hxxps://cdn[.]discordapp[.]com/attachments/1180735084303745045/1262059805263138857/AetherX[.]rar?ex=66953849&is=6693e6c9&hm=0d1a3c2d1ba982d02b9ccc9a7098720400b2242e138a7f41cc40f44154ad9c66&

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1180735084303745045/1262059805263138857/AetherX.rar?ex=66953849&is=6693e6c9&hm=0d1a3c2d1ba982d02b9ccc9a7098720400b2242e138a7f41cc40f44154ad9c66&

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe
4388	msedge.exe
4388	msedge.exe
2820	identity_helper.exe
2820	identity_helper.exe
1596	msedge.exe
1596	msedge.exe
5936	msedge.exe
5936	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4836	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	firefox.exe
Token: SeDebugPrivilege	4376	firefox.exe
Token: SeDebugPrivilege	4376	firefox.exe
Token: SeDebugPrivilege	4376	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe
4376	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 884	4388	msedge.exe	84
PID 4388 wrote to memory of 884	4388	msedge.exe	84
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2276	4388	msedge.exe	85
PID 4388 wrote to memory of 2344	4388	msedge.exe	86
PID 4388 wrote to memory of 2344	4388	msedge.exe	86
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87
PID 4388 wrote to memory of 4456	4388	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1180735084303745045/1262059805263138857/AetherX.rar?ex=66953849&is=6693e6c9&hm=0d1a3c2d1ba982d02b9ccc9a7098720400b2242e138a7f41cc40f44154ad9c66&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefe46f8,0x7ffaaefe4708,0x7ffaaefe4718
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,928547753113811181,12670864347658287859,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4688 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4836
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\AetherX.rar"
  2⤵
  PID:5856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\AetherX.rar
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.0.201118038\814171832" -parentBuildID 20230214051806 -prefsHandle 1712 -prefMapHandle 1744 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a759d30-c8ee-424e-b47b-cd57e0c567be} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 1828 2043982da58 gpu
      4⤵
      PID:1684
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.1.1718343734\1789918985" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbc21d0e-22d2-4b7f-b427-1fabf16b549a} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 2460 20425586c58 socket
      4⤵
      PID:388
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.2.1971782490\7081778" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2948 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1020 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61c6bbdf-16b2-4ca3-983d-ad2c8bd5bdcb} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 2976 2043c21e958 tab
      4⤵
      PID:5228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.3.1431560471\1359324710" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1020 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6709d21e-b048-4d05-8590-934894fe1f63} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 3604 20425577e58 tab
      4⤵
      PID:5380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.4.643514474\1245478690" -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1020 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1078e978-0d4d-4a25-91e7-9ca10ea85d99} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 5484 20425575458 tab
      4⤵
      PID:4996
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.5.1010941399\1888404905" -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1020 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5875b8e7-0fb6-4b27-bd07-36528e5dcebb} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 5432 2043f016b58 tab
      4⤵
      PID:3584
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.6.1467768398\1790200500" -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1020 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3380c2-ce77-43f8-a505-b3a7dfd82362} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 5700 20440d3bc58 tab
      4⤵
      PID:3200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\AetherX(1).rar"
1⤵
PID:5892
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\AetherX(1).rar
  2⤵
  - Checks processor information in registry
  PID:5528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:1156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\AetherX (1).rar"
1⤵
PID:2556
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\AetherX (1).rar"
  2⤵
  - Checks processor information in registry
  PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
210676dde5c0bd984dc057e2333e1075

SHA1
2d2f8c14ee48a2580f852db7ac605f81b5b1399a

SHA256
2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

SHA512
aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4e6521c03f1bc16d91d99c059cc5424

SHA1
043665051c486192a6eefe6d0632cf34ae8e89ad

SHA256
7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

SHA512
0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8c3b2043-0376-4cec-afae-42b156dc4094.tmp

Filesize
6KB

MD5
7e7ebb851c69ee33f58a046a1b00dd50

SHA1
c21e3b19dfafd4094d42a17a4e9d387a527b3a2d

SHA256
52bb98548cc92552795cac05e706cff5a3da0cb0c728c0aac9e2d72be8bc8e40

SHA512
faedc60ce924923dc1e21e3874bd06d34276f8c52201c1312f194e455dfd277ae2c68650754627b21bb8b646a981b7cdda9337196bcd2e00f00dd3dbc14fe31e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
242ed8feb352aaf372bb3ad3d27e27a0

SHA1
7dd8a131064601e057dfcbfd1a0913128d4f23a4

SHA256
9a572d3159c15bb34c163db2a369faa4876d724dd0bf95c96fcaca1f6c1d819e

SHA512
eac8bcfe55d6b15f09008288b468ae618685b0b399381e1273c549b014296927367aec36565b199d319d4075fa003d7f08f57fd43c23b126b2ff1b8075e1a664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3abc21432d1fced39bd181341939397

SHA1
ce45bdfa6a4a0215ec14ed9b777e91ed48f551f0

SHA256
8257f4a7c34d35e3ab9cf770ddb551136a83546f6dae4e007d15d0a0673dfc1b

SHA512
6c90f2aa8450061756dddfb51ea4e04583a6b7b365235338677adfbe59658aaeabcdcc12aee356d0bec45a8c956e22d80560d057284f01682559a8b19ab4713d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
579494bf408e07ca754d5034f3ef7408

SHA1
142f72ae8bc86d953a1ba34480859b44ad1b4c67

SHA256
4dfc1e5391656aebc4b402c36d1365331ebad9047ba84bbc9329e1703d6f94f2

SHA512
89dd3f380ecc9bf258c981a5b22bf7a241d69cc5d5492e6c3b5697de6c6a66af3fe34abd525fe8bd84f2b8aec5cfe5b5982a8d755ad13e4de929db0ab6d4be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3144aec5500fc31996f8b6910ecd5646

SHA1
a0b62ada368a79dbd617be9b33c5b3ce90b4fd83

SHA256
2d476e8bbb9cba22e03e1c6af0d8b3834c5e6ad0574af8a714df8d4b9b00047a

SHA512
0884a966d0c551acbaf053828b6586573b3031e12e5522f839f332527f804e121cc525db3a5fdded00c822172df23699023027be8a4efc9f642dc9012382b33f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
02ebe7ba383e7b605c088246d9c1b9ec

SHA1
14a4dcac50ce63e3280010b4545ca2848b22b44b

SHA256
82cc305a587a7197befbe65d2ae8587542a66c08cd84f8dc3ea205715490f89e

SHA512
b1b32af906a6b2e04faf66e0c1c3f1c8d43d5ea2e1f10fbeb1a05054ef7d3b80b4bd4d8b5c79f6305e9823cacb2847ef466dd51f782cb77ee93d27f1df6af9f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7a9d6bee3daa581651b401d64a3b274d

SHA1
292cedbab355c5c74c3abf6912759ba1d4296ffe

SHA256
fccb85997e0bf6c87150f8c142245b5d20e1a18881785b2734199a11267cba22

SHA512
f868bef572d69b0625091e8dbf36745c7572a6e2a65c47a63ef05cb8abcea71c1ae47ab308c6456ec3db2726fc9e110603b6cbf60d7cf02db1075e8d3df75454

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\activity-stream.discovery_stream.json.tmp

Filesize
32KB

MD5
981103202c08cabd20ce24f850cfdc9b

SHA1
308b0943058b38b3225b396267f1c86337fbd747

SHA256
e9f25bca1708c2f719f8325b6be58ef865cb17326c412724c42201b6f999d62f

SHA512
89444a6373c4a20764998e779b801defb430fd2e0aaccd454384e42a8dfe84053c621a48b3987df1b3a9d5a0f01c748771899487b803cd1ca3beac5f0dee72c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

Filesize
7KB

MD5
6f672cbbc86d127a92d50f686b99af9d

SHA1
64f45f3fa476d5997de880157e53d0a25b8c81e9

SHA256
f3919d03e534e94b4ad3182725c3278e2737eeb8cd75e48fa5708efc3a283afb

SHA512
2fac972eebf1643cc5e6c1bf3ce8163f25a7720922a2abd1623d9f5cb1ba29674557ddba60e0cda69245e71163b73bc0b2179ba88e88d11cd48f5890d4af5baa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

Filesize
7KB

MD5
79310fb3b2d76b23dd1248121fb11b11

SHA1
7665b8992718ac90e09c0b930b315989f868a7b5

SHA256
8b76c45c67b0524cc23f956d3081b5495e315f2b26b5558e70f568900ba9cb04

SHA512
6e505d922ca151dae283cef68408273a0aab7c135f32310daf03f283428b9353672c260df960eab110b42baffb71798fd90a2c32e89223c9bd6013827e458412

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
fd9c5e3e26c1860654682969cae2b38d

SHA1
3c769ce450ba4a548ba4127128660d3bb82559b4

SHA256
950f279d82de041e8a5ee6d3ca1967244cadfa4c6c6d1b6dd58ca7e763cab2c9

SHA512
8a72d0a11a79455bb7d980c022b23006bac8d86f41c8b136605befdcac2c6031787d8e89ea066aaf94c382a942e96c6467ecf23e225f5e82c2e4ca040971de3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1869824cbfe9c8fec6d87483f17147ef

SHA1
9c90081bc34d7361928804925a70b7dc1f2b22c4

SHA256
716b2e0be52ee70129fd90989dddba3896464d79cf737792ae308c7b234bbf79

SHA512
547fe1ede58c8ee61883f4be0a7c5efe88390e06986e3741d23a0e181764ebc3591bd9cdf2b88aa215da59e74cde001aed8f6f52ac9b688194f4c4f5bc4a877d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1469eb20424bb70e549a42429dd64bbf

SHA1
7d300710a4a161b3cc91d3cb4823a3fb4e23cd69

SHA256
58ec736ab596315c0004958b4132dc3790e60bcdfcb6c0fe927d8694748dc9e1

SHA512
aa14fd6d53e81a95d36e105b77d760d607a62f9405215284d41884c2b9d8b41f46b95d2ab0be8c09c158c7e3673e2f95f9bbc0c74181f256ab57ea30052a61a9

Download Submit
C:\Users\Admin\Downloads\AetherX.rar

Filesize
2.5MB

MD5
21062d8315cb6566c5d84dd33d953802

SHA1
c664ca0dc681e9e29c212e0cc8022c136e1c4d5e

SHA256
2375afc41938113688e63a5c7f5d6bddcfeb87cf41404e8e6bea7b3922759f06

SHA512
549663d95cd9d996e81c092d66ed1358bb8aebdb7fced40e81776248f55673ce1b5b1dab219ba4af83dec11c64cf01c8bf494c3317e97490703666305a8bc832

Download Submit