hxxps://s[.]id/1W1Ay

Analysis

max time kernel
89s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://s.id/1W1Ay

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3811856890-180006922-3689258494-1000\{EB7853AB-6DD2-4B11-ADBD-378336A70190}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2084	msedge.exe
2084	msedge.exe
1756	msedge.exe
1756	msedge.exe
5672	msedge.exe
5672	msedge.exe
6388	identity_helper.exe
6388	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	firefox.exe
Token: SeDebugPrivilege	3860	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3860	firefox.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
3860	firefox.exe
3860	firefox.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
3860	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3860	firefox.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
3860	firefox.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
3860	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3860	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 4536	1756	msedge.exe	89
PID 1756 wrote to memory of 4536	1756	msedge.exe	89
PID 3860 wrote to memory of 2148	3860	firefox.exe	91
PID 3860 wrote to memory of 2148	3860	firefox.exe	91
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 4540	1756	msedge.exe	95
PID 1756 wrote to memory of 2084	1756	msedge.exe	92
PID 1756 wrote to memory of 2084	1756	msedge.exe	92
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93
PID 1756 wrote to memory of 4560	1756	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://s.id/1W1Ay
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc274b46f8,0x7ffc274b4708,0x7ffc274b4718
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:7036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:7164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  PID:6372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15891167584039026498,3572987073524719926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:5296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.0.451036053\1842541045" -parentBuildID 20221007134813 -prefsHandle 1824 -prefMapHandle 1816 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42274f07-9167-438f-ab26-c815dfe51730} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 1920 22917ad5f58 gpu
  2⤵
  PID:2148
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.1.330930183\175015154" -parentBuildID 20221007134813 -prefsHandle 2332 -prefMapHandle 2320 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8759d63-81f2-4918-9afc-09841d3317ed} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 2360 22917439858 socket
  2⤵
  PID:3280
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.2.740411199\1392557064" -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 2940 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {064fc017-4e0b-41cb-8c73-dd1a58f8fd85} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 2980 2291afbb058 tab
  2⤵
  PID:2140
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.3.272048936\837171049" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb4238ee-0063-4483-bb0b-6b99ac1c01e4} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 3628 22903c65758 tab
  2⤵
  PID:3408
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.4.362798621\1578060739" -childID 3 -isForBrowser -prefsHandle 4932 -prefMapHandle 4396 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95c6521f-2149-440a-8b24-87e454c4d124} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 4940 2291df70358 tab
  2⤵
  PID:5140
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.5.1043080356\1826078580" -childID 4 -isForBrowser -prefsHandle 5160 -prefMapHandle 5196 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62122b2c-de83-4b2c-b9bd-da7699643e2e} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 5200 2291df70958 tab
  2⤵
  PID:5492
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.6.952903180\1449946288" -childID 5 -isForBrowser -prefsHandle 5188 -prefMapHandle 5172 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70c0178c-f57b-4c69-af03-57f061354047} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 5216 2291df6fa58 tab
  2⤵
  PID:5680
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.7.1767832524\1102578997" -childID 6 -isForBrowser -prefsHandle 5156 -prefMapHandle 5096 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33cca955-d860-4d0e-8ba0-9d3bc7a8fdc3} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 5304 2291df70658 tab
  2⤵
  PID:5688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0629525c94f6548880f5f3a67846755e

SHA1
40ef667fc04bb1c0ae4bf2c17ded88594f0f4423

SHA256
812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee

SHA512
f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8209d37dd941950a8723cd7c960e5d13

SHA1
8cd3cd00e5d23a7d6325f86549cbc812e78f8f64

SHA256
b4440fce1cc1de905d2f533a164faa92f1debc7c22273d505d67c6ca37d87e85

SHA512
c6337c07a8bd6cb058fc554ca9fc233128746931a437adc72a834d268abaa15d131e9838c6d90eccbd0de6c7cbb80411baaff627e05e7be5a18109ecb91bf6d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
a6bca782a02a13877e4c752e35b3b9df

SHA1
17cce754c63b89979423f9dbdac9a4651dd7acaa

SHA256
0d4cc160f55605936e8f6c782269e0da6d9394cf15ce6f0e3e1ce4890b33d8e4

SHA512
d932416b0fc12109d6ad2cd353d3805559e0a04e5b3b05c4a0e2721405688be0a73024cc5fdf5c37942874fe5c0f59d7a86e74ee8780b0a51397983bac63245b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1955ab8c677caa6623ae6508ac985b30

SHA1
e0f619f1a01f66744b79c2aefb7143433d0c1af6

SHA256
84b98363fe9355a6c2def957d8a4aa1703349be18fa37737a378ce0de4c6b40a

SHA512
91de376737a929cea17c4d3b18b6140d24eab01cc98ad16b4edab62cffb2c233975c2454250df4e15478212e8c2f0bcc1aa098f9a7646aa70badb71fb4563871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19c0b69577919ec1de7770e8705efc16

SHA1
be57b6351841941f926d501e04318af4bcb5c265

SHA256
2e9e02dfeb12e34831b506a185be35e49c45247330d1852fec3ab9194a326928

SHA512
dcdda0f53b5bf38f5113a4fab2ac60d306ea03f8f150e1a4cfac88e545871661ae52779e6b948cf896ea25cd8f4b4189aaeb29ac162639dd4e7a05f7467bdc53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9958971c452a6079daa05c35f15c0498

SHA1
7eaf260747891cea13acfd180d65553e8f8e22bd

SHA256
a04e5166b91566159b85aa462bbef01ceba09e39597f3227fb441a04306558c8

SHA512
92ee8e9cde3bdc4b4071b14f427acba1915654452b673c9ffee74e298992c6e02f26855a1ac8dca241c4a6132722a148eb7287d1204c1c9529863760ddf6a21c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9595e6ba46a3caa75d0ffae6b128401

SHA1
f8913ad7c84af1761e87ca471e79079701999d39

SHA256
abded71673efa8bab8030713b52763c797ce15dc7698647c04c388dac7f35a20

SHA512
36e9b900790ec17ca94f97f86bd36a6e5d41bc333108aae9e413557502222cf93c559dfd9f2be4c65ffbcb2d2380d6311156cf3264d2a8757fc5bb9d5a591a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
fd20981c7184673929dfcab50885629b

SHA1
14c2437aad662b119689008273844bac535f946c

SHA256
28b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22

SHA512
b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
731c92c0991203cf4c311232d2a6cb90

SHA1
75d6ffe899d1dfcdd19c9d75240afc4d037aeb3c

SHA256
647e4ce28d09a943f0906d00c12b5de29ceb603e5a5470d72f5e70a1233d760e

SHA512
32d319a19d2e10b0ddb38eac0ffa0e2cbc50f2cf11ba7ae0821df0f9a882b0edacbc36177611ae04d9aa0fadc71ce12570e24173445d35a0398ae5d2d20a3c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
6883d34d4846b1d33820ac42291a946a

SHA1
9420f28ae80dca0d044b81cb05b498578855e947

SHA256
895daa09c7a89961ceac24271719df7030b50e299a98c8d1fe20044fbc34e212

SHA512
78a0031113d3e42b7910b74eaf018a06e44b6810c48f5e9f9655f63dbb054192365b48c562f966f24e774bd24e42a309a8d62232b218ab243919035d8ba47604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
24803185793cf86c7abcc766bf440d51

SHA1
ff285c47dff026df01b798e7b9472ea2bf8054ae

SHA256
a3979fbfb161c2a0bc62b5ea788f4d0f49c3385e7150761d4df587b38f9a0973

SHA512
e9bbef111e16483f531005c759137e6eed573b3967f9cd9c77d687cbd76d991b9562b395d2ea0ad34e20161efe41cc58ea4806b8550d4633c1b9c33195a1f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58632a.TMP

Filesize
3KB

MD5
c4252be02eaacf7a9e224f5738152cb9

SHA1
8956307d0fecef145aa6a2c39eac44848c9dcf80

SHA256
70d4c4a36f3003188931f036900128d75df84f3d2ac941afdfd5215a2a6d03e9

SHA512
6c70eacc617aa56f486fd9c0d7b7d912e5b6caa36d1518e8e84428628af26e96464e0b09b4bb67583b4f95cc76d0045d48b180ddc0ad7b8c3a20d77a2b28de90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ac6ca41e-3cc7-423e-8458-8e6a10f18baf.tmp

Filesize
4KB

MD5
753ab331c99ece4cc468fa55cab59ce9

SHA1
2ba5b0f8264a61a3b2d61761aec09757e303b9c8

SHA256
41cfb0a064d82bfc04f37fd974bfc5d82bda9ad8734884957519109dabe4cfe6

SHA512
51cd4758558c29798299e75702c567aed8772c2c8d994a436f472764cbf4a560b6e770cd5ba2033673aa9aff772aa33f7173aa9b0563988bd9c0027f200865de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cf32b7ac6393f423b47cead075c0101f

SHA1
012b6d697616c55f19bda60b698a4976615ceb7c

SHA256
b8716870b36255179f003f9066b99dee6b3fab1cd9be139bf2aa123a5bac54c1

SHA512
1710f53b5a64398b38c7d8c2d751ff65d7b84d3149d24a4aea815fadcd4368a1c1e81a072ca1161761db21012889c7ae2d8365563a7d95f5f5fc66d6bfad7139

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
d8216b72e6cc071f60cb202095d83d9d

SHA1
d373e4dbaaafa50d4d068dafab230b8ee7510553

SHA256
27184f80722833e5f1b604f0f9048f4df1772e77790c3738899c50fceb410ba2

SHA512
b0987fa645acf0e84b7389f7894f8625fdf59056e543a0b797a7ee015ef8ddde1ce450fc476be42ffce2e65c95f8955fe8f86713e1096726e52724b2cd5eec66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js

Filesize
6KB

MD5
40c368459826ef5b30b2e17e7149c86e

SHA1
0f78f3110a20feaf3f1f49877ef4602e0bf93c8b

SHA256
ec32156c999b6461437cf6b04db3d20c3675284532ec71e10cf8ef4e43d379f5

SHA512
0a9376e12a4f1861ed8462a075bdcdf6ea184b9cce479f0a153fdc15d237bfab41c428250f513e5f6902d570beb30c05d17fea9aa3a432828e653baea5145afd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
402dec3cb0fada5aa44e3aafff4ab75c

SHA1
6267335c0b200eed64984370f4d8b99e84a3af87

SHA256
a5bbd2a6a658d2342d046d2f43718ece637406cad89e502934b37ff7425c46c1

SHA512
4537d46bf1e0ceb91080ccb4a5146feb8bc7067049e12713e485c3f82a2724f931f9f516ffc85804634d45117693d2b0f0bbd0c7e34156c10f602ac8cf358a8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f75de1efca6513eac868d869b180661f

SHA1
dc9c781bb9376e7b0dee90890ee87ff795a2a33b

SHA256
ae46b864edca185444c34b931deb0996aeadd29ae46c6742de3c894afcd4df40

SHA512
b7902efdf0a50f04a090dc61cd2e93542cb63997ee7e0ff29049a3a342910bc12ac56cd7038cab6d5db653714ddeb2dc340c4f13011c7b91e9eb3a3857856d91

Download Submit