Resubmissions
12/09/2024, 17:31
240912-v3wn7swajq 3
12/09/2024, 17:29
240912-v2w9cawakf 8
12/09/2024, 17:28
240912-v2g5eswakb 3
12/09/2024, 17:11
240912-vqej6avfjg 8
12/09/2024, 17:09
240912-vpczyaveqb 3
12/09/2024, 17:08
240912-vnjq4avenc 3

Analysis
max time kernel: 78s
max time network: 78s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12/09/2024, 17:29
Static task: static1
Behavioral task: behavioral1
Sample: obraz_2024-09-12_190801491.png
Resource: win11-20240802-en
General
Target: obraz_2024-09-12_190801491.png
Size: 626KB
MD5: d395a4791b4ef58425cf268f12c6a53e
SHA1: 6e56ad53f72a10fea5ec528d18c485e9571e1798
SHA256: 3b1f9ee1e664702e254e6d05e00e489676ab196a56ff3a6904926e7b9dddd0c3
SHA512: 5c8bc703790cf75d3c37539c6f2df7b95ef4fdfe717218d663f51f5a919a68c31ab25f09a43f230ab23559b7ca711b065727a89e8092748f2d26f9970236aed4
SSDEEP: 12288:ytJJ2MRpKe1n5DEJVC5qiX8lypQ0hFCnjg7hX/mim/w:ydn5wzCgiXo4pMP4
Malware Config
Signatures
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  3 | raw.githubusercontent.com
  80 | raw.githubusercontent.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 12 IoCs, distinct entries shown)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings | firefox.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{D2E01158-D1EF-42A4-B8C5-5CFE35D4BCF9} | msedge.exe
- NTFS ADS (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 274625.crdownload:SmartScreen | msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs, distinct entries shown)
  pid | Process
  1608 | msedge.exe
  2660 | msedge.exe
  956 | msedge.exe
  236 | identity_helper.exe
  5004 | msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs, distinct entries shown)
  pid | Process
  2660 | msedge.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs, distinct entries shown)
  description | pid | Process
  Token: SeDebugPrivilege | 3568 | firefox.exe
- Suspicious use of FindShellTrayWindow (55 IoCs, distinct entries shown)
  pid | Process
  3568 | firefox.exe
  2660 | msedge.exe
- Suspicious use of SendNotifyMessage (14 IoCs, distinct entries shown)
  pid | Process
  2660 | msedge.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3568 | firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs, distinct entries shown)
  description | pid | Process | procid_target
  PID 4828 wrote to memory of 3568 | 4828 | firefox.exe | 86
  PID 3568 wrote to memory of 4592 | 3568 | firefox.exe | 87
  PID 3568 wrote to memory of 4640 | 3568 | firefox.exe | 88
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\cmd.exe (PID 2536)
  cmd /c C:\Users\Admin\AppData\Local\Temp\obraz_2024-09-12_190801491.png
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 4828)
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3568)
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4592)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fdf7c56-5bab-48d3-98a7-3129e1b1b605} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4640)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23636 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df47334d-a193-4ebc-87c9-e88511fa7058} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" socket
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3224)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1632 -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2696 -prefsLen 23777 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {210d9d18-8519-49fe-8d17-57833854fd31} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2460)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3244 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a144d1bb-ccf1-4eea-9bb7-23ffe3c3e557} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2392)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4772 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5631d9da-ebce-406b-bf53-daaf3c45e7ea} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" utility
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4444)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 5336 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6f3012a-bd88-4571-aa11-7533b5535091} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1008)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5556 -prefMapHandle 5564 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a5d0552-19a8-4eba-97b4-3c8731adb219} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4472)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 5 -isForBrowser -prefsHandle 5816 -prefMapHandle 5812 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd985bfe-dd9f-4600-967b-46bbe96bf8b2} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1884)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6256 -childID 6 -isForBrowser -prefsHandle 6248 -prefMapHandle 6244 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8996aac-4f9d-4e5e-ab70-02163acea50f} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2660)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4612)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffed6183cb8,0x7ffed6183cc8,0x7ffed6183cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1980)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1608)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1148)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4384)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3772)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1012)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4860)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 956)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 236)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1740)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4824)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5080)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5184 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5004)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3624 /prefetch:8
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4624)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1364)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4124)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2548)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2208)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 388)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1888)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1232 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1876)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2148)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,3596761863298016796,10606066769970102094,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe (PID 1764)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2032)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads