hxxp://tinyurl[.]com/yypz894j

Analysis

max time kernel
248s
max time network
285s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://tinyurl.com/yypz894j

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1524	msedge.exe
1524	msedge.exe
5084	msedge.exe
5084	msedge.exe
5600	identity_helper.exe
5600	identity_helper.exe
5532	msedge.exe
5532	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1576 firefox.exe
Token: SeDebugPrivilege 1576 firefox.exe

description	pid	process
Token: SeDebugPrivilege	1576	firefox.exe
Token: SeDebugPrivilege	1576	firefox.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

msedge.exefirefox.exe

pid	process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
1576	firefox.exe
1576	firefox.exe
1576	firefox.exe
1576	firefox.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

msedge.exefirefox.exe

pid	process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
1576	firefox.exe
1576	firefox.exe
1576	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1576 firefox.exe

pid	process
1576	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5084 wrote to memory of 1180	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 1180	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 960	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 1524	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 1524	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 2252	5084	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tinyurl.com/yypz894j
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa828646f8,0x7ffa82864708,0x7ffa82864718
2⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
2⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
2⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
2⤵
PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5168 /prefetch:8
2⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
2⤵
PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
2⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
2⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
2⤵
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
2⤵
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
2⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,3918316987078993397,8235610361451381860,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4724 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:60

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.0.275264998\1637949419" -parentBuildID 20221007134813 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1887af23-dc6a-48ae-a52a-5ba1f830fdd7} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 1992 1c5fa1dbd58 gpu
3⤵
PID:3000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.1.315700746\802737665" -parentBuildID 20221007134813 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32ad4511-a420-4f98-a762-48f2295acd93} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 2392 1c5f9930558 socket
3⤵
- Checks processor information in registry
PID:3528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.2.1544758949\913654169" -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3248 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00d99366-e87c-4479-bfc6-387ccf6b05fb} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 2948 1c5fde9c558 tab
3⤵
PID:3272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.3.1816637425\2143514749" -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d8fcce8-0ee4-4002-a799-3dce3d07064b} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 3068 1c5ed55eb58 tab
3⤵
PID:2004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.4.1851318695\574312996" -childID 3 -isForBrowser -prefsHandle 4628 -prefMapHandle 4152 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b61475dc-44a6-41f0-9974-22bfd1321bbd} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 4660 1c5fff46558 tab
3⤵
PID:5100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.5.2028442133\163443165" -childID 4 -isForBrowser -prefsHandle 5128 -prefMapHandle 5124 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09d32977-da00-46ae-8285-07e6aec94da1} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 5136 1c5ed52ff58 tab
3⤵
PID:5456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.7.2044382170\1265938849" -childID 6 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e221763-03c8-4d58-9272-cdbcd7cd299d} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 5432 1c60064db58 tab
3⤵
PID:5508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.6.1133283398\1412790143" -childID 5 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e6b3012-38b9-4710-825c-ccc8345cfaf3} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 5360 1c5fe49e958 tab
3⤵
PID:5500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
7ca0230785c1f053f0bdc21813aa403d

SHA1
0d465560360d450d60a90b87a5484f38fec4dd96

SHA256
58b21ee911dc328d6b9f4309746c1d8b2737592898561259e5d8a7652a5700dd

SHA512
0bb5e0f52d3597f72165b9a72bdf2084434bda8d11ecb9432378a0db11b1fdb234f2f2380837c5c88fe393bc747556fb1252f99d45d0dbbe31b683f62a50ee89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
df16d1c431ae5b2cf9bf4f0a17a6abb1

SHA1
aef9633c244d3694ff67881bec1a6b74e0938ce6

SHA256
14911c31000623dee1c728ebfaa1f5a418b31290c7f132f9b3bbd99cd0bdb995

SHA512
cee711c147c7dfa5955f3bc5ae15efa831888c8c04d15ce04493581060a11336016d2f611b650ea05c9285e636ad333968040e4bb6a8e8a0f38649e7f1adea4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
02088b120b859909b33ad918e6ef83c3

SHA1
c506273647425213c38f3ef063269e63d83aaf60

SHA256
9e29761a80f1d92ca20b2aeb1bc9ed3078f6dd2f24f9cc3bbee3d42cf06529ff

SHA512
4cab793372ec6f2d11c1892074fec4410626f25bb288f95328ec8461be1c9866ab16541309a0f4b139e2bb961604ae992dc7b39d9b21324d653e7435992d9a50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
f7f73a6a15a6282c904527045e3a918a

SHA1
a399c194d88e99a8dfa7ebf3b4e4c541571090c9

SHA256
a0aa901a6ed524d5af5175a1ee0e4fcd26a60ab56f674a117a3085a5431b248e

SHA512
5b9dd0fb5f0b6097d0cafe134e7c01be224e4b50e12b3a3721cb46212239773142d697909c60aa4519bbcf53f4c39eda8d25ec608c36d5e04717f44827691448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
e4357f1901b94a31d3ca2b177adff940

SHA1
a98d631fbf8bb9a878c66883e5042ffeb0a59f98

SHA256
f588d091d6db0567d255bad85c4ab2b1e64579962c730dab258c88b6d99f9e30

SHA512
dc6921fae3b4b5b4986184dfc49d634196f7a93a23b6ffb184f39b9d3e488fd49646900c7243180bf34e729800f6ca86710f006d96529010f1c03129d1884635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4845f7aadb432d9207c4ecffb5273b4e

SHA1
d497a12cec98fb70aeef8f6bd8ba39f7e1fbf3f4

SHA256
942c5042b8bce5d712191d9b20913353e9d5342019996a863647fc22777f2bb3

SHA512
7f63864113d46b13bd7cd8f3cd16c92456687b59c2b8408a9eb9e88b79e51bca7dffb0c72558b42a6d53c36494fd2dbdfc89f59f4415ae3e9c287c73e4c3b37e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
779fc1563e8fe17a0b4ca2136d47ddb8

SHA1
b70705dff552d839df5ea6ce2d54811f73df7331

SHA256
5f64c0b1285451607ad0aceeef77191359e8022f87bd2c0d034fb33cb75a4384

SHA512
6bcce720d2dd7999a2e5cd8e8392defc8b9634aec8e0f66fce7aa37f773a10f7221119472dfa8d456fe9f9472f1eefe68cdf38e4f569493b36fc26b9e59f6041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9792b7f62b39b3c50bc51962c62f7f45

SHA1
2bf5951a2e95c87b7dfcd6ccd549d4f71febc1a8

SHA256
d02f7a612a3bcf356aa64b068785a9ca1fd14b4a58afa0bda9b4705efc589327

SHA512
ec9aa20f540ad290b376b880ca44d22a0b9451febd6c22aa0303213b2870a98ea332aedc359be429d22a746aada672f60a68ef78f49a0eef384d49e087691bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
06d63531e46fe3d83697f0b34dbf0d67

SHA1
76984a26425a49055c31b32d34aafc074b4fe9fc

SHA256
5713cdd1dda84f2eaef4128f20b85e59e343a7e6c61b1809ea8f5ef81e94edfe

SHA512
988b1b33357f4df7319f06d8aacefcc57117bc382c49048ecfe63ab3887f86fc6f87e6e1819203f0c183271a46d2ad8c2442a7c79956a44a2a89bb62df3596a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ee058bf78edd6d0a32ec5abfcd27f003

SHA1
c9d09e4b85b9846c3aa7323b57e29c9184abe4b8

SHA256
01241315560e2e29c36ed2a2a2cf27cfd385e8eaaa06e8fa4f9c1084702ab863

SHA512
0282a31bdbc01b913c1edf6c1aa4e7c1af70689feb4f06eb8f6f69efe79e93bc634a7fb85671dbe37a03e1f501728044f5ba0fcb33c3a6b5df53f03ef97d89b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4db590a012ac1cded1fda903ad2c6bc5

SHA1
6f73d4a77f5951599853e1972cdad881089c7e8e

SHA256
e2207dbeb5ae26990a385ff56de05fe535e727413bb100d082e2467b6200bb07

SHA512
7f0cba0afc04cf49fd1fba33f76b6f176feee30737490af9efb29e9408cfa810e980ba020585b7c74c17a73ca366f8219187142d0ccc74ea24acbdf8e7fdc3cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ea765811cf67d564c036f89fb27cbcd

SHA1
ece2b062c92e848854386ff56d5984a5bcf855ee

SHA256
443158e9f15da8cc7004b1afe65f95c5af6cf261c8f4f2691a5946f8db9b86cc

SHA512
b566a20d57ca35a3ba398c2ae5c97d8151ff75ec99e9ed03bb4d64b6fa3270cf30b7e9bf727f3d5b8c7344fe78b91eeb78dca79ecea203f460d0f5a040da397b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fae58c651ed428057861429b6e176557

SHA1
39012060d0831681051e465ec92d6c463bedde39

SHA256
7258d109250ee2e385cca0dec295681499022f76d220b82132c634fe55f8c32f

SHA512
823302f69793edf56f2baeff6c93b6690cb02975dde993ab6e41c0465ad8b4efdcb4c981fb470eb381d05d995324a87f2ab74aca669e09b969854a3270e2cc1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
00d735379bb85bf4618737eb27c980bb

SHA1
0556347d68d4419df7d876ae0f29982cc33e7b2e

SHA256
1cbc292d1138fa818f57b6e5af62700d211209d5d09c9d9ce1168611f55943c9

SHA512
75752ec9fc65c4c69e1f450e6576e35291434f4a04a4a854c1309393aa8460ec9e1908204086e88b2a0fd03ee0a035165a22259dfc817cbb9a53e56553da0747

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\pending_pings\4fb179b8-e3ea-49bf-8465-70a0d410eb9f

Filesize
746B

MD5
3f99d12ed332d154d75ddc809699a8ba

SHA1
1e78d0e4737f186ee4d4c1a32604d1a28056a560

SHA256
861aab73b3d82c41c289eebf1e08ab3b51c3e003162c0a8e8eae8c61a1e9a49e

SHA512
f26fb63561a843ec57d1b6a98e27e7214b94a9f0e48c5d0aff2ef461533eb5bfb52262935b23357f712aa1be556ba47fd101f7f854f7c8cf9cb14fe80dd51604

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\pending_pings\634e27f7-6c30-4c7d-94c3-d1c634a51c25

Filesize
11KB

MD5
4fb3ed1e6e5c61b847e6531d86d23400

SHA1
59412897b5d319e9b32cd7734aa55eb0534f1db6

SHA256
df157b1783b9d1a46aef133fc2a1249f427afb077ff996a666d80c8ca2a3bd90

SHA512
19a5c6eb34510498be631650ff83561d32df08ec5fbb67723c1bf5e7d176ef056a74e2e3fc79b0c67e8e9e4d807e6004109af3ed39f31755e944cff3ff8d781b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs-1.js

Filesize
6KB

MD5
cc4b47115b008c52029d466685cef041

SHA1
1bac902e0594302971da79ca7ba303869a4d3e2b

SHA256
1a10b8d88d0a75d51fcf6dd1be23f25101b3973ffc42c195b048d1c8bc9c79aa

SHA512
f821daadcb7d24c80c172a237fdd4e1bd8a1e16e8dda1cacd497b1fad5085d69a719badb3d628886d6d6e76f4ff21fc2140fc9d1f76504c939c30128b2dc6781

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs.js

Filesize
6KB

MD5
dfbc7ac5c88eab287191920f118453b0

SHA1
48a1903d1d631b33fb04d150108a209cf15731e9

SHA256
d269a45ab947ceff6afb6a935ef5ba58850aba608c6af8c8b87434a1118381ad

SHA512
467d1ebfef28180b81592619dcb3b5a3b9bd182ed232ec144a91dd70d2a8ae4e973749fc878e621c7b00c2683ccfeb83df14e73db5cde6374a07f38f9c048e30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore.jsonlz4

Filesize
902B

MD5
474106c3f13ddc19a877379bfbda70bb

SHA1
58c0eccd8db728071719e848168190577ba49d2f

SHA256
a808c96ad14e5424c9f48471d887b5a089149ec189ef12f4da805e4e335a80b1

SHA512
61b86473112488ec76753eb09fd0d8727ff4b6b366acf74c573e0bacea6d846912e5b5b8bc22ac2ffbd0a58ad73ff21fdd60bd285f80c7687faa328070195334

Download Submit
\??\pipe\LOCAL\crashpad_5084_RWFZPBCVBBWFRPVM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit