hxxps://1337brucks[.]irg/hzsk

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 16:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://1337brucks.irg/hzsk

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
920	msedge.exe
920	msedge.exe
4484	msedge.exe
4484	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	firefox.exe
Token: SeDebugPrivilege	4424	firefox.exe
Token: SeDebugPrivilege	4424	firefox.exe
Token: SeDebugPrivilege	4424	firefox.exe
Token: SeDebugPrivilege	4424	firefox.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 4828	4484	msedge.exe	42
PID 4484 wrote to memory of 4828	4484	msedge.exe	42
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 1892	4484	msedge.exe	89
PID 4484 wrote to memory of 920	4484	msedge.exe	88
PID 4484 wrote to memory of 920	4484	msedge.exe	88
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90
PID 4484 wrote to memory of 392	4484	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://1337brucks.irg/hzsk
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa5e946f8,0x7ffaa5e94708,0x7ffaa5e94718
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,2247687411233867502,11529037293932034385,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5352 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2420
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.0.764764313\1859651401" -parentBuildID 20221007134813 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ddcd1c2-c956-40c2-b6b5-8e54c589609a} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 1832 2b777f03e58 gpu
    3⤵
    PID:4932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.1.1733807971\670011233" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f33a86c-0c8f-49fd-9b44-a427d7975d51} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2332 2b76416f858 socket
    3⤵
    PID:4252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.2.1117114618\1042493613" -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 2724 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1a0ef3d-fad2-45fa-a17c-6bb3ba264b28} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2932 2b77aa8fb58 tab
    3⤵
    PID:3304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.3.494184007\1021312016" -childID 2 -isForBrowser -prefsHandle 868 -prefMapHandle 2472 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {351d2a8c-9dd0-4479-a6ee-44c1cc361252} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 3444 2b76415e258 tab
    3⤵
    PID:3940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.4.745324281\984157475" -childID 3 -isForBrowser -prefsHandle 4108 -prefMapHandle 4104 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fc21d6e-07b5-4572-a955-137cff58ca93} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 4120 2b77cc42558 tab
    3⤵
    PID:1628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.7.641810997\1829632625" -childID 6 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1948c3b8-a748-47ef-bf81-168ba2daa584} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5588 2b77ef2ed58 tab
    3⤵
    PID:5320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.6.45209698\849146891" -childID 5 -isForBrowser -prefsHandle 5404 -prefMapHandle 5408 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23d9577b-9188-48ed-b6ee-de15d017e2e0} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5396 2b77ef2db58 tab
    3⤵
    PID:5312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.5.1905642419\395983272" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5264 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3ff494b-76db-40a2-8866-17d4dccceab1} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5268 2b77ef30b58 tab
    3⤵
    PID:5304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.8.1392291501\472688808" -childID 7 -isForBrowser -prefsHandle 5888 -prefMapHandle 5884 -prefsLen 26550 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8767173-dff0-49fc-8663-0cc7c39b732f} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5900 2b77c87df58 tab
    3⤵
    PID:5472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.9.2096746581\895369742" -childID 8 -isForBrowser -prefsHandle 5588 -prefMapHandle 6116 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff0e04f3-e13e-4c8e-9b7a-2098741778bc} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5772 2b76415cd58 tab
    3⤵
    PID:5916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.10.1551021810\1320047489" -parentBuildID 20221007134813 -prefsHandle 5772 -prefMapHandle 6236 -prefsLen 26725 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ea0ff1f-b9bd-4f7b-be88-6dc519988d1d} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6552 2b77c859c58 rdd
    3⤵
    PID:208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.11.927002681\1355656125" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6680 -prefMapHandle 6572 -prefsLen 26725 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f46db77a-e309-464a-b16d-5e0b8b8d2830} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6692 2b77c859958 utility
    3⤵
    PID:5204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
PID:4216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
177248264897d1fbdd0c1a425ffd9e63

SHA1
2bdaac64aef54060d2505d8fb8df5e37a5d69bf5

SHA256
e87a70388e7922c93f52dda8fc5736ceaae0b1feb79e45fdbd2e02f0ecbefdbb

SHA512
fff4eba8736e677c3a693133347d4f9b74b2f0826e2dbe9c8bd40308e30b89520c32b900d7269af786512da6d8c085524e8497c025e3b16f9774548c853c017c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fa01b232dc998a80635e42e2e9d986b4

SHA1
475eb4faf493da88bc65d01206f46f26ddf202d6

SHA256
8375c0b0f10fec5eaf2de4057a10e126a3f5da3884b094729da1d5021f0f538e

SHA512
4b3dd9940448d8f19b6ee29dc302c0358dc457c8ef99da0d44c4dbcd15a7cc6feacebd72c4354bdebb319678480e5723d5de00821b3ae98fa277b0a4b68f0158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
52826cef6409f67b78148b75e442b5ea

SHA1
a675db110aae767f5910511751cc3992cddcc393

SHA256
98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb

SHA512
f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e9dcd5b6d35c10aace5e710280cd6044

SHA1
3bae8c091967e5b5ed181171c91546c983231f0e

SHA256
82bd07a9ce60bb28589c42ce6992e5583b70a4202585ac9ad704f487180fab53

SHA512
0e7822d0c699833074af7f06ddeba39606ffad5f448f462bde17e8414bcdea0c45d1250f04c6295367809dad068b789d431f61fc16f55168767090ace962dd1d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\stdidscq.default-release\cache2\doomed\1523

Filesize
10KB

MD5
33094136003129f8f14fe12cbd3249d7

SHA1
d7e5726d9ac4a38290400670dc2125847f6483de

SHA256
0e2f737503cd2097a636fab8130b42bfd41202ad852434f8d3a2c10f05d928af

SHA512
c385d40c091d307f030a57d018c46d30c9b43087140c0426bdf4ef32c0c4386ac08ce1445e7a2913a1fd450b5f4aaf2c414b8d565f0551fac201cd3ac56e5280

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
fe4680497202c6fe13da2326b03dead1

SHA1
00f49a741f8c36e0335e8e65963e623913b4af7b

SHA256
b4eea61523ae4e3ac5b6d45aadb1967162c7a513900a81fdc5a97004279c2d04

SHA512
adef77274e73ebf7c3ba5ce7f3b373a5c77cbcb8dd97b1009493ebb914f0f61ced3b4dedf88cfac90d9fecc3e184884fbf7b8a29563f3d00acd6662b379e2fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\pending_pings\8ee3db24-db37-40c3-a9eb-4dfb2df99e7d

Filesize
746B

MD5
352d55134d6a2156673ad94c074b7b11

SHA1
5dee4102f46cc667495b6baebe7741ccc6bc9474

SHA256
0a6751003c2e17a072489fc239d8ed57c0815823efe451117c94868b5c76d2b8

SHA512
4effe86230678baf99688a5a0473ddb3f1652d5e6197575573daadd6682e1a4deb4458f69161735a41ba615a1140668c7b9117f8759d43d0f2f4cc185b23d025

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\pending_pings\d4d5085b-1492-4cf0-93c2-dd5166689426

Filesize
10KB

MD5
6d6a0a0122f67207c30a647afb0ed752

SHA1
33b657b3994a7d6c9832b6d3e3bef3212c2ecd54

SHA256
2634e156a7d542da47b3a182323e3552f840e9a8813e15616d9cc80e65820041

SHA512
24adad405361492245dc0721d5d6fe2abd7cac9995f99c7bcb541dc96e9bc8b8f31a3c4fd56dc7e33592444791b311c41900bfcc04f48f40e943dd8e13c63ab2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\prefs-1.js

Filesize
6KB

MD5
739eedbb75a9e33ef1ebec8e7669bf72

SHA1
3b056927283a8669b7e2b2abc0d04ee0ad012d21

SHA256
ba173a23cdce3b367353854d2ec8411a84dd1470201581efab8f162f436106b3

SHA512
26a393af589d565f36570c6360685ea3ef9dca66547aa5efbbb463f8b281ab7ae0ddc73627f28fdb360d633dcd9094db34a75dc0b11256b0cd88f5867980bf3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\prefs-1.js

Filesize
6KB

MD5
8e9d620577799d1ec56b48e71dd9cdfa

SHA1
be91ee6d02d95360d58f79733258dbe443565dfc

SHA256
ec3e283cecc0bb750500598c28aa531b259f64fe9d7cb132e50561ad73f4c11c

SHA512
5aaece15da5d4b88839c819ffba55f091bbf8a1f366f15d47d3092717b84857ba32acc6491a7d37e204a85978b8ec12e8a4047909b6ccd80218728e397ad8198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
1bc61106b4ee28037ef2c81c039937ef

SHA1
b2bd73be229e0ba5fd0dee649f94905efbb77017

SHA256
fa62370a7c50c1c63a2a0b17e4c72b0cf63b6e8d478930b15cc61bb006eace0e

SHA512
10d31488a0c4247052a30839b7305c0c66dee387f6ab413586ba8957ce710cc3244a0eb0c978e98ffdf0a9ce4b016de579f6d669ce4bb3fa57e0c98d75031e15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0eaa08aa9b21fdc48576f729151c42d4

SHA1
d703d8de818c64015661fb6f8439f083c63e1e28

SHA256
5a56a889a5d88437b7eccf9d2b3fcf8ddeff86eafc9ff73b027c4abf219c882c

SHA512
f20b3133e1d0ccfd97dda3c9003dad74a87ca9ef2a794f0d5ff3d4fe4bfdf19016b52ed2f45022903259814c135422b062202a8c339fd0cecc83ee4055da1c3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
fae26dee23da24bd715f7c52c365e0da

SHA1
201f80fb45c07c0f05b2749ddbb28097e994228c

SHA256
81fa25df4cba8874c369f7403098f14f258386e9215387a2f0ee16d71c353ad9

SHA512
25174785d2269d8edfe4cf6e0dce8bd3e5eb2f731b8269c1cff1de837fc3dd2e84b255d1ee536d30daa4fd2ff369c9ac0fd9554a6179f586d542d7db900a9c21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
17869e6a12ada75ae92468afd48b7374

SHA1
76dfe56c1d5878a1211c34d3e5571c829d807572

SHA256
5d248b9af716af6970cbe0e5d97be029a4e638d3a60c0e190c05fe1335ccc409

SHA512
99b611d85f1453ab360bf3c27f46e35461dea2649b002122c8e74c0d1f91d284f92c9ef830bebcc8596ac7ac69704d70daf4dd5a9073f0f0a600a2e965d1764e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
aef4122065f178b5b15aff2f248a4b52

SHA1
5f2100a56a6922c41ed5ef6698da8a7feba8779d

SHA256
968ac2c7137ed75350ba8b5e7b7092959161a31750619504939e37161a8ab709

SHA512
28c6437abf28e162d81ad4580ec55d89653653a95fcf4edba5053292af17bbf4ab43eaec1e76aef935e7861ae0eb2cf942bbbe181953ec0ca65abbab74a94c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d4847061bdc0fc06a72c05b2ee91df4e

SHA1
3bf72cad352d75ae142dea5fbb8d9d5cd5afaeb0

SHA256
7df3623b7ce0b0c8ecadd9d51124fb3c558536eb696b7c5e2c56190705174423

SHA512
43b5dc3f9079570bce1ea813e7e55f52f00eb1e90426a929678b8702dcd5e927559124057d261568e1d895674bbcad5b4854ee67fe99323c251a67a3405a6fea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\storage\default\https+++www.youtube.com\cache\morgue\213\{e9f089de-d9e4-45e8-b417-b86f2bd4bdd5}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\storage\default\https+++www.youtube.com\idb\2750856956yCt7-%iCt7-%rfe4s7p9o.sqlite

Filesize
48KB

MD5
bb6c59e75fed8b06b7d2551e6bf2f553

SHA1
dfcbbbcad29c44a0d2ae78296013f4ab8dca3f69

SHA256
9fe71d212c7bccbf63f988e1979e4eca55986a7c4209d85097a2f9f9bd5329ca

SHA512
d0a27bad5205b26170d5b37dda61e8c3f4f53fe3f9173062161c4aac103f421bccc89e7017b123a853728f901867ae9ee9dfbed89aaa7f5ed783afae17d65053

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
4b187cd97e9c4827fbb4306276444216

SHA1
35352694472efa275d172eb63ffe8df937f3c485

SHA256
153c5daf63e2ef61b70fe69969eddac0d911a5bb5e5ba8049eb41172d90a769c

SHA512
ec9b5f181909fa654f7e760eac71eee9b80bb708ac69894649603c95ecebb8035a4e4035cc9e8908aa3c1ea42c4e036491df65541787d82911c6d3b8a20f74bd

Download Submit