Analysis
- max time kernel: 61s
- max time network: 65s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/10/2024, 00:28
Behavioral task
- behavioral1
  Sample: FireFoxSetup.exe
  Resource: win7-20241010-en
General
- Target: FireFoxSetup.exe
- Size: 171KB
- MD5: 014b0ea8fe05df0fdea1710537dabe57
- SHA1: 91b47cd15009aceba1040cadabf3aa7cd6279a48
- SHA256: 340830c7cba818a4e94a7791432f6a3e29bf103ebb47c70a6cb61e53c0ee5b2a
- SHA512: 8503e8cd78442535226f41ba5d12dc0a20732940a24f865eb156ab9e75d6b4330bfdd10abba8add37713447317280f7b30f8c30bfb9f8642d15506a17e4d12d0
- SSDEEP: 1536:qDEV10wHVJKuuwhSMEFv9by6POwWTCs6se7llqn17KineXd2wVKtivEYoNRh8RXt:dfjhaFv9bjOwFsgbcUieNJqKoPC5+Ls
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 147.185.221.22:43768
- Mutex: 2bRkaANDDdoPipKE
- Install_directory: %AppData%
- install_file: FireFox.exe
Signatures
- Detect Xworm Payload 2 IoCs
  yara_rule family_xworm on behavioral2/memory/2444-1-0x0000000000240000-0x0000000000270000-memory.dmp
  yara_rule family_xworm on behavioral2/files/0x0013000000023a7c-256.dat
- Xworm family
- Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. In this run the four invocations are two Add-MpPreference -ExclusionPath calls (the dropper in %TEMP% and the copy in %AppData%) and two -ExclusionProcess calls (FireFoxSetup.exe and FireFox.exe); see the process tree.
  pid 4004 powershell.exe
  pid 2544 powershell.exe
  pid 4512 powershell.exe
  pid 4852 powershell.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (FireFoxSetup.exe)
- Drops startup file 2 IoCs
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.lnk (FireFoxSetup.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.lnk (FireFoxSetup.exe)
- Executes dropped EXE 1 IoCs
  pid 6140 FireFox.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FireFox = "C:\\Users\\Admin\\AppData\\Roaming\\FireFox.exe" (FireFoxSetup.exe)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry 2 TTPs 3 IoCs
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  All three hits come from msedge.exe, which runs at the top level of the process tree and not under FireFoxSetup.exe; they are browser behaviour, not the sample's.
- Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 768 schtasks.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs (repeated entries collapsed; count in parentheses)
  pid 4004 powershell.exe (2)
  pid 2544 powershell.exe (2)
  pid 4512 powershell.exe (2)
  pid 4852 powershell.exe (2)
  pid 2444 FireFoxSetup.exe (50)
  pid 5084 msedge.exe (2)
  pid 4000 msedge.exe (2)
  pid 3500 identity_helper.exe (2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  pid 4000 msedge.exe (10)
- Suspicious use of AdjustPrivilegeToken 7 IoCs
  Token: SeDebugPrivilege 2444 FireFoxSetup.exe
  Token: SeDebugPrivilege 4004 powershell.exe
  Token: SeDebugPrivilege 2544 powershell.exe
  Token: SeDebugPrivilege 4512 powershell.exe
  Token: SeDebugPrivilege 4852 powershell.exe
  Token: SeDebugPrivilege 2444 FireFoxSetup.exe
  Token: SeDebugPrivilege 6140 FireFox.exe
- Suspicious use of FindShellTrayWindow 25 IoCs
  pid 4000 msedge.exe (25)
- Suspicious use of SendNotifyMessage 24 IoCs
  pid 4000 msedge.exe (24)
- Suspicious use of SetWindowsHookEx 1 IoCs
  pid 2444 FireFoxSetup.exe
- Suspicious use of WriteProcessMemory 64 IoCs (source pid/process -> target pid (procid_target): entries)
  2444 FireFoxSetup.exe -> 4004 (89): 2
  2444 FireFoxSetup.exe -> 2544 (93): 2
  2444 FireFoxSetup.exe -> 4512 (95): 2
  2444 FireFoxSetup.exe -> 4852 (98): 2
  2444 FireFoxSetup.exe -> 768 (100): 2
  4000 msedge.exe -> 3664 (109): 2
  4000 msedge.exe -> 4948 (110): 40
  4000 msedge.exe -> 5084 (111): 2
  4000 msedge.exe -> 3892 (112): 10
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\FireFoxSetup.exe (PID 2444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FireFoxSetup.exe"
  Signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4004)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FireFoxSetup.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2544)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FireFoxSetup.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4512)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\FireFox.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4852)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FireFox.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 768)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FireFox" /tr "C:\Users\Admin\AppData\Roaming\FireFox.exe"
    Signatures: Scheduled Task/Job: Scheduled Task
- C:\Windows\System32\rundll32.exe (PID 2712)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4000)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3664)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa284c46f8,0x7ffa284c4708,0x7ffa284c4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4948)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5084)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3892)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4864)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1804)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1936)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3008)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4756)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3500)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2036)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4984)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5236)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5344)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5588)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5892)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6052)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2016,2214467534637940597,7421216317413124818,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5628 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe (PID 4484)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4360)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE (PID 6092)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x33c 0x4c0
- C:\Users\Admin\AppData\Roaming\FireFox.exe (PID 6140)
  Command line: C:\Users\Admin\AppData\Roaming\FireFox.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  The dropped copy runs at the top level of the tree, not as a child of FireFoxSetup.exe.
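The process tree and the extracted config together give a compact hunting recipe: derive the implant's install path from Install_directory and install_file, then look for the Add-MpPreference exclusions and the one-minute schtasks job that reference it. The Python below is an added example, not code from the Triage report or from XWorm. Its RECORDS list is constructed: the malicious rows reuse the command lines from the process tree above, the two benign rows are made up, and the field names (pid, parent, image, cmd) are a simplified stand-in for Sysmon Event ID 1 / Security 4688 fields. The assumption that the Run key name, task name and Startup .lnk stem all reuse the install_file stem holds for this report and is labelled as such in the code.

```python
"""Hunt for the TTPs in this report across process-creation records.

Added example for this page; not code from the Triage report or from XWorm.
RECORDS is constructed: malicious rows reuse the report's command lines, the
two benign rows are made up; the fields (pid, parent, image, cmd) are a
simplified stand-in for Sysmon Event ID 1 / Security 4688 (an assumption).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class XwormConfig:
    """Fields shown in the report's 'Malware Config' block."""
    version: str
    c2: str
    install_directory: str  # kept as the extractor prints it, e.g. %AppData%
    install_file: str


CONFIG = XwormConfig("5.0", "147.185.221.22:43768", "%AppData%", "FireFox.exe")

# Assumed environment of the sandbox VM (the report shows the user "Admin").
ENV = {"APPDATA": r"C:\Users\Admin\AppData\Roaming",
       "LOCALAPPDATA": r"C:\Users\Admin\AppData\Local"}


def expand_env(value, env):
    """Expand %NAME% tokens the way cmd.exe does (names are case-insensitive)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def expected_artifacts(cfg, env):
    """Host artifacts the config implies. Assumption (true for this report):
    Run key name, task name and Startup .lnk stem reuse the install_file stem."""
    stem = cfg.install_file.rsplit(".", 1)[0]
    return {
        "install_path": expand_env(cfg.install_directory, env) + "\\" + cfg.install_file,
        "run_key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + "\\" + stem,
        "task_name": stem,
        "startup_lnk": env["APPDATA"] + r"\Microsoft\Windows\Start Menu\Programs\Startup"
                       + "\\" + stem + ".lnk",
    }


MP_EXCLUSION = re.compile(
    r"""Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['"]?([^'"\s]+)""", re.I)
EXEC_BYPASS = re.compile(r"-ExecutionPolicy\s+Bypass", re.I)


def parse_schtasks(cmd):
    """Map schtasks switches to values: '/create /sc minute /mo 1 /tn "X"' ->
    {'create': True, 'sc': 'minute', 'mo': '1', 'tn': 'X'}; keys lower-cased."""
    switches = {}
    for m in re.finditer(r'/(\w+)(?:\s+(?:"([^"]*)"|([^/"\s]\S*)))?', cmd):
        switches[m.group(1).lower()] = (m.group(2) if m.group(2) is not None
                                        else m.group(3) or True)
    return switches


def hunt(records, cfg=CONFIG, env=ENV):
    """Return findings as (rule, pid, detail, matches_config) tuples."""
    install = expected_artifacts(cfg, env)["install_path"].lower()
    findings = []
    for rec in records:
        image, cmd, parent = rec["image"].lower(), rec["cmd"], rec["parent"].lower()
        if image.endswith("powershell.exe"):
            # Exclusions added from a command line; note whether the excluded
            # object is the implant path or file name from the config.
            for kind, target in MP_EXCLUSION.findall(cmd):
                on_implant = target.lower() in (install, cfg.install_file.lower())
                findings.append(("defender_exclusion", rec["pid"], f"{kind}={target}", on_implant))
            # -ExecutionPolicy Bypass launched by a binary running out of %TEMP%.
            if EXEC_BYPASS.search(cmd) and "\\appdata\\local\\temp\\" in parent:
                findings.append(("ps_bypass_from_temp_parent", rec["pid"], rec["parent"], False))
        elif image.endswith("schtasks.exe"):
            sw = parse_schtasks(cmd)
            action = str(sw.get("tr", ""))
            # A task re-run every minute, or one whose action is the implant path.
            if "create" in sw and (str(sw.get("sc", "")).lower() == "minute"
                                   or action.lower() == install):
                detail = (f"tn={sw.get('tn')} sc={sw.get('sc')} mo={sw.get('mo')} "
                          f"rl={sw.get('rl')} tr={action}")
                findings.append(("schtasks_persistence", rec["pid"], detail,
                                 action.lower() == install))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\FireFoxSetup.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
RECORDS = [  # constructed from the report's process tree; last two rows are benign and made up
    {"pid": 4004, "parent": DROPPER, "image": PS, "cmd": f'"{PS}" -ExecutionPolicy Bypass '
        r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FireFoxSetup.exe'"},
    {"pid": 2544, "parent": DROPPER, "image": PS, "cmd": f'"{PS}" -ExecutionPolicy Bypass '
        r"Add-MpPreference -ExclusionProcess 'FireFoxSetup.exe'"},
    {"pid": 4512, "parent": DROPPER, "image": PS, "cmd": f'"{PS}" -ExecutionPolicy Bypass '
        r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\FireFox.exe'"},
    {"pid": 4852, "parent": DROPPER, "image": PS, "cmd": f'"{PS}" -ExecutionPolicy Bypass '
        r"Add-MpPreference -ExclusionProcess 'FireFox.exe'"},
    {"pid": 768, "parent": DROPPER, "image": SCHTASKS, "cmd": f'"{SCHTASKS}" /create /f /RL HIGHEST '
        r'/sc minute /mo 1 /tn "FireFox" /tr "C:\Users\Admin\AppData\Roaming\FireFox.exe"'},
    {"pid": 9001, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": f'"{PS}" Get-MpPreference | Select-Object ExclusionPath'},
    {"pid": 9002, "parent": r"C:\Windows\System32\cmd.exe", "image": SCHTASKS,
     "cmd": f'"{SCHTASKS}" /create /sc daily /st 03:00 /tn "Backup" /tr "C:\\Backup\\backup.exe"'},
]

if __name__ == "__main__":
    for finding in hunt(RECORDS):
        print(finding)
```

Two of the four exclusion findings are flagged as matching the config (the %AppData% path and the FireFox.exe process name); the other two cover the dropper itself, which the config does not name. The schtasks rule fires on the one-minute interval alone, so it would still catch a variant that points the task at a different path; the config match is reported separately as a confidence boost rather than a precondition.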
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)
Downloads
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 152B
  MD5: ba6ef346187b40694d493da98d5da979
  SHA1: 643c15bec043f8673943885199bb06cd1652ee37
  SHA256: d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
  SHA512: 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
- Filesize: 152B
  MD5: b8880802fc2bb880a7a869faa01315b0
  SHA1: 51d1a3fa2c272f094515675d82150bfce08ee8d3
  SHA256: 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
  SHA512: e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
- Filesize: 6KB
  MD5: 7250f36c5ffcebe7bb99b2710b54a14a
  SHA1: b9e5d9b6856ebfa39a740561d6deb0360e4fe33f
  SHA256: 46a9e28074a5af75c2142f6032b1228dde52c9d326cbef879a84351aacde4335
  SHA512: d19a2daf909f11572f15bf81ee7b7f2ba5e54191cd0515edd472e6d3a4029c306a1da196c224f946a10b196c91191c9d0770c6f1f3d9270d9541f2b01a1666c5
- Filesize: 5KB
  MD5: 46e9c44782a9316883af8a3790652808
  SHA1: 62f6efe5c5ac3c23411f79b090bc436fbe8b0cfe
  SHA256: a6f8419b02e9a970daf4f611a48d686865096f37ee3848d7b40d4bf0093188b4
  SHA512: 53c2ad55f70961e40463f84409c73fa992ba5992e72b633d0f6e5857c83aefd9858cd18c75d7d6eda63a4744cf649a4d4d0c24c1d9b7eef214c9522bb810d412
- Filesize: 6KB
  MD5: 6af332c9c753dd569f896983242fdd8a
  SHA1: 2b1d1682d0c0b2c95f6b70087b61aaab978382bf
  SHA256: 2058d4befe21e278f4a7f82de6edcb241357b751c286347f71de316bf8e87062
  SHA512: 482f985f7400e6f6bedf7032fdfb6c143f5191813e49ca6ebca83bb07ad91b6a3e27f8bc27c8c688b40346b9130c3cdcbb3ec2ab68e586b26cb9727866b0b827
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: f323c86791a159b2cd4a47e93fa45b7e
  SHA1: f92f64c45fb4facc004cff51fe20e851a0a0a15f
  SHA256: ae68d6b044cccf81fc97fcd2440f3ea43ef83d50403a3c3d118216cbb158b878
  SHA512: fafdd029490b022e38e78e13f8f223e129604f6001e35aebe5c39f0501605bec67052bdaa9a03bc36835c8989e617051c1386ddc0e59d3d2da1f84c9899bafdd
- Filesize: 944B
  MD5: 2e907f77659a6601fcc408274894da2e
  SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
  SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
  SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
- Filesize: 944B
  MD5: 96e3b86880fedd5afc001d108732a3e5
  SHA1: 8fc17b39d744a9590a6d5897012da5e6757439a3
  SHA256: c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294
  SHA512: 909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d
- Filesize: 944B
  MD5: 5cfe303e798d1cc6c1dab341e7265c15
  SHA1: cd2834e05191a24e28a100f3f8114d5a7708dc7c
  SHA256: c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
  SHA512: ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 171KB (same hashes as the submitted FireFoxSetup.exe, i.e. the dropper copies itself unchanged)
  MD5: 014b0ea8fe05df0fdea1710537dabe57
  SHA1: 91b47cd15009aceba1040cadabf3aa7cd6279a48
  SHA256: 340830c7cba818a4e94a7791432f6a3e29bf103ebb47c70a6cb61e53c0ee5b2a
  SHA512: 8503e8cd78442535226f41ba5d12dc0a20732940a24f865eb156ab9e75d6b4330bfdd10abba8add37713447317280f7b30f8c30bfb9f8642d15506a17e4d12d0