hxxps://u[.]to/iLJnIA

Analysis

max time kernel
146s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25-02-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.to/iLJnIA

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1192	msedge.exe
1192	msedge.exe
2704	msedge.exe
2704	msedge.exe
1384	identity_helper.exe
1384	identity_helper.exe
2520	msedge.exe
2520	msedge.exe
5740	msedge.exe
5740	msedge.exe
5740	msedge.exe
5740	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2704 msedge.exe
2704 msedge.exe
2704 msedge.exe
2704 msedge.exe
2704 msedge.exe
2704 msedge.exe
2704 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3984 firefox.exe
Token: SeDebugPrivilege 3984 firefox.exe

description	pid	process
Token: SeDebugPrivilege	3984	firefox.exe
Token: SeDebugPrivilege	3984	firefox.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

msedge.exefirefox.exe

pid	process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
3984	firefox.exe
3984	firefox.exe
3984	firefox.exe
3984	firefox.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

msedge.exefirefox.exe

pid	process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
3984	firefox.exe
3984	firefox.exe
3984	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3984 firefox.exe

pid	process
3984	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2704 wrote to memory of 2568	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2568	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 908	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1192	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1192	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 1128	2704	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://u.to/iLJnIA
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffb49573cb8,0x7ffb49573cc8,0x7ffb49573cd8
2⤵
PID:2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
2⤵
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
2⤵
PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
2⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
2⤵
PID:1400

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
2⤵
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
2⤵
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
2⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
2⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,5518808243854296065,13338034669862403507,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1752 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.0.1797090642\1899246335" -parentBuildID 20221007134813 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e567955-f243-490a-b243-4a416bb2a0ab} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 1872 2495b7ca158 gpu
3⤵
PID:2376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.1.1763518711\1112318194" -parentBuildID 20221007134813 -prefsHandle 2232 -prefMapHandle 2220 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa231ae9-d03a-4a2e-b2fe-09bda9763860} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 2244 2495b132c58 socket
3⤵
PID:432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.2.1724744134\1933230392" -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3164 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {761254d7-6047-4c1e-b767-387c427525ef} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 2928 24960899658 tab
3⤵
PID:4560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.3.1708303696\2066342821" -childID 2 -isForBrowser -prefsHandle 3460 -prefMapHandle 3456 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {513574e0-06de-4308-a75d-66dc0b7c65d1} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 3472 2496019ac58 tab
3⤵
PID:2592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.4.193888641\1560477456" -childID 3 -isForBrowser -prefsHandle 4608 -prefMapHandle 4604 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3b5435-5dc0-4e29-8f5b-25a80b4f3a93} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 4616 249623c7258 tab
3⤵
PID:1660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.5.86909404\803703806" -childID 4 -isForBrowser -prefsHandle 5068 -prefMapHandle 1656 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1c3c06c-b4fb-4b9f-afbe-f8ddfbc2104e} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 5028 2495b7cc558 tab
3⤵
PID:3672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.6.473116891\1366497214" -childID 5 -isForBrowser -prefsHandle 5096 -prefMapHandle 2860 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {723c554b-2012-402b-8591-475ca0e72ca1} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 5232 249629cad58 tab
3⤵
PID:5064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.7.640231444\1119089307" -childID 6 -isForBrowser -prefsHandle 5480 -prefMapHandle 5500 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c9f0638-693b-49b9-bc07-32abd99e545f} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 5472 249629cb658 tab
3⤵
PID:2352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.8.1699342174\1812064769" -childID 7 -isForBrowser -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a75a4a4-6f88-43e8-9aa1-21fc58224eb4} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 5868 249646f1e58 tab
3⤵
PID:5368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.9.16620571\2086582010" -childID 8 -isForBrowser -prefsHandle 5176 -prefMapHandle 4792 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f30d0de3-ecc0-4018-9caf-d71e4282e094} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 2696 249628e8d58 tab
3⤵
PID:5752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.10.1057195306\773434413" -childID 9 -isForBrowser -prefsHandle 5464 -prefMapHandle 4192 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f341497b-a242-4124-9af1-60abd587fba0} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 5320 24964fe3558 tab
3⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a91469041c09ba8e6c92487f02ca8040

SHA1
7207eded6577ec8dc3962cd5c3b093d194317ea1

SHA256
0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f

SHA512
b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
601fbcb77ed9464402ad83ed36803fd1

SHA1
9a34f45553356ec48b03c4d2b2aa089b44c6532d

SHA256
09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15

SHA512
c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
360B

MD5
b725a93d76980f621e58b0803a62b35e

SHA1
484c13716e609d5073ba490c758a2c9915ebd42b

SHA256
aaacbd48d84dd0fe60729e8090ac0fe255114718f95a64af387d507e942a3938

SHA512
63ce5ce14b52373d8b440913a99cc2d6149ac27d343633b93245b3834c887d02b7f16c8a1a8116d049c37f80dc1ecc4c548e91fccbc13d8eeb888e06c275b431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
714B

MD5
85bf8f7dd116f8a74dc06e081d594e46

SHA1
8c02e0c8a736cee794fded246c72d72b2eca3687

SHA256
acc4ff7cbafa15db38f2a70e9f7f035370d10e3f8ce972158f533dca77413b02

SHA512
addcafe318bbd565c2bce25535a67821bd8b2b0f3791a09e9e1cb713099eddc5947544177ea3acc75975f49741663c13c87b1ebae59f74bf8944e05243417c8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
989316d7cba18dc391ee0e7d3cc37baf

SHA1
c857ef5d574c0427e88fd1e4fcf5541da6d949b8

SHA256
bc1873e2d013d302f479491650e479219446bf9f95fc48025b4fed141f63ad1a

SHA512
19c6dabb259de7ffa43645f438e9ad830bee842fc6f0fa8a0777c3d62c7d3db48e1309fe21f23e4283c6d89ed2fce99e81a2cb4088e6de966ac62b9bc90f43d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
69548a21817e64ab40e402624bd3f5dd

SHA1
af6aa3312aa2e4d0065305ad31a5fd84e8212a2f

SHA256
58a814e787399497171ab9a284d82addaede23794d156376ae846b7810c20dac

SHA512
0af232d4b2bf1248009729bb5343321b7c0f3c7804de22e7b5b6e4f48d2943573d39681892847c18af90cb1deaefa0a72aaca16f8fae8f1c0e5eea6e9c84be46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6aee631995b40d053e42468d62c4f4f6

SHA1
708e7b051ea636dd0405c0ea6a8cf97627314911

SHA256
1605767890831f011532285ec45ffcc13e7fb0a38b99a81187068e7c5179916c

SHA512
dca2a216fb976a85250d6193338c86b219029a0c060a45866b3edff8a1d66d3dbe8c41498672d878fdbf7975794e86c8af46e6cccaf2ff0594b3407a6d3bf939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fb9dc2640bbf0131d3ec6c0079d53206

SHA1
99dffc7bbf8775f43b493a4103a48fd75e67d30e

SHA256
b89a2d25f8df7273e1fcce0f1b93a9b1e10bede9283c0b029415b2a5ac108fac

SHA512
5b99c12b994c675975c2228aff1b02c6bec2dd2329fff7802bed234716619eaef661313d7e095c9bfc458dfccdfeb1accc3a1ac58e8b24c00ef6ddd251258381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9ff843e3b0aff3c1419d3f6eb8d6324f

SHA1
333d98f894b536633993646d7aff57a675646f29

SHA256
706d221dd4d2076f07514d9a2b52a9d695b53a2384a955a59ccbc8e91f7bb314

SHA512
3c3fd3f71eb22c80b8da55d21889e43c7fa02687ffcee409e7686f80d96b46ccf26d2c38bfd6f15ef1d91ee2cc378e79346c757ac60c5835dfdf5482cb82d073

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\cache2\doomed\25289
Filesize
9KB

MD5
6ee35b3ab3e53e2ca9184de22c45dd28

SHA1
31528e645acaf09f6699c2975d0142e2b7d4c0df

SHA256
d83fe314e539519275c27e2a2fb0eb1cecb0a05c29b2466fa1c70d2a0ed988b2

SHA512
7042c480326295495ff20d8797ab0b35fe3d06864b570169011a2ef9c231bdb42dd80b17adb995cb9deb13d159ad27fa21ef2d5a3a81e6e96db8f00145b37969

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\cache2\entries\0B64D5DEAD0290398D9FB907F7C6C56F129812AA
Filesize
81KB

MD5
a908d391a6373d2832000b0b55562bff

SHA1
37eaaeee3ea900f1ff8c8a813ad911bb4a421821

SHA256
5ec1f662a0636f239bc854b46c41f2a986ac991f83d7790b776d45eb235e3e30

SHA512
706090b813f5c60b5c1b643ee861a822e376778601e0986809cd62dcd2214455e1335e461e6c267864796338c5f349554ee043c33e4607eed56368ca217026f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\cache2\entries\80285EC16EDB2FCB53FE4D6500B0396AC776DCD0
Filesize
1.1MB

MD5
caee269ab436e06b00999239de8bef67

SHA1
b246872a4f68c9208343da240dd45fc58c3fecd1

SHA256
533ef740ad8198d7c817e6f171db31ad1f72e0f652cfae1157e822ce3d74e2a7

SHA512
df315c84999fee6441eca69aa7801c32e6396f60949538cbcdd65029cd3debafa97a394e79ee37a9ae66788c380a0012a1e261af41999772a9d24093575de3bb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\cache2\entries\ACC88C413B3874FCC9A7595D4FD3EFF93F58097F
Filesize
111KB

MD5
81af9c6f10b426a93bff67a0b0cec722

SHA1
3ac13b672bdb20cb678ca3332a5c3def77fe2946

SHA256
4b069b6435eb9d092a21bec4389ab69ec20111136155cf7df8ddcc7bc2e4ded0

SHA512
cf91812883f707e05f23a789628de30a4a229c91598921ac2c88eceba963b896eeb23928ef621e5a1c0b61bf5a5d6e488315641fd524493a23b90f7f7bcfadff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\cache2\entries\ADB77CF89BB7C3EACBA0400910D8956D4F8A5D23
Filesize
1.9MB

MD5
447dd4ff67e0bd5c419f81b67a905515

SHA1
3f9a2bfe0fb5efc2fbd3d741bd60a3e8a79e12d2

SHA256
f3c0a0cc38ceed9230c63f6867215140648cd2ae2f508ba977be5a90349b92c5

SHA512
e6ddefde1fa6556a62e21f419566510c8ef937da510147caf6c353d3fe98e82e9b8f4deb70265f9226e2e791c0bd82fd5e506e37b6c6dba6c3b6c7300f459b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
31646dbd2bfe83130acbce3c100b6d3c

SHA1
ee2353585df8c5131f8e1379731a6fe46f5534d9

SHA256
9957df66b3e85bbd03582a1dc366bf357234cb984ca760189d1b4839bc1e2fca

SHA512
794a32a3e9d869983bcf8169e522ccb8e87cf45a1d2e3b418d5e1a054915b368977b7c13bd62425487c39ce72a7bbd8d6b3cbb4fc9508da0bb2c9ee56930fab8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\datareporting\glean\pending_pings\38bbd654-afcf-4700-96bc-a329986e6945
Filesize
746B

MD5
5199ec6381e41e93a09b7e9224b640a8

SHA1
f83a2c4a4fe213ed00b471217a4a3a7aaed59e7b

SHA256
5c679568f438ffb13761a2086c38d9db1d59e494d1325a93006cc23a64ef7d40

SHA512
38025edacb096febfc333e2bb38165916ca67e6f8642e6f606d917ceb2b0d3d246439ca03d202c124aba23ac0a3e258b4b63754c475cd429e598ea97365dd7c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\datareporting\glean\pending_pings\dac6814d-95df-4580-87ae-bb969b22f4be
Filesize
11KB

MD5
989ccad855da6071ed3ad4fd9305de8d

SHA1
ae8f7e1e1d38086a3a09e3ca94eeceab50a170c1

SHA256
6d6004b729139dc84108aa8a0fde362959ae8a9c5caf21093635473499ea4ca4

SHA512
dbcab3c6566b8cd85cdcb2431edab50db29fee850dbafad922339fd44c05ec782acc8c91bbd7becad89a58729a92877870ee02132fbc0b3badb775496aa8bb00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\prefs-1.js
Filesize
6KB

MD5
b36f5b8fe605ac6da9e75ae85ee66e31

SHA1
3758252ab3c23f82f6d8c2f087474196a8b8e17f

SHA256
08cf86e89a24a423c33e4b46c3170b5b9f105b8b5736e6f35f965018a5f2ddcb

SHA512
776bc380114d898d41eb5c91d5cc0e9d04a0ea9b3633b0d90cb02cd223baa9c895ee0b862834e130d3e955f841816267c1c19d87f10870fd6842cc164c1f3e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\prefs-1.js
Filesize
6KB

MD5
83501325fa7d569f22df6112d58616be

SHA1
84518169f87d68f8844fff1197fcc79eaf7083ea

SHA256
32748181baac93a23a2eb7a0c3b2555bdc192c2073b59a04d253b46c298dd111

SHA512
6e660b1cc129912459067f97778d33e66d662e3a4b992703a5075ec4a0b1b63770e46120308129dbd24a1f4735efaf8e34740df8c55e400ba60c8e1f8e551252

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
583eed33a66f695dda95eaa9e6d19a00

SHA1
273ca91c7ea62e79d2c3dc1743474bea5ca0057d

SHA256
208f89eaabf490dfcc19fdaab5a33db10360b8a90534e96e397585370a0a1f56

SHA512
dae0f4c337435725acb6d945200f7f7f4b9cc6e8d47e5c680da3fb7dcffa5dda27753b30534c0c4e337104e42c5043e0f1da1f62893f12758e4d8e8fad1b964e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
42c2ace7651a28f1423b8aad6499da08

SHA1
5a8f68382ff670051684ab4daf07029615bc16de

SHA256
2f165269caabcabb77f83f0fec6d9ad5ef9a55f526fe4c674b862ea75bf08aa0

SHA512
0227b6fdfec8964a3e5873366ffeb4b6cde010d4bd3851cb4da898dd327f3399b3dcd60880415d3ffdeb97abab25adbb48c017cb5000b6a66a58bb56cfea0933

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
640c5e349ce160b8ab27df015d5262b7

SHA1
691a2e75ec241785fae19d6d452981463ba1edce

SHA256
e86dbf3de5f8636c4035515a72334c4ca505c5c7fa263ae6bd2cc6f569e7afae

SHA512
4d1fe24df4473df1e582d897ad446f6a0e993e7066d74a0e3eaad822de75e77b0a5f48062fd4b4d6f83032080ac67d9f28034654a64a4d8d2f3fd1c9bc055d1f

Download Submit
\??\pipe\LOCAL\crashpad_2704_PJVOZTIREVQAFKDV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit