f8683d2f46375cb732e300154b1a68cfcb728a1fe496ff01ac646275e7e69016

Analysis

max time kernel
232s
max time network
234s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

post-8774.html
Size

271KB
MD5

2292447bec151f05728370a1f2e33ddf
SHA1

9a5fd456314186e3b8bb763791fe45c64db5e2ff
SHA256

f8683d2f46375cb732e300154b1a68cfcb728a1fe496ff01ac646275e7e69016
SHA512

58c3f96b8ed5450dbbc28b036bb82b830acc1f937c6756e933cbe9c9c1505533b0035f6eedc45fec8c4975028a12b032276c48e14b120330362156d8c2069de0
SSDEEP

6144:zVs2u5SO1+UQ3Zo/0kPZQQrpmadlAZ6lpaZY++O/2:zVs2u5SO1+UQ3Zo/0kPZdrpmaflpd++1

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
324	msedge.exe
324	msedge.exe
4080	msedge.exe
4080	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
5288	identity_helper.exe
5288	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3540	svchost.exe
Token: SeDebugPrivilege	3516	firefox.exe
Token: SeDebugPrivilege	3516	firefox.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3516	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4580	4080	msedge.exe	84
PID 4080 wrote to memory of 4580	4080	msedge.exe	84
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 812	4080	msedge.exe	85
PID 4080 wrote to memory of 324	4080	msedge.exe	86
PID 4080 wrote to memory of 324	4080	msedge.exe	86
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87
PID 4080 wrote to memory of 4516	4080	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\post-8774.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac9a946f8,0x7ffac9a94708,0x7ffac9a94718
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4672 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3842587285952117118,7580017730346825850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:5784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2752
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.0.753837701\1109592409" -parentBuildID 20221007134813 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2379b8c9-cc29-4308-b3ed-c26dc747d8ca} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 2004 144962d9558 gpu
    3⤵
    PID:2980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.1.12905020\1641834428" -parentBuildID 20221007134813 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67e7a4f4-9b03-4bbf-b554-3bd45185d734} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 2412 1448986f558 socket
    3⤵
    - Checks processor information in registry
    PID:3264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.2.322728509\1840473805" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 3136 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e545846-3463-4975-b9e4-8294e770477b} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 3000 1449a1ae258 tab
    3⤵
    PID:1116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.3.1342895613\818593975" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfb02b3f-f10c-4636-8a41-0c47d89a76dd} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 3600 14489871c58 tab
    3⤵
    PID:3380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.4.1484638382\1791516090" -childID 3 -isForBrowser -prefsHandle 4368 -prefMapHandle 4360 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93fe104b-d583-43a3-8896-e452b3179284} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 4376 1449b41da58 tab
    3⤵
    PID:5344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.5.225742703\725165855" -childID 4 -isForBrowser -prefsHandle 5136 -prefMapHandle 5124 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {453dba3f-ba81-4268-a12b-0b593281c8d6} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 5148 1449a162458 tab
    3⤵
    PID:5756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.7.109216230\186587803" -childID 6 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd1abab1-03bf-40a2-bbc0-3f92a2f69090} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 5560 1449a161b58 tab
    3⤵
    PID:5772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.6.1660308829\324561101" -childID 5 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faa350cc-a005-4a9f-bfec-214ab70d0c17} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 5280 1449a161858 tab
    3⤵
    PID:5764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
7b6e41930147451360de3fbf561021de

SHA1
e32fac5d2cb206989979416d2601ec0deb3fabb0

SHA256
cf0dbb6f08bca5728fc2a7050a0948a86a652efa7e8f17b1e1b379ad2f600f05

SHA512
cf9623d7f9edf5571e2be10c338499760d392b471df0828f6894aceeda9abe62d46d9ce4e261a8975d29634334af8e47a436f5bc8bf571f589bbf4ea072df65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fa070c9c9ab8d902ee4f3342d217275f

SHA1
ac69818312a7eba53586295c5b04eefeb5c73903

SHA256
245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7

SHA512
df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8ed2ee68-6a82-43c0-8ae0-9bb7f27a2dc7.tmp

Filesize
24KB

MD5
917dedf44ae3675e549e7b7ffc2c8ccd

SHA1
b7604eb16f0366e698943afbcf0c070d197271c0

SHA256
9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37

SHA512
9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks~RFe5a2be4.TMP

Filesize
1KB

MD5
c52a086e4bdd22875111cd1f6007b887

SHA1
123c358285caa5867a7bca699b9f9d16df33415e

SHA256
f09240379fb3db1b2047dfc17d520a90c6265816c30171730a72ee64f18c868e

SHA512
4c481adc5ffbf4f2eb13e50aa8dba02d72185dbc752765998ecbad446fe6f0e03b9a954cf51d3a37cd46139fe017461c752295648fe99d207ad5ccd9e56e2edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
46661309254df6699c1080e0ccf5f79e

SHA1
32ae6f84d10bd3c52224708452b5669160088eb7

SHA256
7b8c5cf93335235979b254981283660527a5b3dd1e36526aad9a2b0545d388e0

SHA512
1942fb8ad35b987d7256ff2250212aa5caeefbe34bfc839fef526b87ee70b032c79546660db6ca91a053c06aa75d831aa8543c10bb7a557cbdb23b2b238dab8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
6bd83c52eaee792afdba4fe345914589

SHA1
dcdd5290812ed13f6e9ae2f1e8b8f4cafda6c92d

SHA256
c332e2e27031e4f2bbef9e1b64c1bbfac1afbb0aeadeedddf91e223ec81bee1c

SHA512
4ebd0ccb06d12f52b03bf05d2081e12d7d9acf2dff767215d4ae1c71d722a64e6e8eef381ed8099a77350c78379fd0b2bcac378322697caca0645b8110989d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
483B

MD5
4eb45908133ed9e29a0755dfcc9ee43a

SHA1
fe7aacb75e73539453bd439ae2152e15a4cc2174

SHA256
0e99b2f45ab60f9ac516a7bc8352144c456f166fdba0b7b99b8fd62a6d3ac9ad

SHA512
c0b929805ea4bc5b9d66687f6a2da1b8c049725d967f025d1f473f661babe37fbec7ea1aca60eea0fb75ddb3b50805041c680e753865ad3adbf6e29bd69d7228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e495a0d327ca146631340e99cabe91bf

SHA1
75edef012cf6e3c43f64c269de7b91c9b1028efb

SHA256
1e68008e1156c35752fb26a5c4a4515b0e008e42e97738c4d43f4170f06afcd0

SHA512
b641376129ebf2bbd9ddc508955880df8704416a1d495d19ace6abc7ef1c7ff562e51e16d0e80dee9fa95682a95fabcbf2e2aac6a1a203f943846a0c4bd40941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
085e78f378a4869b0a3e54390178896a

SHA1
79a26166df5445dbb1b1cba9c9a5858f1e64ba41

SHA256
6650e88a81502d2d664ef44e03779e1571856df18eec018ba4e73bfcfcea1fb5

SHA512
97f993c7b6c47c5178aca1c3adc34623df3379905d58a0b302f27142bca77598498a97f7902fa6badeb54bd69d74aed3e989ef7f7329b356a6a62f265abff155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
21c54f19d1c8bf9e082c18241e29d61a

SHA1
4c42fe78249d57577ddbc89ac6ace8da19f2d3f1

SHA256
5a718e673cbbf6435d7d1f6132601c6bda1582fb51ce0b9007bf317b5cdb5c13

SHA512
008ed563d310577752fee5cb5494a1defda1e9c58eac8ab3c01e7331ee94751bee3989f9ff485403b452bbd3a5bc09682d250db2b013fe649d5eef0add46bb3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
540B

MD5
643109a550cb66a3e84f7c414c3b280d

SHA1
1d54a5f337e7be036c5f8b8bf5e20b3c66e03554

SHA256
3decf62f0dc33efaaa54d6e813b558823a48bfae58e2e0f24d775f1c37f2ec6e

SHA512
330c797fe8c5da48031e934563f9c83727fe41616111d7d27c0501f90c79aa5d63bfaa19bd1e07aa97f58bdc4746e01e8ef5b13aadcd7160f83f7468780bdc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b10b.TMP

Filesize
204B

MD5
9ce57747d533027eea017b2a793ef0e5

SHA1
9ccc4546c999fbb4fcf5a77e8b90981bb219dd36

SHA256
b96c2ae5e285830922d2cac7274edb3784904ddfaf45d90a09c424a9f01b34f9

SHA512
0a8c900eea9cf44e8fffe40f4f9c0faf78e8b5a20a821150e3b0113d36efa30cfd4d2d83932aa8024af0987f2a71597568fcc843f7f0c5249a2680964986bb5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dec2a0c9-8ddd-4400-af74-827cd9c55875.tmp

Filesize
1KB

MD5
a1eebc9ed7e693bd57a60add93848167

SHA1
7b5cf1c7f0ccba5e7ee435f620af302a5731f29c

SHA256
a25ca865527e50a1c4405dcac5abde5a5a87bdc9e820c460fbb99be4397e1ac3

SHA512
e56d7c7a5831fd1accc8fe83803ebc78cd1397db6996343113c9b6dfc84d6a0f65e7ad4bb86b1a1f189ccd3041c8834ff917e93314ac3c4b16f845c4a945da12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
da70b60efe3cb83c4f765e055d8749d6

SHA1
14f8188b380eb1f38cb15e82e2fefa407adff68a

SHA256
8be0a846a47ccce7bda92aee2a156679c311ed96099c7d04e6fec51c3e1ce446

SHA512
59ac7057caff260b918a6c1285acda87a7269a449df6016f8b19fd574eed1397660afc1af6244fa1e4e3962e5bf3a4cf2a34b0bd5caa0dbda86c5705bf019a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5277800c563b2abff629f6eed940cf7f

SHA1
7aeca126a199c6e7845f199edcca84f5dd39ab5c

SHA256
95fb13f8418662540878a12721a71f81a3f04cc46808045f62019e9326425912

SHA512
713b130b066cb55b483443930e8f1d0bf4c8352ffa56cf30f626abe59198f716587b6858f8ddf189908258672ec5143a066dea874328c73ba1760c7234684e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
66470562e0429aa75c52405740b3a4d7

SHA1
dfca63feecaf621d0d6c412f4e0e698e518f0ca3

SHA256
511c4a0e3254d30054ec60745568e2c1ae26bc84789695ccacb3cd2c7def199e

SHA512
5981f1d534e8ca695cc533757b12e376a79d75d7604febf26d1ba26c611ce7160e64f4e3d44baa2d2f72aa827032d10dc7cf639b19e376ce40c92c286aa88c64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
3ff5088b0fe12696dd77951ce3fe05e3

SHA1
a4ba422265be4ffbed2db11734aac346f1435d95

SHA256
d039b9b2f9bd766c65fa49db21d914a1c3c2e2c1225d712a2c64e13bda300870

SHA512
fb033d21fe3ee84a3ce8edb65ff281033a71bcadb1d9b2aba310fe37ba414e34e5e501d63229e264f79438ccb409a4e4dbd01eda3e439293b3f5c4086d44f001

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\pending_pings\5cd62472-1000-4b14-8766-447cbb9de6b4

Filesize
11KB

MD5
167b33b7f544f4b3255e96630bcf3098

SHA1
362652ccaedc70218c443eca3c181b3004d72ce0

SHA256
0a488295041d5e54949efdbd4bf1eafbc292f3bd54fc6465effd0f5b5caf1996

SHA512
b814d6deb8477bfb48806b82fd20b1a2e0ec5dc498098d37c6989066e5787ddebb390bf2038ac8efe67fa848d91832c01ffe39eafac8bc41237673d2b67a29f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\pending_pings\66a1c92d-8edb-4c01-bbfa-517d0c2f7418

Filesize
746B

MD5
9d32d2af56d3d439ac5073f429df65a8

SHA1
7bcb0c723bdbe1cecafa909d585a6e71b31b0b31

SHA256
3a5a37a88aa69217a5f1676a8e9dc0c35e49bd67611893faae34bcb8ba26d424

SHA512
9abd4e002b75932b9835736cfe8207359397000c5e8d8e6bbae2eb66309017016f4a2a1d148633976b6cb28868a64958939624c45850acadae61586b3074fef2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\prefs-1.js

Filesize
6KB

MD5
d6c4aeac9fc6869512c479e143b62d59

SHA1
9bb1a8dbd4cec477c142cac1fab45fe2a4961387

SHA256
eeed2bab17e1816c9679de39e82e9c46815be767383a502cb681170c4732d8ad

SHA512
0aa614120826863e95f7a934d1c6c3b81644221bf89e79a117df647bf692060aae2c8f1a2189147b2c763e765c5bf0b9f2a6b09a69f8e100ecbb5b048164c5b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\sessionstore.jsonlz4

Filesize
884B

MD5
0dd8f60465b0a6a329fd861372cdba92

SHA1
31a43cda7060e74d784d433d0c3a9526e5a00af0

SHA256
8135cd8fc4fb216b4de04020158986389287e87ff94a11bcd742532e503fe49a

SHA512
8846be289f1a8bd60be7ff89843a5b0f3932334e1b267ce7a42c27d5822a81a1c10ecd6c7b19ea266d99a28a1af4cad92f8ce126d1150fb67ca340e080a944db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
c7d68ab7381a0e06d8428c47b6a7abd7

SHA1
22b2c3f77830f7dbc19a5106b8a400512f6d7f34

SHA256
7eff8f28c9937842c52b02de166c91abb6347548313394838f8cba51092fc627

SHA512
97aeed813b41cf5bf2d4883c01188d300c1373f8a2eb1810262f19ced633e89542a5a7cab6be81f0541a19a4617d8f3c6a11167403b6513669d6292e9decbcd9

Download Submit
memory/3540-106-0x00000252FF010000-0x00000252FF011000-memory.dmp

Filesize
4KB

Download
memory/3540-135-0x00000252FDD70000-0x00000252FDD71000-memory.dmp

Filesize
4KB

Download
memory/3540-137-0x00000252FDD80000-0x00000252FDD81000-memory.dmp

Filesize
4KB

Download
memory/3540-138-0x00000252FDD80000-0x00000252FDD81000-memory.dmp

Filesize
4KB

Download
memory/3540-139-0x00000252FDE90000-0x00000252FDE91000-memory.dmp

Filesize
4KB

Download
memory/3540-140-0x00000252FDEB0000-0x00000252FDEB1000-memory.dmp

Filesize
4KB

Download
memory/3540-141-0x00000252FDEA0000-0x00000252FDEA1000-memory.dmp

Filesize
4KB

Download
memory/3540-123-0x00000252FDB70000-0x00000252FDB71000-memory.dmp

Filesize
4KB

Download
memory/3540-120-0x00000252FDC30000-0x00000252FDC31000-memory.dmp

Filesize
4KB

Download
memory/3540-117-0x00000252FDC40000-0x00000252FDC41000-memory.dmp

Filesize
4KB

Download
memory/3540-115-0x00000252FDC30000-0x00000252FDC31000-memory.dmp

Filesize
4KB

Download
memory/3540-114-0x00000252FDC40000-0x00000252FDC41000-memory.dmp

Filesize
4KB

Download
memory/3540-113-0x00000252FF010000-0x00000252FF011000-memory.dmp

Filesize
4KB

Download
memory/3540-112-0x00000252FF010000-0x00000252FF011000-memory.dmp

Filesize
4KB

Download
memory/3540-111-0x00000252FF010000-0x00000252FF011000-memory.dmp

Filesize
4KB

Download
memory/3540-110-0x00000252FF010000-0x00000252FF011000-memory.dmp

Filesize
4KB

Download
memory/3540-109-0x00000252FF010000-0x00000252FF011000-memory.dmp

Filesize
4KB

Download
memory/3540-108-0x00000252FF010000-0x00000252FF011000-memory.dmp

Filesize
4KB

Download
memory/3540-107-0x00000252FF010000-0x00000252FF011000-memory.dmp

Filesize
4KB

Download
memory/3540-105-0x00000252FF010000-0x00000252FF011000-memory.dmp

Filesize
4KB

Download
memory/3540-104-0x00000252FF010000-0x00000252FF011000-memory.dmp

Filesize
4KB

Download
memory/3540-103-0x00000252FDFF0000-0x00000252FDFF1000-memory.dmp

Filesize
4KB

Download
memory/3540-87-0x00000252FDA40000-0x00000252FDA50000-memory.dmp

Filesize
64KB

Download
memory/3540-71-0x00000252FD940000-0x00000252FD950000-memory.dmp

Filesize
64KB

Download