65eafad4d7c7808676f40dbd8b59aeebb0390a2538986cb21f092678b638b93a

Analysis

max time kernel
135s
max time network
150s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12/08/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tq3fqbvf 5qnf.exe
Size

94KB
MD5

a7643575616364073bd6d1f0b45bb7fe
SHA1

b01979dc3ca697f0d66b77d8d9b5718a79ad5e1c
SHA256

65eafad4d7c7808676f40dbd8b59aeebb0390a2538986cb21f092678b638b93a
SHA512

1203a7da63f4a7c471aa61a0c5ecfcaddc1997de006455faab3ed6b643a0103d8ae834e886ad0e1c03831ee593ede609575bd1a5b762de17b23934980fe4eb2e
SSDEEP

1536:R0sJp/WPtmzgTWsWz8iVBWAXgKvKAlEsu/LrgKf7t2NixSrmRUaGsIKBj:Ks//sTWDlvPKAr8P7t5pUf4j

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3112	powershell.exe
4888	powershell.exe
4580	powershell.exe
5216	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows host process.lnk	tq3fqbvf 5qnf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows host process.lnk	tq3fqbvf 5qnf.exe

Executes dropped EXE 2 IoCs

pid	Process
5932	Windows host process.exe
5592	Windows host process.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows host process = "C:\\Users\\Admin\\AppData\\Roaming\\Windows host process.exe"	tq3fqbvf 5qnf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3112	powershell.exe
3112	powershell.exe
3112	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
5216	powershell.exe
5216	powershell.exe
5216	powershell.exe
5216	powershell.exe
4880	tq3fqbvf 5qnf.exe
4880	tq3fqbvf 5qnf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	tq3fqbvf 5qnf.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeIncreaseQuotaPrivilege	3112	powershell.exe
Token: SeSecurityPrivilege	3112	powershell.exe
Token: SeTakeOwnershipPrivilege	3112	powershell.exe
Token: SeLoadDriverPrivilege	3112	powershell.exe
Token: SeSystemProfilePrivilege	3112	powershell.exe
Token: SeSystemtimePrivilege	3112	powershell.exe
Token: SeProfSingleProcessPrivilege	3112	powershell.exe
Token: SeIncBasePriorityPrivilege	3112	powershell.exe
Token: SeCreatePagefilePrivilege	3112	powershell.exe
Token: SeBackupPrivilege	3112	powershell.exe
Token: SeRestorePrivilege	3112	powershell.exe
Token: SeShutdownPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeSystemEnvironmentPrivilege	3112	powershell.exe
Token: SeRemoteShutdownPrivilege	3112	powershell.exe
Token: SeUndockPrivilege	3112	powershell.exe
Token: SeManageVolumePrivilege	3112	powershell.exe
Token: 33	3112	powershell.exe
Token: 34	3112	powershell.exe
Token: 35	3112	powershell.exe
Token: 36	3112	powershell.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4652	firefox.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeIncreaseQuotaPrivilege	4888	powershell.exe
Token: SeSecurityPrivilege	4888	powershell.exe
Token: SeTakeOwnershipPrivilege	4888	powershell.exe
Token: SeLoadDriverPrivilege	4888	powershell.exe
Token: SeSystemProfilePrivilege	4888	powershell.exe
Token: SeSystemtimePrivilege	4888	powershell.exe
Token: SeProfSingleProcessPrivilege	4888	powershell.exe
Token: SeIncBasePriorityPrivilege	4888	powershell.exe
Token: SeCreatePagefilePrivilege	4888	powershell.exe
Token: SeBackupPrivilege	4888	powershell.exe
Token: SeRestorePrivilege	4888	powershell.exe
Token: SeShutdownPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeSystemEnvironmentPrivilege	4888	powershell.exe
Token: SeRemoteShutdownPrivilege	4888	powershell.exe
Token: SeUndockPrivilege	4888	powershell.exe
Token: SeManageVolumePrivilege	4888	powershell.exe
Token: 33	4888	powershell.exe
Token: 34	4888	powershell.exe
Token: 35	4888	powershell.exe
Token: 36	4888	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeIncreaseQuotaPrivilege	4580	powershell.exe
Token: SeSecurityPrivilege	4580	powershell.exe
Token: SeTakeOwnershipPrivilege	4580	powershell.exe
Token: SeLoadDriverPrivilege	4580	powershell.exe
Token: SeSystemProfilePrivilege	4580	powershell.exe
Token: SeSystemtimePrivilege	4580	powershell.exe
Token: SeProfSingleProcessPrivilege	4580	powershell.exe
Token: SeIncBasePriorityPrivilege	4580	powershell.exe
Token: SeCreatePagefilePrivilege	4580	powershell.exe
Token: SeBackupPrivilege	4580	powershell.exe
Token: SeRestorePrivilege	4580	powershell.exe
Token: SeShutdownPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeSystemEnvironmentPrivilege	4580	powershell.exe
Token: SeRemoteShutdownPrivilege	4580	powershell.exe
Token: SeUndockPrivilege	4580	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4652	firefox.exe
4652	firefox.exe
4652	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4652	firefox.exe
4880	tq3fqbvf 5qnf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 3112	4880	tq3fqbvf 5qnf.exe	76
PID 4880 wrote to memory of 3112	4880	tq3fqbvf 5qnf.exe	76
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4356 wrote to memory of 4652	4356	firefox.exe	78
PID 4652 wrote to memory of 3536	4652	firefox.exe	79
PID 4652 wrote to memory of 3536	4652	firefox.exe	79
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 1732	4652	firefox.exe	80
PID 4652 wrote to memory of 984	4652	firefox.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tq3fqbvf 5qnf.exe
"C:\Users\Admin\AppData\Local\Temp\tq3fqbvf 5qnf.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tq3fqbvf 5qnf.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'tq3fqbvf 5qnf.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows host process.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows host process.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5216
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows host process" /tr "C:\Users\Admin\AppData\Roaming\Windows host process.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.0.1885592154\1981893983" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1684 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6805cfa3-aaaa-4332-aa6e-4c21c73174e4} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 1788 1f93a7d5458 gpu
    3⤵
    PID:3536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.1.2102554181\1199298823" -parentBuildID 20221007134813 -prefsHandle 2148 -prefMapHandle 2144 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b257e44-47e4-49fc-a6c4-e5d010458dc6} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 2184 1f92f7e2458 socket
    3⤵
    PID:1732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.2.1919002206\2015542897" -childID 1 -isForBrowser -prefsHandle 2864 -prefMapHandle 2860 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70203157-dd42-45c9-9c49-ee738a2f2e5e} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 2836 1f93e99c158 tab
    3⤵
    PID:984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.3.198202940\960944965" -childID 2 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ff1ba76-9ea0-492a-b4af-e3640e8ac357} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 3060 1f93e0c9e58 tab
    3⤵
    PID:4612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.4.1748025614\1929754695" -childID 3 -isForBrowser -prefsHandle 3692 -prefMapHandle 3792 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d25b1a65-d503-4321-b371-e495736672aa} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 3652 1f93fc91058 tab
    3⤵
    PID:5080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.5.1716379306\1902473618" -childID 4 -isForBrowser -prefsHandle 4960 -prefMapHandle 4952 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0e2fed4-dfe2-44e6-918b-84f65892ffaa} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 4816 1f92f766858 tab
    3⤵
    PID:4984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.6.268840941\1854761481" -childID 5 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5824b18c-b2c3-47e4-8252-06fffffb5bb8} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 1628 1f93f770258 tab
    3⤵
    PID:2052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.7.1906439352\1363745373" -childID 6 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8931d37f-6279-44e6-a355-cef400cab930} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 5212 1f94105cb58 tab
    3⤵
    PID:3900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.8.1357105658\728478465" -parentBuildID 20221007134813 -prefsHandle 5736 -prefMapHandle 5720 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96264400-495e-4398-98ba-baaa9cc3a1c8} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 5748 1f943049958 rdd
    3⤵
    PID:5964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.9.1141197065\1665215743" -childID 7 -isForBrowser -prefsHandle 5896 -prefMapHandle 5868 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4788a0ba-815c-4106-af86-ea2e5f3b3e35} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 5684 1f942f96558 tab
    3⤵
    PID:6044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.10.1941864941\2079548792" -childID 8 -isForBrowser -prefsHandle 5896 -prefMapHandle 6048 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a78ccc87-0ccc-4d50-952a-97e76639fbac} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 6104 1f9432e6558 tab
    3⤵
    PID:5472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.11.1605218017\1837341632" -childID 9 -isForBrowser -prefsHandle 6268 -prefMapHandle 6272 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d226e2b3-318e-493c-bfa9-ccd260b326fe} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 6252 1f9432e6e58 tab
    3⤵
    PID:5488

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:4580

C:\Users\Admin\AppData\Roaming\Windows host process.exe
"C:\Users\Admin\AppData\Roaming\Windows host process.exe"
1⤵
- Executes dropped EXE
PID:5932

C:\Users\Admin\AppData\Roaming\Windows host process.exe
"C:\Users\Admin\AppData\Roaming\Windows host process.exe"
1⤵
- Executes dropped EXE
PID:5592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows host process.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d72db63dec8b8e84e8a1155e8e0ca96

SHA1
b4728a0fc4a47592806b3da1d30eb0291c4d05d1

SHA256
a1e91ce3b1f6b419c88a0b371225a6fac03881b39c8184bf2ff65129a00ed6d2

SHA512
5aef675942f6157ab2d678c7ce800360488c0948be42577574afec0486c5ce903802e4971b80ede2fddb131b8ac8c81b022233f88b0210cdc7835739465f1c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8454db355d4fa6f4375ee256c3cb8815

SHA1
f61eef4cb532963ca394fe38710caf1d39c417b5

SHA256
343bed0045799d025c180d186c51e2163d58bb431f82b54470d54bc21f97b35e

SHA512
cf7f8c08985d8fd3b747a592da6609c18abcac3481acd06444d234857a37346ed6113c436ab4628f48219b065bf0e8ad4ba0b4b15a97518a55132c754a5a39f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f44d140050ae99e104da8b6bbf0709a0

SHA1
1654c1da883e97e7434bd824515dc98e7652c344

SHA256
31d26e2a0f6702379aba30c1b1cb43ffbbc366ab4cc1b44116bc7885e8a24e27

SHA512
c751a27af615bd4ffb2d78d68e20764545d39723a0e4d3560b86ddf572e6b76256270241ba1f060bfe1da47248ddfc765c72ce2fff681c1eac2ffd98dbe5ca03

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_320kgsvf.zlt.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e1295c804378c62fc7ab6fdf10b1c2a1

SHA1
3ae330d5944c58ce688314937e5d505d7c3de7cc

SHA256
83d7b0552a6b04f5c915b29be1da1cbacaac5f5d7d698ba36829a9e26bd489f2

SHA512
05458c0b31897aca4df5e8a01591d03071b4063fd6f99c8c74e4835d52fab72414cc94973940d8e9b8a09c8a3ebe6c1318615fe7884b7d57d3475ed2702e1d81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\55b64933-b754-4ec9-8efd-70b1c34ef754

Filesize
746B

MD5
36f403a7366e55f4fd10a217f0a99cfd

SHA1
8b244aa0601365637e740b791f2fbcadf01ad45a

SHA256
b90b047ba761539e401307af3633eccfe8806a0a868c1e9976208fa0fd830c8d

SHA512
29c31cd5f06de0043f3fca8464de11b97885da15524caded6d3b161c7edcbe6ff9a387b2bed162e32450a0807690e6a4899196e69bcb5fa0a29c446f7d616b51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7ecc5f55-9e1d-415c-b05f-aa732813cc2b

Filesize
9KB

MD5
7f2dc432193681e57202a58f6bf41c89

SHA1
9ba79980c4b894f7141d1f3df276cc51d2d8221e

SHA256
adda99903e6562a7c207f10e218cf85f8aa94afc1ac47491298f7099c4a6d335

SHA512
2f646199a0e4671e8f7c86a567008d6834b0f1874a63b933819f25808eb760ac486a4822c85370eecfbcd5eb9efd38c20ff71fbab3fe11b0f80a344dc28d786d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
12fe201ee49ebce003aa68830ca7118c

SHA1
61047a5e6be8dea545e6ca529111d2f73d24fd6c

SHA256
d474d70d3391b1b77f1f97f1fe48fc7386de231af0a1448143007578969cd451

SHA512
4c23e358d5adbdd5e10896365c47cee3fc1267ee38caf31cd7a2b7ccd911fb04517fadebffec52ba13cea1bfb4bfd0eaaedd7f26cfb1de19dd4cd22592226d48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
480e4d077eb4a49c601dbfb9a18679d7

SHA1
35eb8670e8ba061a0d30157cd2c05f14fc084e43

SHA256
0434b12a470f98713b37934ec5d21e6dd40dcaf020556f24575011b6bb72cb41

SHA512
1dbd74d682658a583220b17c57db06eaf71898d374b0062e8cbf014534f792708c293071f64e1f9d7cfb2d4f9314b087c8e00b652d305a8dffc989a2bc7f59d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
804ca9d40cf64f15ed382c3920f4b4ea

SHA1
46c67a516378127cc767f0d98bfcfd87c2591b1a

SHA256
4b5f5234536164db4a7ca30b785b8ba60957e6c9871a5d46d046c4df21a28d18

SHA512
52ca6a9ce165799bb821560cf26233552aff71321c5d6acba2067ae419d964de56e34923be86af59c1c2d03b1a652f97416f5fb8bf38773d81af72f9531122ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
0f2ec4e568586d3411bbea08dfdc65a2

SHA1
d2b2cdc89526a8483e87f7ea353a1f6700ed6f47

SHA256
399bd62550b05df4877ca63407b0a77212165b3cf4d14330b0883315112804e1

SHA512
f7f70337aa7e44d729717586f0e7acd4403d17f0ab4edef3dc621c48bc7bf0161772381af63bccc89537fd39e457e0b12dd530577e69181be6313c9e28aef8b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
59b7dd86bf13c429bac6410140953772

SHA1
d924dcc446e3adbf490757c3aaf47d383a227a3a

SHA256
7c33bd1221447352b6252f44bf4a6833a5ca95c5656cb0f1a1e6c44d89ae6541

SHA512
9825dd8813a07178f4ea92053db170480403319f10ae0dacb029303bf9506d0cf6078044a222c9bebc80e9924c158e03ec7326a89f7b0a793ab62a128e3e9667

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
5a72533a39a5401872a2bacde9b39c8c

SHA1
d9eeea4e6d16084abcf9a201414c946ed76bfd29

SHA256
dd34e62b91ac4b0cd5f0d836ca340d7fabfae48dca5c9c97a2005e42cd8217dd

SHA512
95f643841c5ff28c2c2a917cdfedf2cf5dbfe0a457c4db551db0ed702080305befb9d81519ac7d310a1f0635e07b2b466ae6ec34aeb0571dfb152ca5e2cefa87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
53e8150d1e73a73de2b8ced3cfee311c

SHA1
ddc3520a499fac444f72116a7149cd8ab3edc891

SHA256
1b694088a3e2bed083760a229d767849cda28d3dc34afce0b0b34a285b67695b

SHA512
274e6bfec2501c828df056878004fc0f1d03d8ca7438209c37cd4262a2418854948f7d12068529f47f2535a4fc5dc1eb797853f0040cd3b978f0c019685b7fb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
cff01c8a3c3b13770e0529fe781c3dc3

SHA1
5916f19bbbc8edb0ef81377785b479a5a5e3f52f

SHA256
3fe693d5b8701b6e0030aab797ce44838853d1b767339a6743eff6abe36eac8f

SHA512
7899a69465e35e2dbdf327ac176b5d7add416f54e575c2c6b9e9a1fdbbffd3a66b2aca844d0b81ef22641ba8aec32780359ef234603114d12c6638d3914effcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
ab9c2e33957626fb1d66b17bba15495f

SHA1
a01d6c155641aab825a9382ca084e8d426d5a037

SHA256
689b93b2dd475128ca0803841d462d8de87c06d1ef0429ee708f36d373c79aee

SHA512
9c820bdc66c906a65e1f4e8be31be676a4cc060b36466e7b0583828cd434d053b2212972988cd7e20ac8b71c90bdbcf8112d9576aad56019c3019f0ef35b84ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++www.pornhub.com\cache\morgue\195\{ac2b0cbc-de4e-4c9a-8bd8-18f8f81fd5c3}.final

Filesize
456B

MD5
4849126d62348e96de9f534891ee372c

SHA1
04208116ad7cb0edcb2c7c754042554104172d10

SHA256
92930e52c17a5e42a09f648d090ba0e48384fe2b6f4f6b3e3fc70bd8a0e6ac5d

SHA512
bd7769637a8707a21027e442faf6911019a2c731bff17fc11b9da0b74490162ea4eba2fca41942a7c114cc75ab1941f208c1fcc789bdc0a594b5ed269f6e6f25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
7f868e557b098795d645df9ea302427f

SHA1
001f3306144559b4049a8ab139b4139f51e59c0e

SHA256
b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

SHA512
56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows host process.exe

Filesize
94KB

MD5
a7643575616364073bd6d1f0b45bb7fe

SHA1
b01979dc3ca697f0d66b77d8d9b5718a79ad5e1c

SHA256
65eafad4d7c7808676f40dbd8b59aeebb0390a2538986cb21f092678b638b93a

SHA512
1203a7da63f4a7c471aa61a0c5ecfcaddc1997de006455faab3ed6b643a0103d8ae834e886ad0e1c03831ee593ede609575bd1a5b762de17b23934980fe4eb2e

Download Submit
memory/3112-19-0x00000260A1A90000-0x00000260A1B06000-memory.dmp

Filesize
472KB

Download
memory/3112-12-0x00000260A19E0000-0x00000260A1A02000-memory.dmp

Filesize
136KB

Download
memory/3112-11-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

Filesize
9.9MB

Download
memory/3112-9-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

Filesize
9.9MB

Download
memory/3112-10-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

Filesize
9.9MB

Download
memory/3112-128-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

Filesize
9.9MB

Download
memory/4880-2-0x00000000020C0000-0x00000000020F2000-memory.dmp

Filesize
200KB

Download
memory/4880-0-0x00007FFA64193000-0x00007FFA64194000-memory.dmp

Filesize
4KB

Download
memory/4880-4-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

Filesize
9.9MB

Download
memory/4880-3-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/4880-441-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

Filesize
9.9MB

Download
memory/4880-437-0x00007FFA64193000-0x00007FFA64194000-memory.dmp

Filesize
4KB

Download
memory/4880-1-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download