Analysis
-
max time kernel: 58s
max time network: 60s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:42
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://www.ers3d.com/home/index.do
Resource: win10v2004-20240611-en
General
-
Target
http://www.ers3d.com/home/index.do
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
-
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: msedge.exe, chrome.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
-
Modifies data under HKEY_USERS (2 IoCs)
Processes: chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627777889511023" | chrome.exe
-
Modifies registry class (1 IoCs)
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: chrome.exe, msedge.exe, msedge.exe
pid | process | count
4996 | chrome.exe | 2
5828 | msedge.exe | 2
5588 | msedge.exe | 2
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes: chrome.exe, msedge.exe
pid | process | count (in report order)
4996 | chrome.exe | 4
5588 | msedge.exe | 4
4996 | chrome.exe | 1
5588 | msedge.exe | 1
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: chrome.exe
description | pid | process | count
Token: SeShutdownPrivilege | 4996 | chrome.exe | 32
Token: SeCreatePagefilePrivilege | 4996 | chrome.exe | 32
(the 64 entries alternate SeShutdownPrivilege / SeCreatePagefilePrivilege throughout)
-
Suspicious use of FindShellTrayWindow (55 IoCs)
Processes: chrome.exe, firefox.exe, msedge.exe
pid | process | count
4996 | chrome.exe | 26
4392 | firefox.exe | 4
5588 | msedge.exe | 25
-
Suspicious use of SendNotifyMessage (51 IoCs)
Processes: chrome.exe, firefox.exe, msedge.exe
pid | process | count
4996 | chrome.exe | 24
4392 | firefox.exe | 3
5588 | msedge.exe | 24
-
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: firefox.exe
pid | process | count
4392 | firefox.exe | 4
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: chrome.exe
description | pid | process | target process | count
PID 4996 wrote to memory of 648 | 4996 | chrome.exe | chrome.exe | 2
PID 4996 wrote to memory of 1576 | 4996 | chrome.exe | chrome.exe | 30
PID 4996 wrote to memory of 2248 | 4996 | chrome.exe | chrome.exe | 2
PID 4996 wrote to memory of 4220 | 4996 | chrome.exe | chrome.exe | 30
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.ers3d.com/home/index.do
  PID: 4996
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d78fab58,0x7ff8d78fab68,0x7ff8d78fab78
    PID: 648
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1904,i,5900281483316746265,4969398841400008323,131072 /prefetch:2
    PID: 1576
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1904,i,5900281483316746265,4969398841400008323,131072 /prefetch:8
    PID: 2248
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1904,i,5900281483316746265,4969398841400008323,131072 /prefetch:8
    PID: 4220
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1904,i,5900281483316746265,4969398841400008323,131072 /prefetch:1
    PID: 2116
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1904,i,5900281483316746265,4969398841400008323,131072 /prefetch:1
    PID: 1032
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1904,i,5900281483316746265,4969398841400008323,131072 /prefetch:8
    PID: 1964
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1904,i,5900281483316746265,4969398841400008323,131072 /prefetch:8
    PID: 3736
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5020 --field-trial-handle=1904,i,5900281483316746265,4969398841400008323,131072 /prefetch:1
    PID: 3152
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5032 --field-trial-handle=1904,i,5900281483316746265,4969398841400008323,131072 /prefetch:1
    PID: 4652
  [depth 2] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4140 --field-trial-handle=1904,i,5900281483316746265,4969398841400008323,131072 /prefetch:1
    PID: 4772
-
[depth 1] "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 2408
-
[depth 1] "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 2084
  [depth 2] "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 4392
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    [depth 3] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4392.0.389919297\995983130" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93b323e4-efc2-4619-a6b5-b719231c7484} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" 1848 206dbd0e058 gpu
      PID: 32
    [depth 3] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4392.1.1407501166\1698070367" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c04072f5-f65a-45e9-9fa8-6253baa7d154} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" 2420 206c798ab58 socket
      PID: 60
    [depth 3] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4392.2.246453214\1380270137" -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 2748 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f96fee7f-7e95-4f43-b42e-f7ad95641600} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" 3012 206de4edb58 tab
      PID: 3064
    [depth 3] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4392.3.1251226654\740301841" -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d4f198a-5d20-4b96-a797-18d63ac5a235} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" 3528 206df172c58 tab
      PID: 2260
    [depth 3] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4392.4.662759708\995417246" -childID 3 -isForBrowser -prefsHandle 5012 -prefMapHandle 5008 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e03921fa-cb3a-4e3f-8bde-da0deeaaffda} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" 5020 206c7941858 tab
      PID: 2008
    [depth 3] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4392.5.1058683740\1760404619" -childID 4 -isForBrowser -prefsHandle 4684 -prefMapHandle 4772 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efd35667-6b05-4efc-93fa-bdce3af714c2} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" 4676 206e2943a58 tab
      PID: 4648
    [depth 3] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4392.6.887952283\546119907" -childID 5 -isForBrowser -prefsHandle 5372 -prefMapHandle 5368 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {388036d5-20ea-477b-9121-fafe8a78952c} 4392 "\\.\pipe\gecko-crash-server-pipe.4392" 5288 206e2944058 tab
      PID: 2552
-
[depth 1] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  PID: 5588
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8c53846f8,0x7ff8c5384708,0x7ff8c5384718
    PID: 5608
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,13463465725458010225,1164077885781090071,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
    PID: 5820
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,13463465725458010225,1164077885781090071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    PID: 5828
    - Suspicious behavior: EnumeratesProcesses
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,13463465725458010225,1164077885781090071,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
    PID: 5876
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13463465725458010225,1164077885781090071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    PID: 6036
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13463465725458010225,1164077885781090071,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    PID: 6048
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13463465725458010225,1164077885781090071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
    PID: 5560
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13463465725458010225,1164077885781090071,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
    PID: 452
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13463465725458010225,1164077885781090071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
    PID: 320
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 6124
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4680
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 6KB
MD5: eb88a83d9a6817b871fcfb78e197d718
SHA1: b7e2ac4ec271e36e6acacfc0c384db19e4c02f59
SHA256: 6bfad7f8bd97f37c25686a6dd7a344ff3745d7676d6b841a089551fc8414ab8f
SHA512: 860c44e18033e0551447ef8856396a0dad5710ed42b907116b32ed1aa540c52353347c8c2eff9a58706eea1f0f7f4ce478f8f8761fd3ad9891b27952daf0e982
-
Filesize: 7KB
MD5: 61854e9bdf4bb43ad41302144fea3aa6
SHA1: 1ed222fbe2e16145edb2fad799eeeb97e8c883d9
SHA256: 5f84afbb091bc45a68b5e173bef5f717bbcf2330f820deaa84bd72c58c9c46c5
SHA512: 92069eb50b19892d6c049143a8b7e9ed066ccc97e9bbcc8a147d9e2958957ec4c7c0fa6f58a2dcf6a484587a7f449f6a4ae8539a8791d3dde1af50ab44233203
-
Filesize: 138KB
MD5: 5dfb3cdb9be3a87265b2afbe78951669
SHA1: e3b904412a9701349339ec50422e7e4508ed85b8
SHA256: 03ea8157f944a47848abde4208082ef9cf233fc6d183de348794b53306fa13eb
SHA512: 570d046172f392ecb887769e4e7e74b8cb86f113d11255d455c3a64a486c491c0afc57a6b3e8ce27683cf5dc8398afd37c6b1ae104a04680c9f9148c5c0a8630
-
Filesize: 152B
MD5: b4a74bc775caf3de7fc9cde3c30ce482
SHA1: c6ed3161390e5493f71182a6cb98d51c9063775d
SHA256: dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
SHA512: 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f
-
Filesize: 152B
MD5: c5abc082d9d9307e797b7e89a2f755f4
SHA1: 54c442690a8727f1d3453b6452198d3ec4ec13df
SHA256: a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
SHA512: ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c
-
Filesize: 6KB
MD5: 7b43ecf6c5b4f326b30c907815d60608
SHA1: 7e164918c33939beea251203ccc0db50117ddfcf
SHA256: 43b60231ed82609ef315acc22a8f4d65e066e4e71cdcd9fccb8100eed2e99f2d
SHA512: d7ddbce15137a12c471cbefade50eacdb117ca0d392c2172c42b96921049fad381b2e1aa629a9e755fbe3acc2386a228e02d1a0334d994ef4e65d9f21cb6af67
-
Filesize: 6KB
MD5: 30445907b401bcd577b5d95291bfb820
SHA1: f0d30b3bb1f068a13fa561097423ec9d30ce0d8e
SHA256: 275b2682ab1dd2ffb0e2c797b821af2c944acfb704541e7afc99fdec8ea287d2
SHA512: 06a0951d070d961774b84cc4731b95412c66e3c18aa70a48293279ae53049bc03088ccdd368d654b7d7d6da86c7b5d819057920905433edae522e0b50e39b1d3
-
Filesize: 11KB
MD5: 5738706b0432ad2bc8a7a890ed6d00d6
SHA1: 6adefb7f88464c42a7175017eaad5c65d884bd9a
SHA256: 006e1eb8c5f2704fd586b85d6150d681794046ef6269eb513fa5ae413cb9f546
SHA512: b013376a48301419b158d2ebcc4346af72f8fa22e1f8a09b672a8939ccfaacaa4e2a8e9e2beadf1021615627cd4939ca34098e843c675f468088ede55b0cee17
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 26KB
MD5: f36f9683ea2faf786d58adac971ede43
SHA1: e49c1f6b4dbde0fd64e29543c4d3991a2ae134e4
SHA256: b5163306f5f4a00487ab2e57dd0ed2232e624c53e53c5b9cca030884c1f64b7d
SHA512: be0fba1b9939118ac77981b62236ec0c245e3b081eb377986b4d2a769cfc3791e037bf840f56f75107e1c09300aa59b970ee65f8995a0f44634ec77f220c88c9
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 26KB
MD5: 527c868aa00b47729bdded3ccbf7937f
SHA1: d0d1773df7390d8f4fa09cc0e9897de33b44f308
SHA256: a323b34e36ac2eca7f0de2e929e7c62caeec5d66eaef2456852705f545fc9396
SHA512: 9168a602883df3f80286b4f71cc3d521c248553b7b8d165b6d3af1b4f4c006b66d9da54fdc3b98c40988ee6d7862ee016ab4f8b7a84ad139fa1d49fcf9edcff4
-
Filesize: 6KB
MD5: 3ced5af9c343c0cb3277184ef353d9df
SHA1: bafc2c65a56b5a86f51736dfeab9443bd1806f8a
SHA256: bce09ea61ad94cd5ca34df975a116a5b7483163f2823657d159a0daf402cfbb8
SHA512: b843014b1e525193c24032fd2014b4a8055a256ae2f073b73e6c1c51794ed42f96d18b127c1220b9adcc5ea7d18523f6a9f0fd02a5675ec7b721142c3d5d574f
-
Filesize: 6KB
MD5: 2a5031b20a135a9fb335994638dd59a8
SHA1: 07447062ec5b320a2363232d55dc40901624a8d6
SHA256: 40a5f27e355679e4060af71b6441d6ce7d0a251fe8b2a23610f986bf94f67ef8
SHA512: 44a4f3b0ab687bdbdd783600c9d642ab028e939786f83e4f8dc160b95d1accb693b8f11638d14875948e676274465bd17bb066e4d47a78baf5b41c2996703545
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: 0adc1d3cf4972cdafc63edb594fd05a0
SHA1: ebcc72f82ecc8bf63889c8d6a50a6b489fc2f7d3
SHA256: 9b9e916d97a06737efb472266804cf672febbdc076d0dd6939a24e9ad144a3b0
SHA512: 202c4099708ebdec87f3a0c276c6a464796c58ec7ebd269c807d41cedb9de47645b5d0cdb63dfc4fecf056e4c216565a0589f798982555375a1fb643cf4d032a
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e