4a070bbd0d4f84a8b85e084dfccaa0297d483879031ce6d700d20d4fed100934

Analysis

max time kernel
86s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
03/01/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

113HiXIRO5J6t-cg42Cd6vyO2nrKL3GGO.html
Size

506KB
MD5

47f70d73c698b6218ca9ddd18669882e
SHA1

14288f54481ed7eb063f8b5f57608d848785af3d
SHA256

4a070bbd0d4f84a8b85e084dfccaa0297d483879031ce6d700d20d4fed100934
SHA512

6408a8833a5eebf69f268a1254dd3d9372b66dcff895364e8879ba023ce639237f53dbd6206c8310fe9d2d532ddec62cf44e3135b3578d42b6867f05ce56317c
SSDEEP

3072:p9nrcC5uZhY+d9Iblg4LZBpnAQ8Fl9i/JmvxFfDb5dwPtrMlSH19m25F3P7BWycS:z4GuZhcbl9pR82H19m25jW7jJjUjvjKs

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1380	msedge.exe
1380	msedge.exe
2972	msedge.exe
2972	msedge.exe
2180	msedge.exe
2180	msedge.exe
3196	identity_helper.exe
3196	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	4680	firefox.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4680	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1556	1380	msedge.exe	84
PID 1380 wrote to memory of 1556	1380	msedge.exe	84
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 4468	1380	msedge.exe	85
PID 1380 wrote to memory of 2972	1380	msedge.exe	87
PID 1380 wrote to memory of 2972	1380	msedge.exe	87
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86
PID 1380 wrote to memory of 908	1380	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\113HiXIRO5J6t-cg42Cd6vyO2nrKL3GGO.html
1⤵
- Modifies Internet Explorer settings
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa88273cb8,0x7ffa88273cc8,0x7ffa88273cd8
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14077738076465082798,5943090883009279483,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1100
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.0.162709240\689190757" -parentBuildID 20221007134813 -prefsHandle 1776 -prefMapHandle 1756 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83aed1bf-a922-4a33-946a-15e9157014ac} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 1856 1f502ff1e58 gpu
    3⤵
    PID:4320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.1.353809495\348423550" -parentBuildID 20221007134813 -prefsHandle 2220 -prefMapHandle 2216 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cb20147-721e-48b2-af2c-eafe8075d70d} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 2232 1f502b40858 socket
    3⤵
    - Checks processor information in registry
    PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.2.339179231\1049120167" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f0604d2-efae-4bb1-8f3d-f4387ea10c30} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 2956 1f502f61a58 tab
    3⤵
    PID:3924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.3.861747418\983336664" -childID 2 -isForBrowser -prefsHandle 1020 -prefMapHandle 3488 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e03b9684-0633-4ce5-99ba-cc162622268d} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 3496 1f5087db458 tab
    3⤵
    PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.4.760099947\1829316271" -childID 3 -isForBrowser -prefsHandle 4144 -prefMapHandle 4132 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42da7954-034d-4a51-a854-81912d7cec86} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 4156 1f5087ddb58 tab
    3⤵
    PID:3040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.7.1305337425\1089240034" -childID 6 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f194632-0bde-48e8-b3a6-85a92bcd4d43} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5368 1f50a4f5358 tab
    3⤵
    PID:5540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.6.192708816\485591925" -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47e9d28b-3296-4c4d-b843-d7f7d3ac6e18} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5176 1f50a4f4a58 tab
    3⤵
    PID:5532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.5.1806798155\323315928" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 5084 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76a560fa-2fff-4457-882a-36d95ea86e58} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5064 1f50a4f3e58 tab
    3⤵
    PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dbe72a1f5827efc08f70d06ef815d46

SHA1
6aacd61519fce53ecb92e5e61207a6c29c01f47b

SHA256
dd673404dd6deb2d2b331316370fd05e47c01b9dc489640f05b50898d536a6e3

SHA512
2e6115ca818df5f5b7985caf3ce2324e266b376f6180f84b44e9ae725e037a8456c2cd63e22b9750e2ba27f4c7460dfa429ce9910517a728b056e5f1e730e25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
73dd13c8b8a9012cbb62fdd73aff5092

SHA1
56755dbb4e864e2ad76dd1cb7eda45f62f67c1a9

SHA256
f2b3d4e5eb2078ef637b4b3d44e34b963178361f9ea8a0bd542c5eb183be166e

SHA512
c75c8de373ad3355d76b9cc0a9f453466122fbc041f8d52e286ca5a1f1ccbca5913b7c9f2b879bf8be8cc9f0d6ef50c4fb6918bbde98f5223b4929efccf5b5dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
92997e2496e81bc22fe6f206e5ea1cae

SHA1
01d2e243401687e51e9f1d12b7f9479e066a858a

SHA256
7076322ea5a0a579c3bc18bd6d083a47388160d7523522d03d855f500a3e4b2a

SHA512
39244953033231fac28759ac7dc1db8030e814d601e488b5ea4260a534ed2d21ac42bb3e8cc4e2f8c534aaceb64a120570b7d8cb5715ba7d04dbc765787b9ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7eb7dda624b275f74237822e8bedec48

SHA1
56718906aea1920e9db2708603f697a501c4e0da

SHA256
94a1e7f453b5abd18b77a570d2cc7b6296f9d725e96e41b7b7bb1fcce72fada4

SHA512
a89ac0337217e8bcd00148ba1fa9f98703abd46a203230087cc48fd56d478bfc93f2fb0854485801777d2de9d3456e7431b47b988cd30c6ee46f9c9d17a43d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0c0ec9b9925332806e2b880358c9751b

SHA1
fc3d7442479ba575c7e00c59b46a0db4fd4f6096

SHA256
70ba23ed68c588ac1f16295c5a8c74296b256ca742174a3c0d2a0d8711aa210d

SHA512
1df0d23847b45dae2dd03677ddf14f9aabf5305a1d7211a3423e22fe64c993026cefab7603dbeeffae2af6136130caf28647517fa5616fbef70d390a5bc76e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
05b6b1be00f40417bfc0d58d483c5638

SHA1
797f5694969e5cb92180bdecdbbb9a0782bd5cd6

SHA256
923b3b278aadce0e0b9ea7dde4878afeea36a79d8d472d2b1432d53121fc951a

SHA512
bae64b7dec7885116db45d7ec773ab6f5fe1b0bda7a58dee106e9a364d1ae796eeb96bd345f8c69405aef87c62b6c1c0f8975a9e99eccc568257bb29f4582018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4efa9e2a78e78cf3be64f8bd91c33673

SHA1
c3310ebbf330a4c672e655d3ba4f9f22be87cecc

SHA256
8e9c624d989041ddd49cac20a3d4a10441b6bcfcd4122faf7a9f964a43f3bac0

SHA512
0e72fea72d20b55b6f78b017eb56c3157b7bddddaa80193da7df0a32f837e96d2f5e8ba4e48e7863c8c178cab1733fb17fa3b3f3f16c4c7da6c697fad5b3de50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
e5477be1e6c4cc9f570c69a84dd4f681

SHA1
fdcbdc83ccfef1c270b927c6815e641f6d96a132

SHA256
f06ab204d1d24ecd2d13e473bf807a8fc65ed09114a227966b4a308bd7eaa531

SHA512
24eb3338f0a7be6df183c5d5f22831bed07ce0779dcc124e805364a128a08f571160a6809556cd1de323c9d3cc64299855978967c8693b8324cd9bb22f5ffe14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
852a96f002b25b3347ed4c2332034967

SHA1
c10c24b04a061b4d4faad6ae7e20f4237e0da464

SHA256
57c4f58afdb4b60e359ea2d1ced10b31bc57e9c8173f011f8d13d8c076d18334

SHA512
69eba1d56f5607a28851fa96eb534cac0076d4a77c97122c7c8cc9132909125131a844e5bc82e8597ac4668c6fd7cf3af6277192d756eda47ded4a8fae54db23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6abc82e1a485fbfd153fc47ed48343b1

SHA1
b44d3bf82e8ba06dbfe343071bb1a02e9121c450

SHA256
52db418a1dc79d5d3553a498c4391d3f2f244f85dd0e4bfb234d55d7721d3b4f

SHA512
28449a682deb71180db866501f2d2572af2b4dcf464944dedb98c358aec499946a50d357fac976ea637d44d820f73f838b897ab034b2775682cbd74bc14052d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
79447a86f2c9f4f4bfc84fc0c9cb8f33

SHA1
1175ac9147e49bd1dd0ae64fe60f9bdcfb3d6068

SHA256
3ac5d20814a8ea683e5d6fd9067917cdb0df0a5393b8be18fc6a0d8d392d3b22

SHA512
269c002653de889111a3b3615822b5db5a86a511422673d4c40ab545d632aa69d056cbab92807cbc435f1e6a9a5b1c47a4b33a3ef1f34b15be16ac153e0af79a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e2f58d2aeeadff736fd2e1a9d350e4d

SHA1
eb583fdc944554a85eb312d006af2b1e4d9ffa81

SHA256
128022cc122e70a3eae5441d3395c833f300525781ddd1ea543cfecc3c5ff952

SHA512
8bed08f53f1d63de02eb4444d545c2f6ae896259f9f254d1ed1f6fb3fd389bc6d2fd451e107266e96afa21592e11043cbb4424ff604338d15cd8ff9b26f431ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\datareporting\glean\db\data.safe.bin

Filesize
8KB

MD5
0a93873cb1dde3654903b105b3ef125c

SHA1
498dd5a74da13c85862fa01cb8c41358d87d07a1

SHA256
756ff050f49e1a4ce8c3a34f1f2766d12b7aacd91cec03c0299aa3d22371a01c

SHA512
ae21c89778a8646bce2c6c89b2fbb2e2dc52f2752a755223cc6472252b4d374644006c44ffaaf12107f6b32cc8517a20b2b56ae34f3f102fce77e04f61610a79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\datareporting\glean\pending_pings\c62a681b-15cd-4b75-839b-db7f0347d27a

Filesize
734B

MD5
8ab6dea6a7c1fac36d6157566573f3b5

SHA1
c555c0b198387a4b576235bb75e275437a35fddf

SHA256
af69d717cec6f3a9cb36ba2b0f0b8f9a21062f50a5202a1372d0a32fc86c805e

SHA512
d13b7e40531816fc586f8ac46604ab626077e6c70150e04936668d54773960551252ef7149e66917511af194f9ea60416513d8a68a90e2c3b314f6db2de3cbd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\prefs-1.js

Filesize
6KB

MD5
1060a0878761b25c7b7491b9bc6f974e

SHA1
31b534de0d7349edfa394c572f70cc054b314113

SHA256
aca1167eda1ae6654d718764cf377445658e3fc25f920134b80a27a134b2dbfb

SHA512
d519fdaf44e372f8b4ba477e236badeb49f34149faf64c3a63a38887f59531216678b43016e1d622981a4c6d39a34194ab5bdc89f2d5e81ec8838911928fc8bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\sessionstore.jsonlz4

Filesize
901B

MD5
b3f01520749a17c7c7ccfab87af0eaa3

SHA1
3557a66a171a75975e1303ea73287c55b00b91a3

SHA256
692de0c4f9171e6d2fff1a51e356c056704724a54fbbc14d181cbecd5633cd3c

SHA512
0b12e0c19f02767e322ac4ba58c509823ac08d38a178c98e535a0d6f44e33675c1272268acb8f63b3974dfa2d6140ac4a4e5afbfcc093355c803427948cf730e

Download Submit