 2652 -prefsLen 25636 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd9ba67c-3965-4dc7-ae1e-78ad72ed774c} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:3624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3468 -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {293ba4a8-8ce0-4cd5-b856-f5d85ca1b720} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:4444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4624 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4620 -prefMapHandle 4616 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f999eb-9cfc-485c-9db3-4b230de6bb50} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" utility
    3⤵
    - Checks processor information in registry
    PID:1080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5412 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e7b584c-719e-4636-a3c4-878edf588ffe} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:3848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 4 -isForBrowser -prefsHandle 5556 -prefMapHandle 5560 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {264ce9e8-73bf-4524-badc-fb4c905c230d} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:2348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38539c28-004a-453f-aa42-3c543584571c} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6224 -parentBuildID 20240401114208 -prefsHandle 6208 -prefMapHandle 6192 -prefsLen 31338 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0c2870c-7510-48b2-983d-926f504ccdd8} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" rdd
    3⤵
    PID:1548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6232 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6220 -prefMapHandle 6216 -prefsLen 31338 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f832050-5e8c-434f-80a1-daf3c5aaa2ce} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" utility
    3⤵
    - Checks processor information in registry
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6576 -childID 6 -isForBrowser -prefsHandle 6568 -prefMapHandle 6564 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0611d50-8e25-484b-bf81-e3f6d15307da} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:3096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6020 -childID 7 -isForBrowser -prefsHandle 5652 -prefMapHandle 5640 -prefsLen 28543 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63da815d-3cb6-4ffc-9e3f-10cb01be4e3b} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:2780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6868 -childID 8 -isForBrowser -prefsHandle 4520 -prefMapHandle 6544 -prefsLen 28543 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adc1585b-9605-4670-8a8d-89359c3b5ee4} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:2888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7000 -childID 9 -isForBrowser -prefsHandle 5820 -prefMapHandle 6012 -prefsLen 28543 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab5838e6-40d5-4e71-99b8-119f65af896a} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
508fa45ca9a4b930bc275bf960bb3152

SHA1
764ab0da6a3ba846f88ae34b003df6e3e87f9dec

SHA256
8e7f64861cbcc0a4a7e534735c3b27ac018d3c8a759aca95d6002486e49f1726

SHA512
c92204e9eee1ba8db940d05c6412e5d0ca0840868d9c67393b237cf77fc620910a50d63d0dc9fe3c2eea3579ac6292e750cf41e35eb9cb2f8f4f9a47530efaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
30c39646527ddaef19d3b94b5d11f4cf

SHA1
53559e79cf1ab9905ad2ab21e85ff56958ca8ced

SHA256
ee670184c8714850494e31d392e6f9228addf2ee277ce8c47d255247726dd0ef

SHA512
f286c1e3a998f95b361f7056ba7732c57a1e0fbd5cc1a3b4241e36c493fbc91541b2db3484c556fd747b181a154c446fb324af9a6037d5d2757e58fa2a065880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
82686afdaf0c28bb234e264bdb7c28af

SHA1
f95e73115cb98c285cfd7d0093d3da155cb5c3ea

SHA256
969ce828ae1a355fbf8f8495aafd823db89f6db5703aa1e592921afeffea5619

SHA512
5a39dbd3841e977d66715ebde4d3f7124a4c2947cdb832fc6fd5b815b526c59c5a067a93cef961344f5a642bdbb1f9504a441df0dcf1aed18d34a69e42f5589e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A6NZ3KQNWIBNTV4FXVYC.temp

Filesize
7KB

MD5
978cba6dfaad47717d9c9575773a56ff

SHA1
534ebf68b2b51c64ec2f011dfd8683fbba5cfcc9

SHA256
2bde54258cc8fa6501da024620e418fbcdbf1a239497fa38976c4e82b6ae6733

SHA512
bb9ad1a65e993c8da7d1a1117f4de8e1ba4182e2a13359d52c0a0275e9aca253acbc6430015a1005c8bb8a3f9d476d5d734073a379a22d8aad1467d295158b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\AlternateServices.bin

Filesize
7KB

MD5
72c9bfdfd2855ddd94e6cef840167819

SHA1
b22a726f9f760bbabecff007814541eee7d806b4

SHA256
07bd2b117b69bc3b67f2ccdabdcdaf2f5d63e7e232819509a3319e0e9c07b17d

SHA512
c2a9f34089ec08b953364f7e46721b94ea2540e268f466a1c4c0fb792ce030aa31c8d6f36094bb7863710da0d60236039a9400c7f0d5652bf78ec40d9a322ca3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\bookmarkbackups\bookmarks-2024-05-24_11_jd9W0U2wg3PE4xPg7hhnCQ==.jsonlz4

Filesize
1001B

MD5
0f3e2acd1b261424e80d39a04c33068a

SHA1
edc5da8aa7768415db3b557178b2724d902afdf6

SHA256
ec0c1654120720f01e638c22acf8de4796ca2015745b2d3652d0e8071d362c9b

SHA512
d9fdcb0466588dcd52120b05912aa91ff24e5f99b2944212b512e7ee295326eeb694f7ced7b886782a0f303b1b0e0507de4eda7fdeba21424d22e15101231078

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
33KB

MD5
58d5bca76f293baaa4c2a584943e945b

SHA1
565b22772df2b7416a325e20d04c7f1035decf54

SHA256
4f9aa2a494133d656579fe30a76b365f9bc8546109f94fd1cf092b051e29a49b

SHA512
5dd898075054d0c489d71b77287cfa062b213c70ad7e0a681c3c4a0d16e860a9a0829f96ca8ddb937273c21afe4fa560d88fd6ab4145ece9e10eaf2c7165d2c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
928cdd4b383da5390febf0073823fcdf

SHA1
7fff7206d64d6b429feda3818691fc3e00305f98

SHA256
d63fc511e91007c3a4f74128ccce6ca7deca13e85babb5efeafb2b2f8077bd6a

SHA512
431e0a1471a365ef87837021d60814cf4fcfd29a3a81721f67d4def71be2768d15d38375f0aa4a819baa25a94fbc635e79b5ce48f4295bfca17d6523431d19d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b25df8943c1ebaacb04f8c966cd98398

SHA1
f04edd00a35d8bfab8d53a34e89cddc92539beb1

SHA256
84b7bd6dc2e908fb3921f86870325b17158bf771e896988e63d6ff0d2d7a18c2

SHA512
51ec437df07805ee52d3efbb6fb0862432c2cfd979e39260a4eef891608af137533e8d125bb07e670997f8442740ece74f716014eb30c1cb1612c699b5759dee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\3b1f0d63-2a84-4c42-bc37-c77a5638afd5

Filesize
26KB

MD5
c7817cdc43af24236a8d37ce0dad3d8b

SHA1
2f8241b12d032b58da5e819e8deb9f68e00847c3

SHA256
59ac01069a7c02e8c6c9dd267fe40937cfa913fa1c476e8cf5e22677295f9d92

SHA512
2e3fb59991a645fd86ee1a23ee7d71512c81f848efede2c1b324c53eb8dc970b916ff09e08fbb2a3d155e2e039d72a15bd177840941af43828872ca22828b013

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\9ed45a66-f91d-445e-abc9-5f0a504ced22

Filesize
671B

MD5
160807ad443f412435ba670680ed5373

SHA1
44b801eeb3084aafdc5d6d4495ca84866e12da8d

SHA256
a26ce31bcc84150dd99b2bde96ba306ac6f7be26b593360c83894ca35a28c789

SHA512
705370863bf0644d847e11143a5d929972bc45b0bd87550cce5aa92565640369a4c45b6f49fd2d8a9866749cf1ea20bfe1d5828e6d29977bdddd640778c83649

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\c46f502b-33d1-433f-a3d1-d06c2e2b56f6

Filesize
982B

MD5
7dbc65bba117497099652c26c555bead

SHA1
814e9d830c600963c7d6617b8e0fad91ac19b3ae

SHA256
8f22a6518d7b525f9ff2d23e6b908e844803f1a61f343316178463d46da15552

SHA512
524c289ca5eef479a30a25eba48e3f6706f711a36240e74d3c5d43a3d304a7f80249da7f1eb5c8960cc902d78dfdc5212acbe4c23cc752d5bc110666e8af3b0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs-1.js

Filesize
10KB

MD5
4ea8fdcee02baddab3f02da408efb8ce

SHA1
2d434b0244078d743d4128e98f8371096471f10f

SHA256
d8e91691fde82498445fc416b85f1f27d8f087c623d4d095fc66cdd71377d24e

SHA512
12b270769091eb7e5403b8d5f810326318c869408442a4020f18b9a2cd59c02cffd39b6df40382e73c5f6f4bd324103bdf39503b89025a5a0486f15c88ff3e1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs-1.js

Filesize
8KB

MD5
84f8fa478ecf2519259f2aa748d01d79

SHA1
7a0866867eca4fbab12424195adaff9589aac935

SHA256
184bd55b28d7dc68e58c954fa6c16c20f0221914198072bbb535e3dd97dd9e84

SHA512
762e1ad9635e886537ea10f8a26525b4a9bdc212882b89b8f30f2a4817fc9ca81bdb2f09bafe92f46087bf7014c8de626022c122f785c2a484cb5b8e9666ff56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs-1.js

Filesize
8KB

MD5
fd618c481f59744391b2fde30f6caf71

SHA1
e4abec6ed59852b9e79852e6eff93b60b2b49988

SHA256
f7fe476beb5e14678496124847dabd4c28f664e4a5e9645153e94163f293d7e8

SHA512
4fe2b74d9473f624e6c4b4aafa67b16da116d619f3616cfc9651921a292cda01cd7ac4bb58978fc8f42c53344242301ee43bb702a78ea98560acefb21c00f0a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs-1.js

Filesize
9KB

MD5
a474fa972e59c87f35bbaee2a47c2b69

SHA1
b6d56281cb915b1b28c2878307886a804fc4953e

SHA256
be1c6187bf2cfbb6e3cdfc419e33b1435441dc6055bd55b6b6286817340e0019

SHA512
0098c0899d15950b12563287e3900202fd7fcf2859f5d3c35f36fda5c634fb59423b2ba3a284125b0625f1dd4a9e6217f5a4e371e8ff36161c229474acbeb8ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
28a01a1ed8e654eb1006028ce7865599

SHA1
8b9df16e0af1d978c0fabf1f957b1c966684fb84

SHA256
ef610268b346ed04943210534b17ef39487be41b04063d6237e26ba6ca21f461

SHA512
4aa7272658183dd3e46c00f4fb8617ba131d63ed2cab6ad4cc8454056aff5833b9df684934e4fd566f0ae87de7c7116f7051bb99a7678c3e297d7b9029ddb7ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
200KB

MD5
25e4300c801bfbb00dae8ba999e0d755

SHA1
06700161a74442f11b6b0950118dd670cdef8f44

SHA256
5292592931a8ccf65291aaee6db2f9ed380219dcb864f297df87cdd8c7668f90

SHA512
8cad74782f2e338bf1ba5dc907c4a031e86728d4d54d8efd6e3516c2c95b8b3ea5aea2c2b30e38447256dffe3038e7e5a119793f4d62281d9e719f1ff9775a36

Download Submit