35288aeeeb27a30c343271ad58813a5a066ce7b63868561e4118a1a275b5fe03

Analysis

max time kernel
127s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Beyond Launcher.exe
Size

23.1MB
MD5

474a97f73bd209f58f32e28fa2ee7175
SHA1

dbc7c67af7aec4f5474da33a9f2687d38c771357
SHA256

35288aeeeb27a30c343271ad58813a5a066ce7b63868561e4118a1a275b5fe03
SHA512

e439c49a687d6a4e3ed5dcd77fded2f450bc4b878d3b61103f0572a0b663549109e1e3af6cb4bb3f790d1d1fec50c3dbee1c3363d1e4a9c8c59a53130b3b3b4b
SSDEEP

393216:P850RfZDmuXSXoPirJxMQTERfpFCBv5ZrQogE17sGnnhUuoIAOQ:P84f1dS4PEJFTERfvynxgE1YGKuotp

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 693811.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe
4964	msedge.exe
4964	msedge.exe
4744	identity_helper.exe
4744	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	firefox.exe
Token: SeDebugPrivilege	4628	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4628	firefox.exe
4628	firefox.exe
4628	firefox.exe
4964	msedge.exe
4628	firefox.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4628	firefox.exe
4628	firefox.exe
4628	firefox.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4628	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4964	4224	Beyond Launcher.exe	88
PID 4224 wrote to memory of 4964	4224	Beyond Launcher.exe	88
PID 4964 wrote to memory of 1460	4964	msedge.exe	89
PID 4964 wrote to memory of 1460	4964	msedge.exe	89
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 2060	4964	msedge.exe	91
PID 4964 wrote to memory of 3620	4964	msedge.exe	90
PID 4964 wrote to memory of 3620	4964	msedge.exe	90
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92
PID 4964 wrote to memory of 528	4964	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Beyond Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Beyond Launcher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.14&gui=true
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8da0f46f8,0x7ff8da0f4708,0x7ff8da0f4718
    3⤵
    PID:1460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:2060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
    3⤵
    PID:528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:1904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:3344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    3⤵
    PID:3076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5420 /prefetch:8
    3⤵
    PID:2168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    3⤵
    PID:3156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 /prefetch:8
    3⤵
    PID:3832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
    3⤵
    PID:2444
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
    3⤵
    PID:4704
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
    3⤵
    PID:5568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
    3⤵
    PID:5700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:1552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
    3⤵
    PID:2264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9183127040569831041,13605145039261422493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
    3⤵
    PID:5220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2884
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.0.18752919\28411192" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1784 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa7cbc91-f0c3-421c-8e67-a290fd80af40} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 1996 2a955bb3158 gpu
    3⤵
    PID:3288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.1.2050332196\929274609" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2356 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {445924ae-778c-4c6a-ad51-e5c77199eed9} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 2396 2a9558f8758 socket
    3⤵
    - Checks processor information in registry
    PID:372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.2.287763131\926135021" -childID 1 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95b2e117-7db7-4cd7-ba7e-b9f9f0b5eecf} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 3500 2a959bf9258 tab
    3⤵
    PID:2016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.3.1974642389\926023352" -childID 2 -isForBrowser -prefsHandle 1288 -prefMapHandle 1280 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9860fc9f-d850-4e6b-a47b-66de03ce6b87} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 3764 2a949162558 tab
    3⤵
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.4.1569779661\1196469413" -childID 3 -isForBrowser -prefsHandle 4548 -prefMapHandle 4528 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb79e316-078b-4dc2-a98e-ec02bc28708a} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 4468 2a95b873c58 tab
    3⤵
    PID:5412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.5.1626062668\1583412230" -childID 4 -isForBrowser -prefsHandle 5188 -prefMapHandle 5184 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b21a2d1-ce37-4a3d-85c6-0b66ed866ecf} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5176 2a95b872158 tab
    3⤵
    PID:5988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.7.1001869143\182632160" -childID 6 -isForBrowser -prefsHandle 5596 -prefMapHandle 5592 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0753adf-cfe6-44e5-8a3e-ad63f6bf4249} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5604 2a95bf54958 tab
    3⤵
    PID:6004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.6.170287476\1014423791" -childID 5 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9541ea5-6c60-41ec-b94e-8b4d546750a2} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5304 2a95bf54358 tab
    3⤵
    PID:5996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3423d7e71b832850019e032730997f69

SHA1
bbc91ba3960fb8f7f2d5a190e6585010675d9061

SHA256
53770e40359b9738d8898520d7e4a57c28498edddbadf76ec4a599837aa0c649

SHA512
03d5fee4152300d6c5e9f72c059955c944c7e6d207e433e9fdd693639e63ea699a01696d7bbf56d2033fd52ad260c9ae36a2c5c888112d81bf7e04a3f273e65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
547d3841696f927e6768897d90d8ed18

SHA1
995b0d243101b77bb69f2cfe0725ff15b2feacdd

SHA256
9a63553f554991d7068ed0bd15f3b6bf02c75e0033683ff015389bc766151708

SHA512
aedaabdade4a0ae392defcfcee7a171be7a7f67633d5cdcd25f32f7d0c8d9641a87a566cb5b2dc0ccb74d0e6ff0633370ffd2f8f76e63ee50e9d79ed726bc06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
902B

MD5
702b6417ba3f3575064417b2b6a7dd39

SHA1
aeec1737ebfaf5cd2b8c56b5afc4c0a2d03455e0

SHA256
16c38b81e653de0a00d6be30e1d7388b051db70944b30df1eb56bf7cb343713b

SHA512
f532e1619c8722e956e63b828063ddb8c14799f75a32920229855f31fd4718448611c0db877e58693418917e3e04140811ee6441e955aaa590605aa725c8f71b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
927080409ba414d0352ae37186b42f8f

SHA1
ee1e027aa246c468937109a5fbd4818a60b87968

SHA256
3cadc7bf826e5d5af4326770fa1e11e3ddcf84a64faaf08efcc63dce2e862f23

SHA512
0965c0bbe5371e3e5b7761abb6c4951de63be05b6bfe11d614d756da97a32e8c7a0562120a46801e33866110b1f98ccd6f34b1ddff1a8a991cfb33a84dd71ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
196b084d576572ce51451646524e2efa

SHA1
356d0896854b94084376a522b2386179ce2eb8b0

SHA256
7f1ba50df0658c4291197fc1287170a2aeea3d36ce98e01ce4b01d15f385728e

SHA512
973d60fdeda71cc1fbaf3eb7ecddb4789b6ddcba772381a9c5c07e00aaac43746bd805801ce5c34ea9ae1dee9ec08b7622e64debec45da8c86ad66b5bafa4d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ef41344b736d634f7888519d21ef0c4e

SHA1
9011818568543a3d224e268ac47259a7c4089b48

SHA256
7d3fd326f8895c6b42bc0a6f9b491b5cf45613a65b303bd97ce837cf30f1cb63

SHA512
1055213bbfc10b4cfb00aa01e3c9701e8faaa38e0ba913c1386183c6a081bece8f3bab9fcd040ba11e54fd90b13a50f6243c8452277ecfba9b9a84658d2b4072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9eb5e1166c7808bd8d6691a6c7e8436

SHA1
c3427e88a7c16188eb7b59eadc40684a8c36427d

SHA256
92b748c1e263313d916a567af08371834a5708ad49311e367bae12e6518317da

SHA512
d0f046a48fac7f59371061f54a98f09519dfb58bce26bdbbc31f1c334552018a4c7bfd7654d4f877443e0018cbbcdf927b770f668adc8502703580ae0753ade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0e78f9a3ece93ae9434c64ea2bff51dc

SHA1
a0e4c75fe32417fe2df705987df5817326e1b3b9

SHA256
5c8ce4455f2a3e5f36f30e7100f85bdd5e44336a8312278769f89f68b8d60e68

SHA512
9d1686f0b38e3326ad036c8b218b61428204910f586dccf8b62ecbed09190f7664a719a89a6fbc0ecb429aecf5dd0ec06de44be3a1510369e427bde0626fd51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
623ea152a82788977ab7d8e27fb91427

SHA1
1d35e13ed159facd287c912c801be05b8f05d73e

SHA256
26f571d1a958dfd651eac95fd871d87da65aab81b9dce300c477114193ea7420

SHA512
9c6e922019f85b6ae89123eea55fbc00f3783e48c2975e08a4082fe3686a4e6f4251c79d9e681584bbe5c8e3ecc56fb1a3c22bcb0150ce3a527c0f7adf4ebd08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c6324428b7f6cfeedd160ef877695017

SHA1
bd8eb6890501bdb49dc89ad51db88772d7b4f8af

SHA256
2ad366149a574bae3561a2fe4e1e15d6c482dadd4f427bccb0b7f6ddc15215b9

SHA512
ac1e802aca495c3a41fc2777488860ac168d601cadae0dbbe22bde496add23b4d590d3224f19b31f206b2172498ff770c13a77ac659836d1d2829d0b128d96e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
721a3e1e83cf83c718d66a34095abb83

SHA1
81ecb5ff01e880f62f5cf9461e0d9742317d657c

SHA256
df94ed844bf266ba492131739fa0a6ddbfb645482d966b893f6c59cd38b71b63

SHA512
84129475d25e186cd2959ccdbf4132af9629bc5c0269e912e6a5901010d95cec9765d537edcbe3330dc77d89f970577a752c2859b162b3b477617d87d8af5e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ef413087ac6a84a4be4c4cbd5c572cd9

SHA1
737c8b4e6b6533ed9f7897d09f2f8c62c502b493

SHA256
8101f753db41f50bde0f17d0ad6a8b966fa42754c9bcd09508a04d1da31f1b67

SHA512
51c8f1bdfbc9e9ea2144249e9dfbc40bb99b451c34b342f5cd3f6448ca3a6ffb2654b6b162ee5e6be4835a37d94099a9867f11ae9ed3921d936d7cd5e1b964dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ob0k9snf.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
dc5057822b27b8c871cde70e9dd7006c

SHA1
2cd6fb3f71b8fa90f70dd5de9d243636e0fca694

SHA256
765e713188f36319b94fb0bf0f6424aed08ed3620992c3ba3eba32198c3dfc84

SHA512
71c1cb9aaa7c1985b5877822fb8d031954271c3442fa1956dc8b3db5b0ebd6071c69a20a63db99e5e312a7aaa3dcbd60d1dde224b9cfad788482c50061289272

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob0k9snf.default-release\prefs-1.js

Filesize
6KB

MD5
7d324fafbb26f56d6ad6df12ebbc9878

SHA1
72f319efb90b080ebef377090c98576ffe730a07

SHA256
a2e010d0201e334e490801404bafcd7dbd9fb24665949420817dee8e06bad1c6

SHA512
67a7147481197c62c38157ff3ad8251fa6d1b9deb2805dec10ff87ed2a5eb34b3d5ffee0e6ffab79027144389406e1083aab6f6ee448f521f9a38e5c5c75f1b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob0k9snf.default-release\prefs.js

Filesize
6KB

MD5
9fefbc46e26a261babc6bf5813a65193

SHA1
d8334b54fc48702ab9516c79ae16940ad10ece7a

SHA256
670818c2554f1b1cd2a397355a80d03b123d52dc36cad41d283fee07d5756470

SHA512
4560f82f6ab9751f63def724aa34b165e27b87d270bd8747a10ff43d7e2ab1518bb6a2b3647b8a9fa6c8ebd7e9824bb4ed8344d0a56a97744a1ca44f1bb73fd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob0k9snf.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob0k9snf.default-release\sessionstore.jsonlz4

Filesize
883B

MD5
8cb8e0ba6dd42b95507c670f5ad0ef1d

SHA1
fd78b47b63b54d056ead53eb25f6e553c9cd1740

SHA256
5a0b91f8801bb3b6cd9686524b20f2acfad84997b5f07f7a7049f5ea2be19ad0

SHA512
2ae93f6a2befb0e6c488eb646de0900a01c349574880ac9b84ac44bbdb1d8969edc0541f51554b21a016f303209b47bcb5788106cb8638c2fba388e15a473499

Download Submit