f548d1ad81af9ffb56e07ae96aef96702160d06a84db8802679686ef2b51d85e

Analysis

max time kernel
382s
max time network
388s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.msi
Size

25.2MB
MD5

be2a13cfa57db16d3f654c5e444c360b
SHA1

7f45d2a4debbbca678cc5c300c59af01ca197bca
SHA256

b086cb6063a6fe194342b3dbe7639aebab02513305c95a914d052e87b54e0523
SHA512

978f4fb1e9df0785bbcd2734d4a7b32d3acab4a215075f0860ccc879bf65714e2c6eabba41ee7c38c0394a9a08b60757544034b21c336c2a3f233a411744953e
SSDEEP

786432:++aMGdE4CF4EgcHxa3pS58g0nfZ3AOnr:++aMGrCKEg+xwS5MGOr

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e575cb6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D24.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FD8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI76DC.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI772B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Installer\e575cb6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E2E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E7D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA754.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CFA551BC-936D-4E76-9637-B181E28B5AC5}	msiexec.exe
File created	C:\Windows\Installer\e575cba.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4944	UnRAR.exe
1000	steamerrorreporter64.exe

Loads dropped DLL 9 IoCs

pid	Process
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
1000	steamerrorreporter64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
1600	msiexec.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3440	msiexec.exe
3440	msiexec.exe
2528	msedge.exe
2528	msedge.exe
2460	mspaint.exe
2460	mspaint.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1600	msiexec.exe
Token: SeSecurityPrivilege	3440	msiexec.exe
Token: SeCreateTokenPrivilege	1600	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1600	msiexec.exe
Token: SeLockMemoryPrivilege	1600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1600	msiexec.exe
Token: SeMachineAccountPrivilege	1600	msiexec.exe
Token: SeTcbPrivilege	1600	msiexec.exe
Token: SeSecurityPrivilege	1600	msiexec.exe
Token: SeTakeOwnershipPrivilege	1600	msiexec.exe
Token: SeLoadDriverPrivilege	1600	msiexec.exe
Token: SeSystemProfilePrivilege	1600	msiexec.exe
Token: SeSystemtimePrivilege	1600	msiexec.exe
Token: SeProfSingleProcessPrivilege	1600	msiexec.exe
Token: SeIncBasePriorityPrivilege	1600	msiexec.exe
Token: SeCreatePagefilePrivilege	1600	msiexec.exe
Token: SeCreatePermanentPrivilege	1600	msiexec.exe
Token: SeBackupPrivilege	1600	msiexec.exe
Token: SeRestorePrivilege	1600	msiexec.exe
Token: SeShutdownPrivilege	1600	msiexec.exe
Token: SeDebugPrivilege	1600	msiexec.exe
Token: SeAuditPrivilege	1600	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1600	msiexec.exe
Token: SeChangeNotifyPrivilege	1600	msiexec.exe
Token: SeRemoteShutdownPrivilege	1600	msiexec.exe
Token: SeUndockPrivilege	1600	msiexec.exe
Token: SeSyncAgentPrivilege	1600	msiexec.exe
Token: SeEnableDelegationPrivilege	1600	msiexec.exe
Token: SeManageVolumePrivilege	1600	msiexec.exe
Token: SeImpersonatePrivilege	1600	msiexec.exe
Token: SeCreateGlobalPrivilege	1600	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1600	msiexec.exe
1600	msiexec.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2460	mspaint.exe
2460	mspaint.exe
2460	mspaint.exe
2460	mspaint.exe
3304	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 2184	3440	msiexec.exe	83
PID 3440 wrote to memory of 2184	3440	msiexec.exe	83
PID 3440 wrote to memory of 2184	3440	msiexec.exe	83
PID 3440 wrote to memory of 4944	3440	msiexec.exe	84
PID 3440 wrote to memory of 4944	3440	msiexec.exe	84
PID 2792 wrote to memory of 4332	2792	msedge.exe	101
PID 2792 wrote to memory of 4332	2792	msedge.exe	101
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 3088	2792	msedge.exe	103
PID 2792 wrote to memory of 2528	2792	msedge.exe	104
PID 2792 wrote to memory of 2528	2792	msedge.exe	104
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105
PID 2792 wrote to memory of 4856	2792	msedge.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DC0FED92582D4D3C9EFBF6AA9C9F04AD
  2⤵
  - Loads dropped DLL
  PID:2184
- C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe
  "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe" x -p "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\ruw9eigh.rar" "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\"
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe
  "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault28baf602h4ca6h40cah818fh4d9e721d060b
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd04ba46f8,0x7ffd04ba4708,0x7ffd04ba4718
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,9293173282931930355,16081332875600055189,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,9293173282931930355,16081332875600055189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,9293173282931930355,16081332875600055189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:4856

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SplitGet.wmf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3240
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.0.1365914863\243469386" -parentBuildID 20230214051806 -prefsHandle 1780 -prefMapHandle 1772 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd052465-51f6-48e5-a22a-52fa1395360c} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 1868 23d40a2d458 gpu
    3⤵
    PID:1160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.1.451216926\254605575" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e92823f3-a93d-4669-a3de-fc1deb345629} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 2436 23d33c89058 socket
    3⤵
    - Checks processor information in registry
    PID:4636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.2.709547513\1198545651" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9590c234-dd98-4a71-8b24-c76caf53f7fc} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 2992 23d4360ab58 tab
    3⤵
    PID:4084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.3.2138388462\896784841" -childID 2 -isForBrowser -prefsHandle 3880 -prefMapHandle 3876 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8064283c-0ed3-42ef-9675-97208051c410} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 3892 23d455ddd58 tab
    3⤵
    PID:4920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.4.291802784\2120969191" -childID 3 -isForBrowser -prefsHandle 5096 -prefMapHandle 5116 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b46ecb6-e22b-4a48-b9f7-847af3550f96} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 5080 23d47648458 tab
    3⤵
    PID:5236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.5.907563690\1083196647" -childID 4 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {327b5236-f018-4dc7-8a0d-14cadf83de83} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 5212 23d47648d58 tab
    3⤵
    PID:5244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.6.156728527\136641946" -childID 5 -isForBrowser -prefsHandle 5500 -prefMapHandle 5496 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0621ea4-5b27-4a8f-bcfa-8795384dd855} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 5508 23d4764a558 tab
    3⤵
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.7.342407740\1698086343" -childID 6 -isForBrowser -prefsHandle 5636 -prefMapHandle 5904 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efffeb6a-a341-4b1f-a1f5-1784f5289857} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 2868 23d45d2ed58 tab
    3⤵
    PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575cb9.rbs

Filesize
22KB

MD5
d0bbe98421211198a2b5fe2d708b9fb8

SHA1
37ba16af1ee0c5506372bfdffedeaa948004a193

SHA256
06ffc23061476c5801d179c914e0bd9d4df0a625106271d74a34e7835c96f66d

SHA512
f43d8d0b11839bcc56bf7402b538a57024f5b1a2f723e8f595fe1f824e224fe2d0fae83c3b85b04b5ddb4180f0fcd363cc4d4c5215fff95be101d125e58fa113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
101cc037381eaa36637f2b53744ff7b6

SHA1
dbb4abac03965c5036241840fd28732b790ac936

SHA256
15303771bf691f4a14aa995627257890840669ff553c945366650d607ee5a1da

SHA512
0633f1d875e39043e8446428c0e59331640e1cef7ce2d863d775dceae24fbf287dae450b62ad7b9007200a526fe98fd849f5938741db73545b22d5b20d87491c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0913af17efc3bdb7e9fa5afb4468929c

SHA1
4141483f079cfc01f32354745256dabc4d7d1880

SHA256
ff95034c4d22b1c9ebcbeb2f1e91c7701d2c539a3a85f57a1a5375ea24ce0ce8

SHA512
2c112f7c31d0fea0ba434584bf5924c40b40883cc6000bb69694b87fbfc82d0ed95812f2d0c844e0c43d28d8285d4e8b07c145b127c6b7ae3fc7eb5f001e5405

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
b3fa830f2e4aa2475ee1b3f828cfe217

SHA1
8c17c73d1554d34a0b23fbe9c8c6d433cd2c4b86

SHA256
4a9dd6158cf9ad0e4f8d249a238b3b0bc56ad94f5b7526dfcb134bd8ad605560

SHA512
1295a35424b8f90878970bfe0507652c7d6217b83034d9d5069f6c004fafe0def79cd288a500725c0768f8eda7044d97743a2396f9e410b45f6c944f78c41959

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js

Filesize
7KB

MD5
c7d1ad915ffde9285d81e87aaf705ca5

SHA1
fc2032d0d9211c05ec697d64bf10ef886dea9e8d

SHA256
6f56f4d04bb0cde0e1eceff943f85346bd35ec8fc29c4b2ef515679afd9eb4df

SHA512
0d03f51e87f88629e5223d3e92815ab979cca6f9abc881a996c5345bcececb45719f9624fc8ac2b1971dce9f3ad42414a5aee008fe112dd7ef64b67608a203be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js

Filesize
7KB

MD5
841d81f77105b899d2ec22199a7a0b26

SHA1
d3ef752488fbdbd205b3d117ce84145789f2cadd

SHA256
94daa4bb7186150918eb3703ad18f82bce83e959b8183989b0450c0305f2f77d

SHA512
56106a862297a1bc3ed4e14f132e7cd9b7ad02ddd1b19370cf7e47135ada3812ce8257a5e00701e9a0af29f1e5116b722483b6678f058a8c370eb2120e34f9cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
0a7516cd72fdc4be6904eeafdbb7df70

SHA1
f4433a92d0fa506e3fe2a4066bda5292ea7fec21

SHA256
754131e49719f7c2693ae0f17e1c76c2e69c38717b45d626931b867796a79d09

SHA512
f30f2c9be18062cef1cbefadfef9977ca6df69c319edcaec96267e92b85b8ddcaa72f4ed370321454fcf3a5790228ccdf8e6b973d3f6adf4418840e6a0d98e6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9a2328eb0694f9e5ebe8000b0558cad2

SHA1
52a1c4135b09ad967675e5597c0341a4d348df15

SHA256
e157cc4d809d099ee367c34601e4ced17c61cacfea2c76a248868347216c738b

SHA512
cf713cf0be907fe402734f614acbe2c464668a4c37bfa970def33fd80b481efeda8e5beceecc568dd5b4464fd63a0d7ddcb8fbfd877b3fa81dc64fffc1c5eb00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
b3864b50640d4e226986b0b4f2c1530f

SHA1
8879861f715bfc4b84c4fff4ea0e4d12bdfb7ad1

SHA256
4599fb99b02ea360077e95da611a03b5234411e9f44a9b3f008ae73d99e4432a

SHA512
6a2f2d737515844af0db5b031d71ee6eb4f654c9050395d960318c2a152a360156f9324083ee6acab5fb825ce842b6bf421a28461eed27f587a795d45bc6aba2

Download Submit
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe

Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\ruw9eigh.rar

Filesize
378KB

MD5
35af121e2e55c85b99cb7daf396fb523

SHA1
f2b073afafa04d96f0bc191e280ac3b658afb404

SHA256
c64353f1e6327254ba4813d246e591f435a6f599bff9f8deb303557a73cd4257

SHA512
24bbaa40c6c5c349dabb9c132fbf1113bc0d8116bf97229ad275d198ae05505699a9f33f9926d2147a6a036f849b928970f18aad6e8837c82f5dcc23cb28dcb0

Download Submit
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe

Filesize
639KB

MD5
fd3ce044ac234fdab3df9d7f492c470a

SHA1
a74a287d5d82a8071ab36c72b2786342d83a8ef7

SHA256
0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba

SHA512
86d7e805fab0e5130003facbb1525ee261440846f342f53ae64c3f8d676d1208d5fd9bd91e3222c63cc30c443348eb5ddedab14c8847dae138fba7e9be69d08d

Download Submit
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\tier0_s64.dll

Filesize
386KB

MD5
7e60404cfb232a1d3708a9892d020e84

SHA1
31328d887bee17641608252fb2f9cd6caf8ba522

SHA256
5a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766

SHA512
4d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c

Download Submit
C:\Windows\Installer\MSI5D24.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI5F6A.tmp

Filesize
1.1MB

MD5
1a2b237796742c26b11a008d0b175e29

SHA1
cfd5affcfb3b6fd407e58dfc7187fad4f186ea18

SHA256
81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730

SHA512
3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

Download Submit
C:\Windows\Installer\MSI772B.tmp

Filesize
364KB

MD5
54d74546c6afe67b3d118c3c477c159a

SHA1
957f08beb7e27e657cd83d8ee50388b887935fae

SHA256
f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

SHA512
d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

Download Submit
C:\Windows\Installer\e575cb6.msi

Filesize
25.2MB

MD5
be2a13cfa57db16d3f654c5e444c360b

SHA1
7f45d2a4debbbca678cc5c300c59af01ca197bca

SHA256
b086cb6063a6fe194342b3dbe7639aebab02513305c95a914d052e87b54e0523

SHA512
978f4fb1e9df0785bbcd2734d4a7b32d3acab4a215075f0860ccc879bf65714e2c6eabba41ee7c38c0394a9a08b60757544034b21c336c2a3f233a411744953e

Download Submit