2e29359adc345fbef1d0a2f082d441d600d9c616586303938609d025e8ac98fb

Analysis

max time kernel
148s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FreeSpoofer/AppleCleaner [I DO NOT OWN IT].exe
Size

3.6MB
MD5

f96eb2236970fb3ea97101b923af4228
SHA1

e0eed80f1054acbf5389a7b8860a4503dd3e184a
SHA256

46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
SHA512

2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7
SSDEEP

98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AppleCleaner [I DO NOT OWN IT].exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AppleCleaner [I DO NOT OWN IT].exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 63004f00640048005300200020002d002000330000000000	AppleCleaner [I DO NOT OWN IT].exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1132-0-0x00007FF712050000-0x00007FF7129F2000-memory.dmp	themida
behavioral1/memory/1132-4-0x00007FF712050000-0x00007FF7129F2000-memory.dmp	themida
behavioral1/memory/1132-3-0x00007FF712050000-0x00007FF7129F2000-memory.dmp	themida
behavioral1/memory/1132-2-0x00007FF712050000-0x00007FF7129F2000-memory.dmp	themida
behavioral1/memory/1132-5-0x00007FF712050000-0x00007FF7129F2000-memory.dmp	themida
behavioral1/memory/1132-6-0x00007FF712050000-0x00007FF7129F2000-memory.dmp	themida
behavioral1/memory/1132-171-0x00007FF712050000-0x00007FF7129F2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AppleCleaner [I DO NOT OWN IT].exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AppleCleaner [I DO NOT OWN IT].exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1132	AppleCleaner [I DO NOT OWN IT].exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1820	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	AppleCleaner [I DO NOT OWN IT].exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	AppleCleaner [I DO NOT OWN IT].exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	AppleCleaner [I DO NOT OWN IT].exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	AppleCleaner [I DO NOT OWN IT].exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	AppleCleaner [I DO NOT OWN IT].exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "4d93c25d-0a9b85a4-7"	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	AppleCleaner [I DO NOT OWN IT].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	AppleCleaner [I DO NOT OWN IT].exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	AppleCleaner [I DO NOT OWN IT].exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "9fc118b5-ac1e72b2-f"	AppleCleaner [I DO NOT OWN IT].exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4324	taskkill.exe
3764	taskkill.exe
1104	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1132	AppleCleaner [I DO NOT OWN IT].exe
1132	AppleCleaner [I DO NOT OWN IT].exe
3044	msedge.exe
3044	msedge.exe
4748	msedge.exe
4748	msedge.exe
748	identity_helper.exe
748	identity_helper.exe
4688	msedge.exe
4688	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	4240	firefox.exe
Token: SeDebugPrivilege	4240	firefox.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe
4240	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4240	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 3564	1132	AppleCleaner [I DO NOT OWN IT].exe	81
PID 1132 wrote to memory of 3564	1132	AppleCleaner [I DO NOT OWN IT].exe	81
PID 3564 wrote to memory of 3764	3564	cmd.exe	82
PID 3564 wrote to memory of 3764	3564	cmd.exe	82
PID 1132 wrote to memory of 1820	1132	AppleCleaner [I DO NOT OWN IT].exe	84
PID 1132 wrote to memory of 1820	1132	AppleCleaner [I DO NOT OWN IT].exe	84
PID 1820 wrote to memory of 1104	1820	cmd.exe	85
PID 1820 wrote to memory of 1104	1820	cmd.exe	85
PID 1132 wrote to memory of 1764	1132	AppleCleaner [I DO NOT OWN IT].exe	86
PID 1132 wrote to memory of 1764	1132	AppleCleaner [I DO NOT OWN IT].exe	86
PID 1764 wrote to memory of 4324	1764	cmd.exe	87
PID 1764 wrote to memory of 4324	1764	cmd.exe	87
PID 1132 wrote to memory of 2312	1132	AppleCleaner [I DO NOT OWN IT].exe	88
PID 1132 wrote to memory of 2312	1132	AppleCleaner [I DO NOT OWN IT].exe	88
PID 2312 wrote to memory of 4748	2312	cmd.exe	89
PID 2312 wrote to memory of 4748	2312	cmd.exe	89
PID 4748 wrote to memory of 4352	4748	msedge.exe	92
PID 4748 wrote to memory of 4352	4748	msedge.exe	92
PID 1132 wrote to memory of 3940	1132	AppleCleaner [I DO NOT OWN IT].exe	93
PID 1132 wrote to memory of 3940	1132	AppleCleaner [I DO NOT OWN IT].exe	93
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 788	4748	msedge.exe	94
PID 4748 wrote to memory of 3044	4748	msedge.exe	95
PID 4748 wrote to memory of 3044	4748	msedge.exe	95
PID 4748 wrote to memory of 2748	4748	msedge.exe	96
PID 4748 wrote to memory of 2748	4748	msedge.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FreeSpoofer\AppleCleaner [I DO NOT OWN IT].exe
"C:\Users\Admin\AppData\Local\Temp\FreeSpoofer\AppleCleaner [I DO NOT OWN IT].exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Battle.net.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://applecheats.cc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa039d3cb8,0x7ffa039d3cc8,0x7ffa039d3cd8
      4⤵
      PID:4352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9443703844998930219,13741049998889974674,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
      4⤵
      PID:788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,9443703844998930219,13741049998889974674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,9443703844998930219,13741049998889974674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
      4⤵
      PID:2748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9443703844998930219,13741049998889974674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      PID:2336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9443703844998930219,13741049998889974674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
      4⤵
      PID:832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9443703844998930219,13741049998889974674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
      4⤵
      PID:1764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9443703844998930219,13741049998889974674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:2872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9443703844998930219,13741049998889974674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
      4⤵
      PID:1428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,9443703844998930219,13741049998889974674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,9443703844998930219,13741049998889974674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:3940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4404
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e03a825d-3698-465e-9e62-c24aeb9c8e98} 4240 "\\.\pipe\gecko-crash-server-pipe.4240" gpu
    3⤵
    PID:1120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {197bf3ed-b94e-4eed-8aed-fe583bd713dc} 4240 "\\.\pipe\gecko-crash-server-pipe.4240" socket
    3⤵
    PID:988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 3152 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14bcf4d8-77e2-4394-b7c0-3fef959bfb4a} 4240 "\\.\pipe\gecko-crash-server-pipe.4240" tab
    3⤵
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3596 -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 2672 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e3548a6-facc-42c9-9935-3f6e5cb21289} 4240 "\\.\pipe\gecko-crash-server-pipe.4240" tab
    3⤵
    PID:3580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4672 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4664 -prefMapHandle 4660 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c636e0f2-de4a-4101-a69e-34c3a0382b58} 4240 "\\.\pipe\gecko-crash-server-pipe.4240" utility
    3⤵
    - Checks processor information in registry
    PID:4924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8872d2ac-a9ec-4ebb-a6e9-19c8ddc1239c} 4240 "\\.\pipe\gecko-crash-server-pipe.4240" tab
    3⤵
    PID:2616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5416 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7020507c-f442-4827-a659-49b35f5614d8} 4240 "\\.\pipe\gecko-crash-server-pipe.4240" tab
    3⤵
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d9000d6-8a8c-469a-968f-3748b77b1d07} 4240 "\\.\pipe\gecko-crash-server-pipe.4240" tab
    3⤵
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
73368a7dac2c911dd47755717dfc73de

SHA1
78d2f791bedd781d5e0f0e5f953a332256d44bec

SHA256
46389b40069b441878d3628c57b387ec504e208ac52aeda910e334bb0d8226e3

SHA512
902ba17b1f63169bbae6dae9158235701f23172df1d04c51e62b0faa6046a5a7dddf9ce0c34d897820a86ac4c7544f66dc256430a5273e3d492fd49da57d48a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
554B

MD5
cd0f2441cdd06dc6392722d580d289ae

SHA1
1411048ae2ac8630747abf1be7c914ea1e5580a1

SHA256
8d101475153f1642627779aa281e15d9581e6b914686e711b80ef8f2c42de658

SHA512
8eb876b4a8a7ca4eb3d3bd78397241ae3b1cdf37c28058ddefb1f0aac06022456345a9fd43eb10c32b6547297a8cc26a2baaaf085715a1f4df7f915a49b90ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9fc312ff96f328d1a7943064f1c83305

SHA1
533939539463d9647e82b0264a9c319e92fc78de

SHA256
d215ae4fe5304c8643c218e281e3bcd28088c37c8455467a516d219fb8efeaf2

SHA512
0b42bf44e785708c1403973f5203947a888ba18c462806fdb4156bb81b1521ea1657dd3505a05f79a41118ec0cc967871e7ddd09ddb994a728fcc036a59e2975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e148b53fa3ffe7f7e1f24034eb518a11

SHA1
75cc445265ba1e0ae6a931c5246f3184fadb4aa2

SHA256
2a790f82059988858e640480bd7ae4fafc4e339daa831c9001726f4e220a83f3

SHA512
a97368899df128e04fa2abd3de7415c787dd6aa3b574e462a810fd19feadc275732d0a61f86d74402cfe347f67e62f273d837594b40e4809123614f1ade89ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c186a4344346391deeca2a8cb7b22536

SHA1
1fa7f581b5f513b3dc186236f5eb0bb7fa2c960d

SHA256
e5835b274127b8e99c345b2c9672ed2e294fe27933009d7d412f199ae7337c22

SHA512
d4d9515d5eaff346f5dbc971aea5048ff1b99ed03e6494fa66d5d8c419158958bbdd91f60281e57d465117952b8f52fedba692e6c014db1d32ca05a6b1bb21bb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
2a400ed5b917880ba11e6c7cf8c44c95

SHA1
be96c6cb0904eeb9f9cf6bc8e00f094d22aac3f2

SHA256
a62fb099e157104c4eaaac6cc44c6a8ba2d315664f6a8b96d0023ebb40f264d0

SHA512
c1265172df771b67e5ee158d5f5ec24cce73f93510a72312e9ca863c3bd7e5e9c9362753dafafc0854fe035c25283877198077ed71ef626d0bbf23521de1b7ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\AlternateServices.bin

Filesize
6KB

MD5
4a5db8fc7e742429ec1e7225d9b14abe

SHA1
c2d0a1b947708a743216f95c0870f76df08d3986

SHA256
29ca58a5af4018046b5be71a20a43928203407724bc11834f801221410518bef

SHA512
8eab36ede0507d7745ec0b8d2f2a691f5a6e541352312f96ca7bf88f9dcbaa2ccd3b4ec17cacc4e5fea216985ff7f4cb7b14b585c67b3f8fc7c595fd1e919a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
653c8902eeb463cff11f05a9d44e1297

SHA1
c0613087f6e9a520ed6482354285c8045aaf510e

SHA256
6e321adef96ff80f39dd796f204616389307923a7072d855abdd0a5871b91ceb

SHA512
c90b907339974b6a2bca73b1edd0410669dec9dc7860803fee4b9ea5906484d749680a22fae669c4d01d7af6f00677244cf3b5b705cd1049c4c26c676eff394b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
19e6a2a1550667c3bf66c11608fd50fb

SHA1
0846cb354634052df755cd24f72bdeb405dfa370

SHA256
0367896b8b8ea5896f0a6012fa68e6ad1c276fc90ce356d38e64a2673916d140

SHA512
8fe05648dfcbea8b7783537a7c3f40ba5a85b0713451dba94a486ba8bc3284bb4d0236e964f0ef1096b86c4b817d338ac8c8298f1f22b426bc84c8ea99c3ed5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
54be6ba12aaf7603c44013f1bd6704f6

SHA1
96069b77b186ba0a43dc87b602c4080cbbfee06c

SHA256
5bf902a0eba27fc30efd6bbd91c571e53e9f09c95db05557a3549aa2f4902844

SHA512
7d33a4741648f98e5f1584307b4d968d083f2ebf713df9390796ef4caa007516c7161f3ea40dd0b52765c5e93d7293c36779287c8bb03aaa6345bed345ff89d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ccb7412863c8d2a9a5c394b76be1962e

SHA1
39e1373aeb5531f77ab4fa38062a4abecf9bdf2f

SHA256
7667d632359ec47c76c541930a7456e5617463e331d6396a168b2d5149ca569f

SHA512
8d50e002fc9ad99bfbfad72970dca586cdf16ec1d69a6ee128b7d9d763c696f8514279ca631162526456225b3e3e9cbc6ba0903e597eed881ed57023411f3b74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\adac0032-8bf8-4114-9f2d-97fd3aece982

Filesize
671B

MD5
74cfba3a4e9d59145a3c4173ad4dbb23

SHA1
f7e707f2e6dd02224b45f4918756ee272987f7ab

SHA256
0fa10e09b63bc79aee2b749599082f45e91de9548f4fab47d0a6a6e3d35642de

SHA512
0f4cc3ef5b96f770e20362bcd180591f345202da9412c12c178c48f9686f97f07f3b9d9fcc34fb3c93fdfbab419a511633c2375ab4e5cd75a6d1cf4ac5ee41a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\b21e43ce-90e1-42a8-bb0c-83460ef8552a

Filesize
982B

MD5
7add46ca82463b7a4ce446ace8a383fa

SHA1
1c14ed4f9bbb2a3ff83f8e93830b5c1acce800a3

SHA256
e7846ad41dd5107ed43e1d8d2ae3cdf56694ec1c715c3afa46768dd52bd4774f

SHA512
35007cf932cb69841329ff53cb827c15b023193b8720e1707c2e6e176d337452bfab087153b16cb34a7353861be6384959ddaf8a266ee097e1bcf6bb81038b88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\b87b0f2a-2096-43e4-865a-49109d65bdef

Filesize
23KB

MD5
8a046830fdc279e263886a6e4c9d9ccd

SHA1
cd0eafd731e60dc7db00790923e87d5a61b6513f

SHA256
f6f130a35e277be1fb4a952ac266b3834dca903d926d8edf5fdcff931a8a7016

SHA512
07ebe0f16e5e9647c1877dcce9952454df3e1ee54377e84837da6eb5af516eed855bc55d2ac09e46a25e57293473ed52387f5ab0d07c8774639533983e91ce13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs.js

Filesize
10KB

MD5
c622b8d5ade0eb73d719eff0f8f2dcd3

SHA1
48731f808cfe364c6c85505b7f823e06078ff172

SHA256
51ddea2e5da5fa8967fad1b3203cf669cc979dfdb64297e06ebfbb44a7779d44

SHA512
9bc80b25362dd8abc037881b2e8892ebb4d9a842e06d1fd133515d7cfff02084464ca6160b2db72d18e8f217177ef25b93db54dca8d95c2690a84c0d66d94bb1

Download Submit
memory/1132-3-0x00007FF712050000-0x00007FF7129F2000-memory.dmp

Filesize
9.6MB

Download
memory/1132-171-0x00007FF712050000-0x00007FF7129F2000-memory.dmp

Filesize
9.6MB

Download
memory/1132-1-0x00007FFA13287000-0x00007FFA13289000-memory.dmp

Filesize
8KB

Download
memory/1132-4-0x00007FF712050000-0x00007FF7129F2000-memory.dmp

Filesize
9.6MB

Download
memory/1132-0-0x00007FF712050000-0x00007FF7129F2000-memory.dmp

Filesize
9.6MB

Download
memory/1132-2-0x00007FF712050000-0x00007FF7129F2000-memory.dmp

Filesize
9.6MB

Download
memory/1132-5-0x00007FF712050000-0x00007FF7129F2000-memory.dmp

Filesize
9.6MB

Download
memory/1132-6-0x00007FF712050000-0x00007FF7129F2000-memory.dmp

Filesize
9.6MB

Download