Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/11/2024, 15:40
Behavioral tasks
- behavioral1: sample PepperX (1).exe, resource win7-20241023-en
- behavioral2: sample PepperX (1).exe, resource win10v2004-20241007-en
General
- Target: PepperX (1).exe
- Size: 81KB
- MD5: b950502f66e5c9b058f340ab24b3b5ab
- SHA1: fad3abdf88ef351b25ef339a6d1a082d8516b9e9
- SHA256: d45f6608d6afc48189e0ef63e489f9034cd3e864a95d634640df53ad302b42b3
- SHA512: 132235bf2ad67b8b22428e716a27d35b024c38ca09e770237688b4d4e88eb4f44a98b267c068f422aa75a6050bfff3db6073bc71619b5bb85fb76ddf9833a5f9
- SSDEEP: 1536:w3kIZ4nmr9iW2wU3gUvpdO0J//E2dLEgtMRloDpU:w3kI4nmr9iY7MhdHMRl6pU
Malware Config
Signatures
- Chaos
  Ransomware family first seen in June 2021.
- Chaos Ransomware (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1828-1-0x0000000000B40000-0x0000000000B5A000-memory.dmp | family_chaos
  behavioral2/files/0x000d000000023a6c-6.dat | family_chaos
- Chaos family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid | Process
  3832 | bcdedit.exe
  4512 | bcdedit.exe
- Deletes backup catalog (1 IoCs)
  pid | Process
  5024 | wbadmin.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | PepperX (1).exe
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | svchost.exe
- Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2164 | svchost.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (34 IoCs)
  description: File opened for modification (all entries); Process: svchost.exe (all entries)
  ioc:
  - C:\Users\Public\Pictures\desktop.ini
  - C:\Users\Admin\Downloads\desktop.ini
  - C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  - C:\Users\Admin\Favorites\desktop.ini
  - C:\Users\Admin\Searches\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  - C:\Users\Admin\Music\desktop.ini
  - C:\Users\Admin\Favorites\Links\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  - C:\Users\Public\Documents\desktop.ini
  - C:\Users\Admin\Desktop\desktop.ini
  - C:\Users\Admin\Links\desktop.ini
  - C:\Users\Admin\Pictures\desktop.ini
  - C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  - F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  - C:\Users\Public\Videos\desktop.ini
  - C:\Users\Admin\Contacts\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  - C:\Users\Admin\Documents\desktop.ini
  - C:\Users\Admin\OneDrive\desktop.ini
  - C:\Users\Admin\Saved Games\desktop.ini
  - C:\Users\Admin\Videos\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  - C:\Users\Public\Music\desktop.ini
  - C:\Users\Public\Desktop\desktop.ini
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1n6mu5uyq.jpg" | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
- Checks processor information in registry (2 TTPs, 12 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Interacts with shadow copies (3 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  2972 | vssadmin.exe
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | firefox.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | svchost.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  4472 | NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2164 | svchost.exe
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  pid | Process (the 53 events are split between these two processes; each row is repeated many times in the report)
  1828 | PepperX (1).exe
  2164 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  Token | pid | Process
  SeDebugPrivilege | 1828 | PepperX (1).exe
  SeDebugPrivilege | 2164 | svchost.exe
  SeBackupPrivilege | 4792 | vssvc.exe
  SeRestorePrivilege | 4792 | vssvc.exe
  SeAuditPrivilege | 4792 | vssvc.exe
  The following sequence is recorded twice for pid 3852 (WMIC.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  SeBackupPrivilege | 3948 | wbengine.exe
  SeRestorePrivilege | 3948 | wbengine.exe
  SeSecurityPrivilege | 3948 | wbengine.exe
  SeDebugPrivilege | 4992 | firefox.exe
  SeDebugPrivilege | 4992 | firefox.exe
- Suspicious use of FindShellTrayWindow (22 IoCs)
  pid | Process
  4472 | NOTEPAD.EXE
  4992 | firefox.exe (the remaining 21 entries)
- Suspicious use of SendNotifyMessage (20 IoCs)
  pid | Process
  4992 | firefox.exe (all 20 entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4992 | firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1828 wrote to memory of 2164 | 1828 | PepperX (1).exe | 85 (listed twice)
  PID 2164 wrote to memory of 4740 | 2164 | svchost.exe | 91 (listed twice)
  PID 4740 wrote to memory of 2972 | 4740 | cmd.exe | 93 (listed twice)
  PID 4740 wrote to memory of 3852 | 4740 | cmd.exe | 98 (listed twice)
  PID 2164 wrote to memory of 2504 | 2164 | svchost.exe | 99 (listed twice)
  PID 2504 wrote to memory of 3832 | 2504 | cmd.exe | 101 (listed twice)
  PID 2504 wrote to memory of 4512 | 2504 | cmd.exe | 102 (listed twice)
  PID 2164 wrote to memory of 5092 | 2164 | svchost.exe | 103 (listed twice)
  PID 5092 wrote to memory of 5024 | 5092 | cmd.exe | 105 (listed twice)
  PID 2164 wrote to memory of 4472 | 2164 | svchost.exe | 112 (listed twice)
  PID 2240 wrote to memory of 4992 | 2240 | firefox.exe | 123 (repeated)
  PID 4992 wrote to memory of 2160 | 4992 | firefox.exe | 125 (repeated)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\PepperX (1).exe (PID 1828, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PepperX (1).exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2164, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 4740, depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (PID 2972, depth 4)
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
      - C:\Windows\System32\Wbem\WMIC.exe (PID 3852, depth 4)
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 2504, depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\bcdedit.exe (PID 3832, depth 4)
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        Signatures: Modifies boot configuration data using bcdedit
      - C:\Windows\system32\bcdedit.exe (PID 4512, depth 4)
        Command line: bcdedit /set {default} recoveryenabled no
        Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\System32\cmd.exe (PID 5092, depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbadmin.exe (PID 5024, depth 4)
        Command line: wbadmin delete catalog -quiet
        Signatures: Deletes backup catalog
    - C:\Windows\system32\NOTEPAD.EXE (PID 4472, depth 3)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      Signatures: Opens file in notepad (likely ransom note); Suspicious use of FindShellTrayWindow
- C:\Windows\system32\vssvc.exe (PID 4792, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 3948, depth 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (PID 712, depth 1)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 1956, depth 1)
  Command line: C:\Windows\System32\vds.exe
  Signatures: Checks SCSI registry key(s)
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 2240, depth 1)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4992, depth 2)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2160, depth 3, gpu process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9533bd16-8528-4f12-bf2c-5e99d2c46a3b} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3412, depth 3, socket process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45d606ad-104e-4513-a7b0-92c6642ffede} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" socket
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3188, depth 3, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 2912 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e347cf37-e150-4797-9f65-8e054bcf11d3} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4496, depth 3, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3896 -childID 2 -isForBrowser -prefsHandle 3872 -prefMapHandle 3864 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae3782d8-9291-42b7-b537-552cc32a4abb} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5588, depth 3, utility process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4920 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22bc2874-8759-4d51-8ce0-9a5af198e903} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" utility
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5996, depth 3, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2724 -childID 3 -isForBrowser -prefsHandle 5160 -prefMapHandle 5196 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d40e63ac-6936-4897-b796-6ba8d2f53761} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6008, depth 3, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3791b12-f8de-45db-af07-76fe364d2748} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6020, depth 3, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18938d67-1733-46c7-b59d-2e592c666d6d} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
Network
MITRE ATT&CK Enterprise v15
- Defense Evasion: Direct Volume Access (1), Indicator Removal (3), File Deletion (3), Modify Registry (1)
- Credential Access: Credentials from Password Stores (1), Credentials from Web Browsers (1), Unsecured Credentials (1), Credentials In Files (1)
Downloads