f7a518625499f2be5eaa851982ec10adcc449ffad3854d81a4f1386c6c34df94

Analysis

max time kernel
164s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

opengl32.dll
Size

36.0MB
MD5

ca1aaaccc6f19ccd74a48eea51c03338
SHA1

c0ca48ab85406b6a98761a212c3e5fde92ada7ec
SHA256

d109ab0e8f7aa6f00992368b72c9a8aa0cf6d1b1563c3ab1caedbdba9c4476ba
SHA512

8bf7382fdc59649a1b44107d4289a8ea898f19c2addb3d5fc87a1c60baa667abac359d084829b552b391456613a0e3273a64d3d2464d780cc1d7d6ef5c204a31
SSDEEP

393216:LoT0RoCZueyqN9LB2xmcR+hcoPwdyzjpECaT0UMPbGLsXT4El/uRKgI9v/2OlJ/I:84vb0GmnI9NX0

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3484	rundll32.exe
3484	rundll32.exe
980	msedge.exe
980	msedge.exe
2460	msedge.exe
2460	msedge.exe
4724	msedge.exe
4724	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	firefox.exe
Token: SeDebugPrivilege	4532	firefox.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
4532	firefox.exe
2460	msedge.exe
4532	firefox.exe
4532	firefox.exe
4532	firefox.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
4532	firefox.exe
4532	firefox.exe
4532	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3484	rundll32.exe
4532	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 3064	1504	msedge.exe	111
PID 1504 wrote to memory of 3064	1504	msedge.exe	111
PID 2460 wrote to memory of 5000	2460	msedge.exe	113
PID 2460 wrote to memory of 5000	2460	msedge.exe	113
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 748	2460	msedge.exe	115
PID 2460 wrote to memory of 980	2460	msedge.exe	114
PID 2460 wrote to memory of 980	2460	msedge.exe	114
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116
PID 2460 wrote to memory of 2384	2460	msedge.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\opengl32.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8c20b46f8,0x7ff8c20b4708,0x7ff8c20b4718
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,6721112846120478682,18280555162138532334,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,6721112846120478682,18280555162138532334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c20b46f8,0x7ff8c20b4708,0x7ff8c20b4718
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,14311142155477812462,15238058779356670038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,14311142155477812462,15238058779356670038,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,14311142155477812462,15238058779356670038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14311142155477812462,15238058779356670038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14311142155477812462,15238058779356670038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14311142155477812462,15238058779356670038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14311142155477812462,15238058779356670038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14311142155477812462,15238058779356670038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:4848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.0.1706680138\296653611" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25b242a0-f5e4-4764-8bd0-741130b7bddb} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 1964 236a59db458 gpu
    3⤵
    PID:4812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.1.713462955\1027273162" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1f0ce97-4821-4180-8614-8ac3624652b6} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 2364 23698f6f558 socket
    3⤵
    PID:4616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.2.765408962\2093040366" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3064 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa6b9ea0-4520-4d04-9cf4-ce2c4022e7fb} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 3036 236a92a2358 tab
    3⤵
    PID:4568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.4.716753077\305179136" -childID 3 -isForBrowser -prefsHandle 3604 -prefMapHandle 3608 -prefsLen 20929 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b78b60f2-a02b-4bb0-88d1-902302d96c3a} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 3688 236a9533158 tab
    3⤵
    PID:5224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.3.161184456\56078152" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3408 -prefsLen 20929 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {652fe62e-64a1-4e1b-9d14-5dfa897d0004} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 3468 236a9535858 tab
    3⤵
    PID:5216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.5.891126343\1888270462" -childID 4 -isForBrowser -prefsHandle 3688 -prefMapHandle 3716 -prefsLen 20929 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76c57ea3-deff-45e2-bf06-6cb5d8fdbe59} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 3880 236a9532b58 tab
    3⤵
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.6.1410188694\1525972954" -childID 5 -isForBrowser -prefsHandle 4608 -prefMapHandle 4604 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8bc17ae-142e-4e2d-a67c-b7afcf0ae3f8} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 4620 23698f61358 tab
    3⤵
    PID:6032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.7.1528046160\191523836" -childID 6 -isForBrowser -prefsHandle 5092 -prefMapHandle 5088 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {683d70c4-dab0-4af9-a9a2-7dead1801154} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 5104 23698f69958 tab
    3⤵
    PID:5512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9d37870d-d854-4138-b23e-d13b75aa4b83.tmp

Filesize
2KB

MD5
61144a44f6f98a622d5ce65cf87eb6a5

SHA1
9beb4bf3c46cd95d0c8ad061b179acead5947daa

SHA256
63ff8905ea61f55d10b1259a8cfce0409197af937a3f4ad4da371d156cff409a

SHA512
d57d9d6f2e94edd79903799342ad4790ceffb5c6f787d5bebffce3a2b934a2cb5a615d7540302883cc9f468c9344921db370e7c0cfbee39a64c92cf96ad59a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0757254ebc89371bdd987e54e2c76889

SHA1
c102f5a36b29262ac366f40dffb2caede7589785

SHA256
3d3565746c471f202eadd13042fa8779443494ae29acdb81af4f499934fe3afe

SHA512
2622298ea69ead22ed119bd4c080dec9b2290b62ba325e31e6f212e9ee6114409c4c46eed6a020123e1d8d177641b6deeeea04c8e114486a4b599a32cb7bc694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
600892707d7fef19252af735c844df46

SHA1
49a9fdc4ff6e7dba0ffda173317b5be3b2205ad4

SHA256
e9d754d51ee5c63932a4b7f5487603ed30fe1bda80d742cbafc4397ae99dd2df

SHA512
a90bc0db772b8fad83f1d229d48d6c8646f2af40b21efc28fe607b3902080ebcb9089c061457ec8d7805f9a3d83d3c2ec3d16967bcf9bbcf23d43182606b3ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5d2c7b2dbc43696f1b96e93dc8093773

SHA1
4f0affefa7f7e2708cc2a02f6d48bb6f63a77a2b

SHA256
b6558e906348dede945178b0d5c4a26dbc8df8b925f109fea4a841c6e05c0780

SHA512
02e9092c8642f3cfd0457e0194a2e5018ee8440fa78a9c26f6ac90b04e6de4d691b7c99dfe0e98135c4b44b7829af0f94c9a2ceeeb956226b8923da0e08fc0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
77d8067f89e98acaf16b7bbffa3b661a

SHA1
bf5df56b2328ba24e00cc6eecb308361b6cf1065

SHA256
d571abcbcc5420f7d48ed888d8fb48f5d654662c2ccb0ebbd6bf3b707938599d

SHA512
6f337be97a34bb8ab45c6dbb376ea4d23090865f24d658f91dea6ab3bf1d733ae7c166df73061e8b21911349c6a90c1fe0301fdf7173cc736de68cea99a4dbba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d6022dc8-0ab8-47b2-a81a-dcf863761359.tmp

Filesize
6KB

MD5
d0216b6a8e2bc00c41a4163903b8801e

SHA1
b63d49f7ff60391f5073a2ac07cc1a834841d187

SHA256
aec58dccb489ef645077bc07432d5744af598c03f0322a3a82f4eb71cc24bbeb

SHA512
ba64a66595578174c2e57936a962b8dc4c11f67200b065274c5c26c017504916f3a2fd72eff8ed7dc03f6dee42362099ec8b20f685cffaefac561028639f1aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4e28217b8d1c77cf2f4fa71d69b7ad5e

SHA1
7b87f2f5c7ee9cafa24143f01de7217cad7d3e3e

SHA256
99891cc7fd2139958441a156b986ed6c01ceba257f7eb22ce7ea13c4ccca2913

SHA512
a60e0c5535796e59f75f6daee9f668b5959a8f08a784443318887887fafc9eae56425984d692a13d01157a3d7cb54c69e7154d1219bb58fee048f6a4e84c86a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
37390794132a957b776c932c11924755

SHA1
7abefc9c8a99f30e159ca05a72b6f25fa3907f23

SHA256
f1b0a9aee825f9dae4ca546c0e37b0e492e98f88fa4e07a0b991fe21bca19688

SHA512
65d8217fdb0edc11b385cd651bde2bf5f62aafb1cdba19ff3f391c032def782e63e3aa394698e8c866a37ad1a90a2d2124a182f376f8cf4085bfc8cad1373676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
fb9906f083d7a3ac1950724270507773

SHA1
b324f1c6b5adde74160f369dd18990a8efa73635

SHA256
1ca88187ec99c1a0c2d07920db1c05e03867d848634266800d9116aa2e488ddb

SHA512
c15d9526d2a77ae301dad1b586cdc96c25a7bc7e7b0e5360677506d4eb81f869ddc55825ae34246b7b2497dd5aa5f10525ccc014fe104413c2d27d50895ea2b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
3abf1c2cee2c912a3c97b599e42ecfa1

SHA1
b9e25a26288877d45c864b2233f5e390f9148556

SHA256
59aeb3a73166269950f3c86868178afdaf45b8cac97e5dc6208a0a5bbca0775b

SHA512
38004881d3ee133a0eea0316fe41adda42071143d86f522e8189437a5a9216be2753ff47fa1fb4101ebc93697d2104c2602b75e29bf39f66747d02ddee8f2907

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
6f1c9e204c3f9ce5f2eacadf3e728224

SHA1
4c5feb33b6ce77d8867a04a56bfc327c4fa0282d

SHA256
e188a6caa46670f24213764e0628c498e2ab4f7cf48bf0c7ce0cd0a728e84a09

SHA512
278dc7878ea276e9cfaa3120272c533e38f091505c71d1865ce8305668035e1f1031640f556a34bf8938bc455d9512517c99fda8317513bc48489c84fbdb3e12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\pending_pings\0613c945-f6a7-490a-a4cd-0b23baa03be6

Filesize
746B

MD5
8078ad2d3b14d0a8dc51317d42f7eef4

SHA1
145ef555b6f683837f91b0f5acea0ac684e713d0

SHA256
f196a0690ee29922fedb66d80476f4a1de3b48218724605293774ee331b99fa0

SHA512
ba4a47ae98c8132cbcc50fb5ee130b27ec9472fbd83479bb49ad11611009249a9ca9b62c6502de4808b21d8f11c4742dd77ce3076d4e3862fb52e812b54ac737

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\pending_pings\e44d2122-4dbc-44a0-95f7-add070623edf

Filesize
11KB

MD5
036eef5df918c539a6952cede1cb0a24

SHA1
15d533aed8a46997b23817f50773b392b8f980da

SHA256
412da25519a8c4274832da13587b66c048b36bf05cc5edb84a22f15838f79ba8

SHA512
b6159080296076c55ca4d7755d7bb9a4b0a9170182aaff0fb0f7df008f51b85c4ebfb70efd4a226ee1cb85e3abcad08981644df6b294757a5e02492f39a50e79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs-1.js

Filesize
6KB

MD5
977caf1be4c87c8336d3dcb7b7d35657

SHA1
7cd2a5da25c27a3a5f32c0b5bc61c743315d21ef

SHA256
a5f6a1bf2d27e2724d63266bc737a6c722f8705f16abada9cc7666b2ca014355

SHA512
bd7e60f651590fa30355af4e8ef10e74dcf240e9869f1d4feefe1b2ed741db3fe69aba6fc280256b228d208f60433d29af7568df253849fb6ac2c08ddc3db7b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
984B

MD5
3a2296ca3093dcfa576d8551b5c698d7

SHA1
6856f69120a32dbe6c21e43a9ecb42f63a73856c

SHA256
efa4b688aa9ce9b5b925a7ecbf56b16d42d8a18be45ad6eed43d2827421df4a2

SHA512
a5b04fb4edac7d6aa75a7c0a592f54e7320bf0764bcc41a04c8bef882a39f80266fb956a8b16e89dcfb92f786406a8edbf51f48e951d84fc25c600f8dc62bd22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore.jsonlz4

Filesize
893B

MD5
0492021e64c5cb3ab4d3001be90288e3

SHA1
0916dfa47ea1be4f0c47bf2165db84ed4050d03c

SHA256
dea6aeb363d46152176cf3fcaab1cfafeaaa843350967e27cf399a523d78c0b0

SHA512
9ca3752cabe0caf1358d5399259e325d02e755219dc622e9ab2db048791e03a180dc1d1ecbdd6f8f76ac744347b4e69193711899d187746b0f44befce900b1cc

Download Submit