hxxps://codeload[.]github[.]com/Dfmaaa/MEMZ-virus/zip/refs/heads/main

Analysis

max time kernel
97s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-de
resource tags

arch:x64arch:x86image:win10v2004-20240508-delocale:de-deos:windows10-2004-x64systemwindows
submitted
11-06-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://codeload.github.com/Dfmaaa/MEMZ-virus/zip/refs/heads/main

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626036310786154"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe
4888	msedge.exe
4888	msedge.exe
4492	msedge.exe
4492	msedge.exe
3088	identity_helper.exe
3088	identity_helper.exe
6012	sdiagnhost.exe
6012	sdiagnhost.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeDebugPrivilege	6012	sdiagnhost.exe
Token: SeDebugPrivilege	3632	firefox.exe
Token: SeDebugPrivilege	3632	firefox.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
1300	msdt.exe
4492	msedge.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
3632	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 3596	2792	chrome.exe	83
PID 2792 wrote to memory of 3596	2792	chrome.exe	83
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 1364	2792	chrome.exe	84
PID 2792 wrote to memory of 3600	2792	chrome.exe	85
PID 2792 wrote to memory of 3600	2792	chrome.exe	85
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86
PID 2792 wrote to memory of 3704	2792	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://codeload.github.com/Dfmaaa/MEMZ-virus/zip/refs/heads/main
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb33deab58,0x7ffb33deab68,0x7ffb33deab78
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:2
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3924 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3288 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4396 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:1
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4392 --field-trial-handle=1884,i,15370489453797364469,1039810534153577361,131072 /prefetch:1
  2⤵
  PID:1952

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb33aa46f8,0x7ffb33aa4708,0x7ffb33aa4718
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11401785991310670542,8880042221340458397,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:4016
- C:\Windows\system32\msdt.exe
  -modal "262680" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF2BDD.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1080

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6012
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:956

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4464
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:5692
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=22348DAC2DAFB47574703516CEA4934F --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5464
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=62D3C4605FB12B1BA4D516F1B06C26F8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=62D3C4605FB12B1BA4D516F1B06C26F8 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5020
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=841304C4643FDC204EDD037629529C04 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3164
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0D675E54D55D6C00D4D5B700C4BDDF3F --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1144
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1EA9BC64FFDD3D694D79CB7EB644C7D0 --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4736
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3632.0.110010099\314050224" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0da1ae5-7f5a-4cb3-8759-f8239938f6de} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" 1868 1e6ecfe9458 gpu
    3⤵
    PID:2440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3632.1.1456264391\944829578" -parentBuildID 20230214051806 -prefsHandle 2416 -prefMapHandle 2316 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55d5107e-2a2b-41fd-9974-e9ef0a981591} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" 2436 1e6e118a258 socket
    3⤵
    - Checks processor information in registry
    PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3632.2.1211673953\1315669709" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2152690-0d59-4cfd-aad4-4eadd47e1918} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" 2852 1e6f0d0c958 tab
    3⤵
    PID:2148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3632.3.485492552\402576263" -childID 2 -isForBrowser -prefsHandle 3572 -prefMapHandle 3568 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17ad3270-f858-4a24-9bfb-576db3f92a3d} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" 3584 1e6f2755358 tab
    3⤵
    PID:2416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3632.4.526673307\1656932781" -childID 3 -isForBrowser -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6269b274-1370-4d74-a979-a221ee714abe} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" 4964 1e6f458c158 tab
    3⤵
    PID:3988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3632.5.701138051\2040839576" -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e5f3879-c8c8-4146-ab0a-894472692652} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" 4992 1e6f458bb58 tab
    3⤵
    PID:3664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3632.6.2117427278\1139996270" -childID 5 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39e8ed86-5811-4a19-b4c7-8090a1792494} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" 5372 1e6f458e258 tab
    3⤵
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061118.000\NetworkDiagnostics.debugreport.xml

Filesize
71KB

MD5
ea2b8c4fd1fa6938ae193a54bff45a34

SHA1
feab867b314e96583643d5851fe47f0ab7494040

SHA256
fced438757fb61af702626bf948b54322888d00640c189c1938fc57754deaae3

SHA512
b21c89149ae5bbb64f71a7a650cbdcb538289784a14bed1102cbe8249f59540e392ff2e93f47b64e0c94b3c07a2e5812511d9afdd461a266c351ca103b0f32e6

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061118.000\results.xsl

Filesize
47KB

MD5
b5a2bad3e7cb13b4d9e1c074af59938d

SHA1
d7c9f310e8215c064dcae86de99b0ad1bd153e7d

SHA256
cbda26c2343e5060ad19d629a6fe4395815ea1c9493e70623f1f0c48387e1e18

SHA512
a3ca2c65dc3c87d10a50b1e3558d0d12b935b9e681fa939b78bcbfbcbef4c455564ab3ba41bf13e166e2880a27a9b5caf64c46e746ea486e57a9f4bbd0e9f2ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
810B

MD5
fed0a1ed66367e0a548f5cef9db1200c

SHA1
0e41e4a56897847fb67d6dce49df8c85d4e7f792

SHA256
19e8303d0671869c4a1fcf3a18d732b9737d1a2924227af339ec7b4100da83fc

SHA512
95ba2cb5fc3f0fa431c1581f1b3259963f34c70dd47f2e45138565ecc112119801c44bb62eea5c95bef17cbf08d89de0632c76eafcf85a2c6e59e67180e6f75f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2d9efa7f7ffecd5e031ef654bebc335a

SHA1
0efc4dad24f6a10dadd507a91e9a7af80a87a890

SHA256
8a9df961eb172bbd9441a8e90a2281425b444a97f154f53ad8c69b19eef41e4c

SHA512
c69321e0269220ca9e33f91a623683986edb4eb6d7218e70125ec9f9ea464486381f1a0d0bf4332bba91b1376443086f92ab98552f4d39adfdda1ebf63b9534b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5a4587f873f209031ff10324efcd6beb

SHA1
c94e0795c4b3ff3becbf8fd30f95cbbbe8000ba8

SHA256
02f3c19aa3b60b1c2ee16501f1a9c6854a6debb1558539499ee5fc70ca3628f9

SHA512
741c215fbf7ace177f4ff38de6288c4fbe937621d781e9924a9bdf54560a2a181a86d1fe1168f09b1270b01d39a48f7db20746c36c1ff5f4a64cbc7cc32a255e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6fed4c21f8d21d6a291fde94fce92dc3

SHA1
908d1350e2fd5169bcf3f6f4e0206bb051658c6c

SHA256
fe6332ff051f434ec4bba40b79568ca32e85b204b570e5233b8b8fc52f09071e

SHA512
f688156d1ef457dd4ca8f756cedbd9a2af47de841b7243ab47a30aa15a6801f7b56b0a1c5258f16cab45be5479642ddbc684814500f71e7c65e9078aaac80f68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
93805ed52be67280a2d87f7eab6701b0

SHA1
6a558105fe481400a0bc439f44bbab611892d3ee

SHA256
1b40e8e32224e7fda736b5255e106d227097b9bbb36989e483ed7713f8a3e28d

SHA512
173ecfc0aac97e83a580b19b3140fc640e1e00154d91b1cd05a511990ff0b8caa88c6e024ff6f23301de6f465061e37045cae80c326d9679896683471de6635a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d6c764cc-4cfd-4959-a7fb-1691b71bbe28.tmp

Filesize
129KB

MD5
48bac79a0124f79a439a7061329aeabb

SHA1
028e191fdf9818f75c84802f899eed78dc0d9de2

SHA256
859e27f7cf693a1a812859d0ab20231ebcc6c2bb16c070a619acd17a17d7b7d9

SHA512
fcf821d89fcae7c774eebb77d2e625722842fb5efbff2a00bab4e273b94d25dc4a224cde0fb983d2c876507433af97905f82892c6d4f87d5d0748e38cd09090d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
146119c32cf5d5f94966a83ffd06f0c8

SHA1
fd750d11eb666d68eef09775ee3e2b7bcfaae148

SHA256
d690a85f567b3e4b3be493809bd4802d8d55972b0d7939726f7c2e4ce3fb3b77

SHA512
fd912a243d7cbd24ff15170a020d5a490994abd51aa71846e7f4ae0a0c85e2c45ed28a071a0b59b424ddf61db351b46375d4c4fd9474a0c5711b30460ec28f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9a0e8cf07cb2d67d889fda81e60b34ed

SHA1
479c0078d9cf01f430ed40b83124d8d394d116ac

SHA256
760133c263be4449caf853dab0dce36abd52fa56c5d9fabfca7107988e3bcfb1

SHA512
f0b57b0036248bb1e1cd2c6919bfcc600b78dc24d1c9d62215ea37ccbd405036d282012688edfd8d6a4ce97cd7b4432efb7653947d0865e99a9a27ba747d3ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a7fdc163d0605c2cea8a987c36437bd9

SHA1
cbbd063b37f1ef48e8a43d3ed2fd1217f9b66c85

SHA256
3a9a2e02c1251028571eea17c538cdccab7ffc7927d6e106536a0391bf2ba549

SHA512
76bb513b6164555900e1b194a9256bf9ea60da5561941fb72ea9cce2004bff2a285d33e4222af94a6c5fdffcc97449b44cdaa56fad75a37a9542bfefdb4b4481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2e05aec8538a4d4cb368b9a9da3c4e23

SHA1
2d39cb7a40ddb82cba34ed6413341b3a1b4b860c

SHA256
e7fb7aacbd7bd289a8679e9b996efe419ea48a98fea1ed656af5a0157e973c6d

SHA512
8e79ca531e0f0d9f3dee184e9fb3901cc4c2a9b6742b1176c1213b226867b78cf244e4d3a1a3a8becf6809805d46359547342255b182556e568d2d7a6193d940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d3438c939f32b54a0cf85385cfff0f0e

SHA1
4665d691c0897d6b17fe391cb2067d29f440d892

SHA256
193fc3108138776e38057b106caef2bb71b970b511c640c02a128f0d8476f282

SHA512
8c369d3ac565f2570866ea8601fba9e9be1b1c7f75e979602609e4ee6f0659e0583576480bed1c22bc89e7720f5f1f705f139090a273e14a60ef4ecc612740eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
0eee79d06b8d72408060e5381a4ca03a

SHA1
687c69ed055a9fab85439bcafeb5d7b5f30c6c17

SHA256
734869f70a8d6f98b4e5c872c22a196134aa45318ff8fd0ed9f22b7042a6f2fd

SHA512
97abb0ec3fff8b8ef6bf8875b7addbedfd31097591dcd5c9ad00f621e10d11ecc7d3514ad42fe6e6dac7eb52c30f399112fbf1b479fb0b00ba971dfaeb50c716

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF2BDD.tmp

Filesize
3KB

MD5
a9e92c50084c7d056e4a6b76677aa295

SHA1
5307c3d356a57f1f074abdc0743ba9d33c5062c3

SHA256
fcec1b1431322148abc8157c8cfcaaa7da3d8df971e91a3ed26790813b877638

SHA512
70e78f42d4bc51c4b30d61c88ff5593da42c58d3cceb5c1082619a9ca0af460e600e496c41a0a6163e06eef853bcd51df19278c6e3409b7edbec50574ecb9e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvxakzrb.kgo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs-1.js

Filesize
7KB

MD5
70b15f17613d6d5a22230df28bbe8e9b

SHA1
9d5568005bc3a6fc68a98f5cfec2abf7563f45f7

SHA256
b5920e7b44048b91252c310aac40d245e1f74d676430e4e86b2f282e251e85ac

SHA512
675746c1436cb009138ece8c1090d11ac3460683ef3e6165c9dcdf9081aec2a13e39c95b2ca0d90c7d4f23d681d53ebd035d970b8a09f4fd7b98c2bab743474e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs.js

Filesize
6KB

MD5
4d74123931ec7b6c976d6e8f24a0e926

SHA1
23cf0a6e13bcbfe77e0227f799eba31b8b55cd46

SHA256
c82f51aa9b1a6590c58e812da6f1b3b03793fdefdff13d4a05a9351c6cd41d1f

SHA512
5ada96db02074cdf62881da44990c1f44d019155ece61255807cb5de4ae093548317648e174de0480d17f5152cec35a52e9be684622af094413ed9319d3f2b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore.jsonlz4

Filesize
904B

MD5
ec268ac6d0febfd277c210964862c2e3

SHA1
99ef9c926c43324c1e1864b2e3763cf51a2b1952

SHA256
9b9a2dfa8afbd808de4cb5259b00b4e68fa2859a95a9529d33c07bfc4a957e2b

SHA512
a65630bc9f0487519eadb649419c1b9d288c3dc422e0580dda6af74683bb4e82066a9a04b1d2727bb899da97f316d10a0909bef428993d5ba3a6d0524fc644d2

Download Submit
C:\Windows\TEMP\SDIAG_f0f2f777-55b2-4fc8-8356-32b5c6abe400\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_f0f2f777-55b2-4fc8-8356-32b5c6abe400\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_f0f2f777-55b2-4fc8-8356-32b5c6abe400\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_f0f2f777-55b2-4fc8-8356-32b5c6abe400\de-DE\LocalizationData.psd1

Filesize
5KB

MD5
2a84af152808d55f163e70520cf1236b

SHA1
5e80d8bced4cd2208ffde0ffdab168cf10fab11c

SHA256
105ed480e2460eb232b756787759a10b687558df57494e478da5dff686879a68

SHA512
2b6f6076b69607bf59c48d022d1f670bf7af30f4d6e494cb5fc93e573e2ed42015eb302971c59f66b46c6a555220824da60b66e568e98eb82f10249a40a1c811

Download Submit
C:\Windows\Temp\SDIAG_f0f2f777-55b2-4fc8-8356-32b5c6abe400\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_f0f2f777-55b2-4fc8-8356-32b5c6abe400\de-DE\DiagPackage.dll.mui

Filesize
20KB

MD5
77b23ba6c15fd1d7d86ff41cb8346a95

SHA1
6e0668984b1b603fcad6989fca442569c7d70167

SHA256
7dc4211f399e8b9beb3130ea54db4d8c9a776710e5079ce0550c521241389657

SHA512
2d42a2f809d8db7baa5fd1b04c80d63fd6ff258be8378d1e1189e0ca4e54531c4c20d3d018aecb090ba77657acbcdb96d953992548a8b8915a79c41bc6e8de0e

Download Submit
memory/6012-596-0x000001D96C290000-0x000001D96C2A6000-memory.dmp

Filesize
88KB

Download
memory/6012-591-0x000001D96BB70000-0x000001D96BB7A000-memory.dmp

Filesize
40KB

Download
memory/6012-590-0x000001D96BB60000-0x000001D96BB6A000-memory.dmp

Filesize
40KB

Download
memory/6012-589-0x000001D96BCF0000-0x000001D96BD12000-memory.dmp

Filesize
136KB

Download
memory/6012-588-0x000001D96C3A0000-0x000001D96C4A4000-memory.dmp

Filesize
1.0MB

Download
memory/6012-578-0x000001D96C100000-0x000001D96C186000-memory.dmp

Filesize
536KB

Download