hxxps://crl[.]circl[.]lu/

Resubmissions

02/11/2023, 19:42

231102-ye1j2agc95 1

02/11/2023, 19:39

231102-yc2pbaed7w 1

Analysis

max time kernel
309s
max time network
323s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://crl.circl.lu/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
5004	msedge.exe
5004	msedge.exe
3932	identity_helper.exe
3932	identity_helper.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	firefox.exe
Token: SeDebugPrivilege	4720	firefox.exe
Token: SeDebugPrivilege	4720	firefox.exe
Token: SeDebugPrivilege	4720	firefox.exe
Token: SeDebugPrivilege	4720	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4720	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1864	5004	msedge.exe	88
PID 5004 wrote to memory of 1864	5004	msedge.exe	88
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4204	5004	msedge.exe	91
PID 5004 wrote to memory of 4964	5004	msedge.exe	93
PID 5004 wrote to memory of 4964	5004	msedge.exe	93
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92
PID 5004 wrote to memory of 1796	5004	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://crl.circl.lu/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb029c46f8,0x7ffb029c4708,0x7ffb029c4718
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5952 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2566225314471906332,15093640214151035543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:5368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3688
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.0.683383553\1084286211" -parentBuildID 20221007134813 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a0e04d2-5100-437b-bd21-21ddde6d1dbc} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 1988 232314c8b58 gpu
    3⤵
    PID:4008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.1.481742115\821416984" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0e46c61-b0e2-4f4f-ba61-d7d65b62eb0b} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 2380 2321d774058 socket
    3⤵
    PID:3612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.2.1987077315\114927240" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 3080 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {823feed5-4f16-4023-b544-4d77a523d8ac} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 3128 232352c0b58 tab
    3⤵
    PID:2968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.4.1121651652\310654173" -childID 3 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e36046f2-980d-48be-8025-35e04c05ea1c} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 3312 2321d765b58 tab
    3⤵
    PID:5640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.3.1492900842\381138210" -childID 2 -isForBrowser -prefsHandle 3396 -prefMapHandle 2884 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {734e5d36-5c7d-403e-bc38-b530be8de472} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 2536 232329f7758 tab
    3⤵
    PID:5632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.5.1126609494\934774114" -childID 4 -isForBrowser -prefsHandle 3612 -prefMapHandle 4384 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb164f88-486c-4e7e-af49-6ca807b64791} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 4440 2323564a058 tab
    3⤵
    PID:5996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.6.1725124028\316921853" -childID 5 -isForBrowser -prefsHandle 4428 -prefMapHandle 4424 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75894332-0d2d-457a-a7c5-77f03e2b8559} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 4464 23236364058 tab
    3⤵
    PID:6008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.7.22690337\1311536617" -childID 6 -isForBrowser -prefsHandle 5300 -prefMapHandle 5312 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {907163ea-9b2d-4b5e-80a3-9993605ba7fb} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 5288 23232957e58 tab
    3⤵
    PID:5296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
c836b9d1b08de74dea9451b84e7202ef

SHA1
4ce7e8aac8015c6ed8fc7a1d635576249b83b455

SHA256
41eab77134f9cffd7d826b730bfc065a8f1a36e7447a2386a1adac6411ae3349

SHA512
3bddfd26698107a452a0af5e917fd8be1987bc2202e4784b0856888f26b99ef280b1bd9c2e20aa07745126942236c0cdd9bb613df5dc36d77d3cb4ab32f60b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b42101ef505cc1fc108f247dc4ea3e86

SHA1
cd61b8cae721c644ba16e27d601c9f34b01dc4a3

SHA256
af70ec94c563ba8f55053c932bddeb1fcd34baf22003758dceaefbb45bc8afa7

SHA512
278405be194b2abfced8cffa46ceb34ef9c1a840f8936646ced96aba72c97c4cb994e0dfa724645d88e95207bd6ec20598a5b4987c7ae9b6a85a19769328a789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
183B

MD5
b8c2f061a44ee2979448e4595ad84566

SHA1
3548fa17079c6a08be455bff57bb87a2ee641bb3

SHA256
7ca2443975fcf9d12b70fa6b5b7d481875712834a1c6e759a825c01d06b92077

SHA512
be28dc723bb0021cc6cb417ab3d8e7779f2c5428d6634d74f33440a9b0767e0ab05829254b10373d72bef37534e4abf077cd3da3d237b1d821c6824e89e87f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
538ea50eb0da25064bdb65ee51ddf566

SHA1
e137fb99e5b97c34c13958bf408e11bf526a1e1d

SHA256
eb0b32d6b3d5a2afcdfc0b933560916751403c25e0d22e9527aca9c11a04e4bb

SHA512
3e9c5eada16326f5e9596d2d5fdc860cf84cf57eb8a56c6f0e9e02c61095116c3be7ce9a812481cd62b31d03beb253e4c1d62d47bae739a60295bfca37162ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb9f855473aef0f34ebfef8738da9714

SHA1
e191a878ce1d5d818f8b0c72b743b27e979a56d7

SHA256
95a75edab50b106841b1bb9abb463c60df9778a7e993bd437adf8750c9bac4b1

SHA512
9719493731f824bda69b30987b00a921ff9a890427e169451da8fd53322150e818fb7987725793cc9ea55dc2fa8fb0e4cfe89ecc5cfb15d010dd0f51f68f4483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
818f1825dc6950626e914b56e9ed37f0

SHA1
d63fc3c8ef014331cdb7376e436442be560da49f

SHA256
f54ff72eaab845832ec0b90e88fa7aeab9a37c11e710b86e7e787d12dbacca2f

SHA512
ca291c268c7a0a6ff2b45a9a6e0c025426c67082a549ea8ab400266ba5f9f4cc269ea430c500e0e0724665be11985ff8b5aba02ca992d4a9547ed0061f9b4785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a591d650b0b4dbab287464dcc661c11

SHA1
3818c06e92b8f93471a6e19c6ef0bce24fd67306

SHA256
47bb56ca2c8fd2e71b2ad26a717921eb6a4e0c528f93968f83925742f0ba388b

SHA512
1996dae4359a5394e7c685f2dae0180875667ba0260f60f0aefd87683aec655781fb6e16f7bf73e08ba6fd9fc4f37db24c9b364ab5b5554115c85b33fb5fe727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec7c68ef6bfe462b50fffdc14552ea6f

SHA1
e2ce05ef85faff5db54c87cb50ca4084b4be6f15

SHA256
15133c1f521a3bef7a29278d1305ddc0b729428a226daee2583ceecbf253711a

SHA512
ed89344d8e3c6ed2b7590556fb18079a492f68b31e16db703839c60807f8103de9850ad0cba3cd254b9077df1f710c62374c79380287448e374463e39528fa68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c786eacffcf4fe61546d17cecaeb5658

SHA1
24754dcf1fa4caf22894f9b6e0442c2e5a23c502

SHA256
89c571c60d432aa63bbd503df16b082450fe652ef2abf92106dbf84d4aff5604

SHA512
6467d91d645a43c50f57fadba2cf34af95060760945dc5c1aa3c681f8ae3aff9365da7cf6a9272da164d9df3250563d28f8174cd69ca0ae3075532e876259dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0b8abe9b2d273da395ec7c5c0f376f32

SHA1
d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec

SHA256
3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99

SHA512
3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
202B

MD5
6b00b8b6db253abc960022bc3507e5b4

SHA1
7975cccd45c64139143c8ee633add9b3fc7c97c7

SHA256
0b625dd20cef566b94bfcdda8a2071f81b9130870dde4064b48d12f3c3c0c60f

SHA512
cd77d0178eeed2f86a238c546b39a81353c5afe2484a2f428019b7b64dfc0c21900c9efd0a89e382de653a1fa43a66a3575e9b98ad992ef0348fea59e22b5d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bce97.TMP

Filesize
202B

MD5
96decc8f245b46c26220058be9d2d54a

SHA1
7eed247e7155b6d18f623a9a81f3cd4de598a396

SHA256
b25af62b3f0dc226c336ec3df1e35ac1fa06c6f7e0db4702f906c2bb144edb4b

SHA512
ebfce24fcb98b4b640f5ac95d30994e597ae37eedf8b377fc79979207d1984909e07d445a054783538ce3a209f4056315b73956084ef255ab6ccc57fcb959eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
1021693ebc8856326bffe1bdf19fe592

SHA1
d38bb918bb80f364100bde9f630ada42b26a9c08

SHA256
29f09a3d4024252317e421b474b095d37a093369751f6c25a4e7015c94b19b31

SHA512
64b1e4b1dc950054df340f6e79da0f0913d330f02ba4d27fb91f7ef562ec0291152ac904f86c3b152d39c8d903a8ef718e0ce3d268e71670fba1d3f52539b2f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a9495fb28ecda30094468c5611b4860d

SHA1
dfb7386f1753f3becf7f7fff5db5f75f1d524e75

SHA256
cfc0ce6787f094494c8c9169f8dc4e50cbaa9d0f0a0c02111693c43868bd7ad0

SHA512
3facf41bb7fdc6c326148f6ebca08070c511c2c4eb1952fd80e308e0518a379efb48397a8c94985e60a90297a4338ede8cb66072be5cce52b09ae849f3f3e3fc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\04pqhkp3.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
289fe34efc33a536563082316f93cc8b

SHA1
ec6f29c59cb93b14ea80939658fae05807ea761b

SHA256
fb4b76cc326faa425260e5674e85842cc9d4a6f72dbe19430346523a02a3c668

SHA512
09bbf1d1b01222535689deb7b73b1325217efafd7e0261b2ba5e9a71d583dd4410e56f721899fe6ec8975b45f2d5da3473630b856f3ae9ecfbbc8c503da431c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
7d3d11283370585b060d50a12715851a

SHA1
3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3

SHA256
86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9

SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\prefs-1.js

Filesize
6KB

MD5
b50538662dd38505939478c286c93971

SHA1
d63d279108c252558ca9db7cf03d2b085b828a5f

SHA256
71428ce3bed98da1de499f8d4b78becd050b51066a03ec4606bd109a04b1deeb

SHA512
d0037fed95505e3b23511869cb6530b0e394d762260e1a37faa39b8967c025abb5476072e5dcf593722cdec7046af23f5e311ca873102932daff06c12cf38354

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
c5545178effa608e6ec53ea1fa8f8ea4

SHA1
201c5ab21c6ab29621ec89cb7a50879accd72551

SHA256
2443563db9708cbce6e27134a51a841db6f2e8a577f5635cd836836393af2548

SHA512
51c19758ab855d55763b72a6b4a192078db0cad334673a2dc669246830fad21460d930c250f727d74d8e2cad02890452d72de0598df40b9e3d65ac13444f3bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
993B

MD5
a8e1dd8c83d83537d2c73ded90c07578

SHA1
d0716cc9138336831df49646049aee0105fc66d3

SHA256
86de2b10b970b4e0870f6e9748258e6fb86976dcad463b02669706eecc5689ff

SHA512
5a2ddb91b2b6f12e9bbc0d55d5f8507e4b9a965da3a0ed3c570e0562fae4290baaac504261da44290bce9c1c55166661ec796c18b8a787530af37b466ccbdf27

Download Submit