hxxps://learn[.]radacad[.]com/event/power-bi-fabric-summit-2024-online-conference/

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 11:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://learn.radacad.com/event/power-bi-fabric-summit-2024-online-conference/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
2424	msedge.exe
2424	msedge.exe
2036	identity_helper.exe
2036	identity_helper.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	firefox.exe
Token: SeDebugPrivilege	372	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
372	firefox.exe
372	firefox.exe
372	firefox.exe
372	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
372	firefox.exe
372	firefox.exe
372	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
372	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3164	2424	msedge.exe	84
PID 2424 wrote to memory of 3164	2424	msedge.exe	84
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 3088	2424	msedge.exe	85
PID 2424 wrote to memory of 4944	2424	msedge.exe	86
PID 2424 wrote to memory of 4944	2424	msedge.exe	86
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87
PID 2424 wrote to memory of 3008	2424	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://learn.radacad.com/event/power-bi-fabric-summit-2024-online-conference/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe70f746f8,0x7ffe70f74708,0x7ffe70f74718
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6320598201309857505,3967913548305698608,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4224 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4724
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="372.0.1765603703\856669590" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d620465-23bb-40de-853b-a5ba744b8baf} 372 "\\.\pipe\gecko-crash-server-pipe.372" 1980 211855d0c58 gpu
    3⤵
    PID:4468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="372.1.985317881\2058758589" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dafafd6-fcb0-4ef1-9aff-f0730763100a} 372 "\\.\pipe\gecko-crash-server-pipe.372" 2380 211852fd558 socket
    3⤵
    PID:4016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="372.2.1343093506\810000180" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2976 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {880e3fad-8fbc-43b1-9c94-1e487c7f2d51} 372 "\\.\pipe\gecko-crash-server-pipe.372" 3064 2118555bd58 tab
    3⤵
    PID:1804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="372.3.1067597912\2045763832" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f37f6f1c-1f7e-4520-aeb8-63a903f090f0} 372 "\\.\pipe\gecko-crash-server-pipe.372" 3580 21187dfa858 tab
    3⤵
    PID:4756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="372.4.408325860\1405783639" -childID 3 -isForBrowser -prefsHandle 4040 -prefMapHandle 4360 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46cae71a-80de-453d-9de1-b071b52e568d} 372 "\\.\pipe\gecko-crash-server-pipe.372" 4456 2118a8e5358 tab
    3⤵
    PID:5188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="372.5.275214938\431316290" -childID 4 -isForBrowser -prefsHandle 5096 -prefMapHandle 5092 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d6c7430-43bd-44df-97a6-2cc6d197da60} 372 "\\.\pipe\gecko-crash-server-pipe.372" 5080 2118b6aab58 tab
    3⤵
    PID:5572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="372.6.1201064925\538803463" -childID 5 -isForBrowser -prefsHandle 5112 -prefMapHandle 5228 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89a3a67e-1280-4b57-b2c7-0422a11719b5} 372 "\\.\pipe\gecko-crash-server-pipe.372" 5308 2118b6ac658 tab
    3⤵
    PID:5616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="372.7.303371976\229349033" -childID 6 -isForBrowser -prefsHandle 5568 -prefMapHandle 5552 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae17d084-c9a9-436a-894d-1e115b55e8b0} 372 "\\.\pipe\gecko-crash-server-pipe.372" 5564 211852fc358 tab
    3⤵
    PID:5628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="372.8.1909356142\1750950978" -childID 7 -isForBrowser -prefsHandle 5924 -prefMapHandle 5916 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3f2c3b7-a70e-4f32-8a87-e2a6f5e0cd60} 372 "\\.\pipe\gecko-crash-server-pipe.372" 5932 2118ce43b58 tab
    3⤵
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bcaf436ee5fed204f08c14d7517436eb

SHA1
637817252f1e2ab00275cd5b5a285a22980295ff

SHA256
de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120

SHA512
7e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3b69476f-075e-4d4c-8051-9b17b3fcc39c.tmp

Filesize
5KB

MD5
72476066250975279bbef6cb63b2c75f

SHA1
3fe4358a8f81407cf9ff4b5f4a242a45522c2392

SHA256
3e8e6c37ec8d52f79e3d7399aa8f4821bb1f376b98baee8bc8525c0bfbabd733

SHA512
a00391e97356e9f753a142e09b443673190749339dc850576dd8cadf5d5a2424f468d2a0927e3fbfa4827ca3b3c9bd33b66ba63eb913e319257b610897a86f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
330B

MD5
a866db8f0ef9112e3ee1ddbbb5fd4bcf

SHA1
8b65898f75fd04eedcd8f9ecd834b4f5b06671b9

SHA256
85d326849e370360754a8a5fc9e158b58b507f3c71db67a0b2eb023d45bbef6f

SHA512
ada00a156e754099e75a6fb4072ff75d77a40c161ecf653daa197f09a29963b978e563eee81eec8169bdef960246739d553a9980f9914fd4c5704c9b59220cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
33f1918c0d21f9b41a4667f8fe4dc3c8

SHA1
06cae67369fedc60c89def2857399d1f26360db5

SHA256
fb558c306d07380f012320aedb0b2c7992dd5dd3035b85d649f7a07355600137

SHA512
0515e6d3cd1c24b39306234393e39f1edc57fc1ef0ee4f9cb11c57fc9fd47fe5915e680e0fabfdce614fd45f0631b41a2a85aea451e97e79d861228c0e4650cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b67d83e9d2bf229766748baeb743a5b4

SHA1
04313e7eaea489a92c1ecbdf7374307e46b6daa6

SHA256
561644d360cc2977914d06c47809de93f291f25b0751c0792226a54eb23dd46c

SHA512
f4c22abaf042b5e9e9be04f23781537b3eb69afd9f88f1133ecad94d773143a1741f9972a955421d0e87e41d08796673382b0569f8d2dea730e1db4516936a04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42cd2cd9289333016b8784135a089939

SHA1
fa8d8326b4cd4d7628a1f48491edd9166cb0a03f

SHA256
e0d8f7046cc7b2740841cc48c670eb3c87f39db71871a1842710345acc034993

SHA512
af5c6329bea246a2a82861b3fb26e9faead9b5ab35a98111c2d41c2025821b7640f4347079800d0096f16387562a09fe6cbdb44ecfb1d40c167b79fe64bfc3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dab03ad86e7cacd2bd2150b8e42cc155

SHA1
87a026f61450997cd74f59bcb323bb0518348ed0

SHA256
9db75ddc2424ef11643e5b4ae0a5370bed794d9bdf8e497ff539473ac0cb6622

SHA512
14edb339a0e1340a1f26b4533804b9034aee2b0ed43ce57e64fc900dcb31acbd53fb472f8e816be25c5aaa3e0c51ff41815b0bec7812dbc43fe79379a2df6bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d1a94e21df84b2848e6991bf41520172

SHA1
4fa610e03b1a8ae5baa7e46773d28c9b7307fa05

SHA256
1b6ab662245285b2f1d8122809669c9d99dcf6d4c13792a7f4c5cc99b8f5d9c4

SHA512
536a2be08a2ff8563c3da056922ea6f78d90b866f1a4a73a61f4ce391ddf1b1ed04a189ec805d33b1672685dc47ec4d72b648cf852c2f274ecc8a29eb5dc04c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b0ba6f0eee8f998b4d78bc4934f5fd17

SHA1
589653d624de363d3e8869c169441b143c1f39ad

SHA256
4b5ee509e727accbd11493dda2c1d512e7dbfaff66c4f5f7ea9c2d2ccd06151f

SHA512
e9a165da246c6b80fc38431538203cf03f95794184ff63f00c9500f8919a2028b803f64b670e685185eed72df0509e3185c9b434fdbf2bc7af36021d46bd08d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3206f4e6f95cf4917a8a4f8a4b69617c

SHA1
e5df0b484be34dd01200615003bae27d6afecfe8

SHA256
5b22a519d20dde59c3d200d0057568f8d14149377e5ff27a6a491fcc40bb0e93

SHA512
6ad6b9db09c6b98173281d64c442d675cb3feb2e1bc5b0c0872d6610af6688f1947beba2f033c7eff14e31d0c981279a19fc41d6a54fc03f2c1099e24ae84db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
03fb22682b1e0859aed65f97fdc7b6ce

SHA1
86fe7cad45006bb6bb1a4f717d583f28d89504af

SHA256
98d2d5bb62b48ee6d96bc5293df24bca5c772eb92bb5587424d295968abcde3d

SHA512
a352f4d152a873979c07a5731d3e14feaf390fa26ded6954038903f85f6929b013199c9bbb11a9eaaa11a188d2ca9591e85b77e8b1183691942faa46211b295c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d9fe1ceacebee795473d29329398c430

SHA1
b996006967eb8a6d56727d245f10cc06a77555e7

SHA256
c742ca874535119a950664009e89812bcb03505b2487cfd915307913512289aa

SHA512
0efbb07bb4d9acfb634e8d8a2d9eb576434c07e69ad32c1061ad1834a932be914a8bef716daef225b8f7b46e9dfb827c759403a30cbd6a987120005137b06faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
00996d8d4bdd6c9e3fd9af0469180b15

SHA1
261b6f8ccc72c02d29f9d58cd69ca2b38cac75d6

SHA256
c015b84e70646c5c290b17648ea947aa2431e6aa17a867c9f6d4b789262ec9dd

SHA512
c095e0bb60825415c4b8a0ef6994731b987356f1899f3785c12df670cc283e8ef4c893574b376608dc2e4a6e174d8862ea2e54b4c746a107d711d53a293d189c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\datareporting\glean\pending_pings\873190c3-3788-4a3d-8bce-1ddbe58e6af3

Filesize
11KB

MD5
d8e57375791e09cc9dc1b7960c8d4d9b

SHA1
039bae530049a4365665b00ef3b10f8d5525fea4

SHA256
a94396e84593bb7897c6be64d9ff954e370a8801a518a470b15069e9f66796bb

SHA512
b3797b350fc97f30d67887c9aec9d6d0728ac34b7e9ca23b973ebc55e90b1ea28e25ffe9f7c0eb6be61e41a0ca9e51627ab306ad7ce653055db786e8349961ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\datareporting\glean\pending_pings\b394352b-1a13-47ca-bef6-9df08c925d70

Filesize
746B

MD5
ba58a12355d0d53ed18a3ce373834763

SHA1
89ad414bf99f7e9ba4a005565e33190ef5cde22f

SHA256
87486bcb490c1e2642a09843ad153bd510734d9c5ac6edd970373cdae95456e6

SHA512
2ede5f3e956d13257055a869038747ea9aa3a9da68cfd84b77975948451f87c9de34ef3617ae5f1937494a9578e1efe761fdeaa68af89874377987591ed775bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\prefs-1.js

Filesize
6KB

MD5
8fb1ac39bfdb1b79ec0c56035730bb62

SHA1
c13e3f0127190bd2e898031f1b4abc79ddca884f

SHA256
17983f8ef2f3508af249e126eeaaa9933ca336efac997185f44dac173d56c13c

SHA512
fdd3675bc1d3e2e8648c25639aa74c3bc79262459dc578e02b1f162b6d344ed820e0f24392785bd5d58f9109f890b8479b385605060999a49e37bfcda5a9a11c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\prefs-1.js

Filesize
7KB

MD5
fa6f3aebe9d58d2e43e74c45f5445be2

SHA1
80bd82335a4926bafbf09c85e7cda31b5a6502bb

SHA256
12e4b5f86c5af16fecae1bc59de08cf6259e70c5df56823024afd20b9870bb67

SHA512
96d8f713cf36c40e127d5afb3c3b38cdff0110fdb76056e3bbba3dfcc736fa978b83bedaab6c9e856eab85eb38659005daedb93dad76580278df7247c97c57fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\prefs.js

Filesize
6KB

MD5
6cfa332fa531647151512beb0294ad76

SHA1
1520f14d0eeea0f60f511b6387679aa984a03f93

SHA256
4ddaf5c72623486d992b8fd06e41baa852dcfdaf229705dea42fcc70aceeb275

SHA512
eb4385cd76eca5c16a5cba956710143454c5f0c62d52ed04bd8a9c92e33b52ba7bbd82b4027e462998b446ba28f8df3206e1f108dfd40688ae0024093407f5fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\prefs.js

Filesize
6KB

MD5
c3ee0b80b0a2cfa5ce2cadacee8365a3

SHA1
b16d6547464c65d21b78a9742c0448badb64e7ad

SHA256
1f68c6c91f19f583375b19e744970b2a03b20918f672069a1473470e64f51d25

SHA512
a9a3700c62904c6e6cd84ec952df87fe342a122e5d7ca12854fe8de93a8cf695c3377304b68c72a358bb27d0427722174e4603f0c17b81d61d905358ec8d6f73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\prefs.js

Filesize
6KB

MD5
d2653e0ce63eca4109dbd8df023f1cd8

SHA1
ba352678497f8806dba8fa95ff3c744d9d19a961

SHA256
bb95d1b06e9c3d99ec7f5e8194724864aad8b2a2a58add4eed1e98ece69da6b7

SHA512
5573f463953e1ed7830b309a113a5ac1c8b87afa7b5107554d0f91597249ba3312b661749bc57b0c0aa2779e1918614a3d8b95e807d6a64878b08f629896797b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7f581eb2703091f36f38a4db003c402e

SHA1
7f39910b51ac84b8953f2e9a0ae04469ba416032

SHA256
f6c81b9cf23c2f607e222f9829bf0e4379b1f1825880e9b0577c2f2718e480bb

SHA512
85094cdcb4cd855ab5ad515e2c75556b76dd23bdac00b585e0009009c8f96df9ba6afba012a0a9a53a6227f5e4184bd7dd2fd661ccc8355a63d72c76abc98835

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e01316fd1915915d1afb37419000f682

SHA1
cfffe7fe25ebb6336988f5a5d3c4e49a0ef28cc6

SHA256
0f84d3f9404183590ecc2aeee13f01d57a8aa9807a15bf6ce6c5efe3f74e7fa3

SHA512
6f38fc7cbeba8e8b11719120e24bead1f490c59257afb23168c6c54bd88560a03753548de162fc4699599264e85c4cc2e50197edc04f4d06a30242c37a4f6775

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g5azq69j.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
05aa67062b76df84a8dd06a7325e34f8

SHA1
9ab66925429d87369d4abf4a3d24631d312781db

SHA256
92aa9e9171ff2261d82190581e447e32a86bae9ea799dc1146d89356d6bedd36

SHA512
ac16fb7f613b614a70b5dd01e8fa2a2feff3c53753acc2f869f4677527ab6d39acf1ee2d851b433a8d86036789b197be80eb2dc2d681fae63ccd0be93024f282

Download Submit