hxxps://speed-drive-5161[.]my[.]salesforce[.]com/servlet/servlet[.]ImageServer?oid=00Dal000002j02k&esid=018al000000B5V2&from=ext

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://speed-drive-5161.my.salesforce.com/servlet/servlet.ImageServer?oid=00Dal000002j02k&esid=018al000000B5V2&from=ext

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\servlet.ImageServer:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
780	msedge.exe
780	msedge.exe
1392	msedge.exe
1392	msedge.exe
692	identity_helper.exe
692	identity_helper.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5168	firefox.exe
Token: SeDebugPrivilege	5168	firefox.exe
Token: SeDebugPrivilege	5168	firefox.exe
Token: SeDebugPrivilege	5168	firefox.exe
Token: SeDebugPrivilege	5168	firefox.exe
Token: SeDebugPrivilege	5168	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
6776	OpenWith.exe
6968	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1028	1392	msedge.exe	90
PID 1392 wrote to memory of 1028	1392	msedge.exe	90
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 608	1392	msedge.exe	91
PID 1392 wrote to memory of 780	1392	msedge.exe	92
PID 1392 wrote to memory of 780	1392	msedge.exe	92
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93
PID 1392 wrote to memory of 1604	1392	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://speed-drive-5161.my.salesforce.com/servlet/servlet.ImageServer?oid=00Dal000002j02k&esid=018al000000B5V2&from=ext
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff9c04c46f8,0x7ff9c04c4708,0x7ff9c04c4718
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,15038355810901551146,16654350419104264755,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5372 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2916
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5168.0.1711938409\289516453" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0db53723-c409-41ac-ae7e-e031a77f78e0} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" 1960 1e11e5f8858 gpu
    3⤵
    PID:5336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5168.1.1914105635\885740725" -parentBuildID 20221007134813 -prefsHandle 2332 -prefMapHandle 2320 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37ff4ac1-44f0-446f-a79b-7062d38e2379} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" 2360 1e10aa71658 socket
    3⤵
    PID:5412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5168.2.976800731\1798607962" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eee2c67-76f0-4c0e-abef-e6babca1b685} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" 3100 1e1225acc58 tab
    3⤵
    PID:5628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5168.3.1072793773\1534741662" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2381f093-b927-4987-8818-a24518d27492} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" 3344 1e1233f6758 tab
    3⤵
    PID:5776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5168.4.891405706\1098121782" -childID 3 -isForBrowser -prefsHandle 4292 -prefMapHandle 4284 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6ec30d4-6887-44b5-a2d1-09434684aa8e} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" 4260 1e123b22b58 tab
    3⤵
    PID:5128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5168.5.1268588669\1766327076" -childID 4 -isForBrowser -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f55e0b-bcfb-4d96-a919-cb6e85d7a34b} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" 5148 1e1249da458 tab
    3⤵
    PID:5668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5168.6.631958837\1308353427" -childID 5 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f84774f-5010-4e52-9220-b5b7e39b5396} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" 5280 1e1249dcb58 tab
    3⤵
    PID:6012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5168.7.414664060\283798003" -childID 6 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56cbc28f-9eaf-436f-a242-7fd7bc915e24} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" 5560 1e1249db358 tab
    3⤵
    PID:6024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
202B

MD5
cb3ac7df2ec045febff59e915d87e9bf

SHA1
4aa99d79f068e1e6583d1db0a59f9eb89763376e

SHA256
e783a7628b732d09a5bad68b7bc7b9cd4b67f82b5027779e66caad2ad6e0e734

SHA512
43fe886c815f62b6497d83ef7f03ada454190d178b64fbd479c2312d8bde39c3ec8c3a7d85ed4fd88b00ee3803248d0eb1014f313e70181f9f029ae650e89187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
500b84b3f01ccea5097cfa8b92884edf

SHA1
380b7c2bd33c8da7854af2f2a9adf25c8bd981bd

SHA256
9872b20c6515f6cfde9784acb3223e9d310e0aeda0ef970bd64aac8b8312dfab

SHA512
a2829104f7911d74e9ed6b22641d4bd3ddd65965070e561310e24bd1562550205392b52f22338af2b11e5841865eede7454b9fe650c770c4895f70af406b026e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32c66818cc95f6662c915fe55c96aa4a

SHA1
8dcb26563a0c974625579355ecd678bcd313e5e4

SHA256
8c7f2091415bc8c4e9ba5edd997260047fef1c9bc00e88aee2d8a984918948b0

SHA512
efe5654ac03b8272b7718ad6b60a9f2b8d3a3a8bc49fbeb8fab11450fa2b7e2b3995d1779019eb72692396f89175f72e346e251b64f27aea975f9cb92f1e1323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
97f68ed7c213eed3ee13a8423a81afc5

SHA1
3ed3ef4657da41e8b17bea6ed4ab2efe09b54e22

SHA256
af1ae42f5afa0ce1e17e1acd1b5e44cad69b44c1fe15348a19bc2d90ca583001

SHA512
99830feac774689a3e083089749ae3723aab609c6e44aa75032bd337116f71fb3df7e850799860ffd00db8198c0c0dcf413644852a417f729385e843a18771a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4852b33d0db5028db1f620662a33bfb3

SHA1
103dd4e8cbdd88362df110e863fbe4dc26951ad5

SHA256
bbebdb382bef6b5c117a5e687cf3bc57fd6ce13d8a7a5f4e9125c97ea31247c1

SHA512
14509f35eab582e86d1a847cb64ba31d0ae7af5b142a5a249ccadd6ee48ff4f7b7c3cfdc286c19b7b48fcbf8a0c4f3de1747126ebc6c3371b7b2dd73d065f9d9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C

Filesize
13KB

MD5
60a86ee3d41365e8a9ca4c2ff8e0976d

SHA1
76035313df080cff465c396b5d159b55d38762b7

SHA256
a77d742fbf9a5ba19451f248671d69ec79075f2968e65d124532c93ac95ba2d2

SHA512
108a9727c1fe0248a14ee78bc873f5480e946d832b094b63add9b11a26f3158c7ace4f0ad7a30e0b5bdfce98893769f2f118d220b8ca88c1a5262315754c22c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
000da3d6ccc41aa53e322fbfe8f769b1

SHA1
37d78584821108192b5b2b51579fa42db8ffecce

SHA256
b4c54fad17ce3832b4befeb6f476e143d606862a94679bf3ef97441cfe97dd5f

SHA512
a01c7746a0e68b9e36f743afb5223a1d2cdfc4958feecb3741bf419d696834d377d92f7dc0b5e7cdb57504dfcbf4ee0e4876a909c2f41411f358a1ad272cf920

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
4.0MB

MD5
e371d0d431a326a9f3476992d73fa1dd

SHA1
3441809375ef93d32c37390088e28e9ea948f7a3

SHA256
30f7260ffb076c83806321f1936db896a71ab7a8ca3a61c27ae2703c7f02e901

SHA512
e6f6d5ec801005d8362f16852c6bbf65dc719c5c0308491057d58c5d732c5ebf8f5d230e4fdad9f08a7bcbb6294f854dbe7cb9f72d51ed02229dd4ce26dc2838

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
5a235bfddbb49d5f2bd819d7fa794e83

SHA1
eba5b856d5961eac9db408ef4e64c279ad5af14d

SHA256
b0abca25bb06f46f61960d4277323b9b39f3c6420ef9e5645b5933996fb02363

SHA512
825d9f1edd4f0e7ab030aaf7ead887ad3f7a72f6e5cd13245980b443c2eada02518ed77ded7449a74296a87451779c7cbd07bacb2fc6dd6fc5358d1187bf592a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\56496f7c-289f-4e2e-a657-fa4fcabd4b65

Filesize
11KB

MD5
a2f0de1e76396de9068911481e8e76d7

SHA1
db07443d5bb163da80b78a246b10d77016bc7792

SHA256
b4a68b2f2e97d7f99d734dc32dabeed20481933146864a01540aaaad4ade1736

SHA512
ba9d4b8347793312f00f19220bdfc85ae055f5e855552bc7e5f34e031126d76c26abced9f9705487b5f89729d0db05996605eb8edb0fbd7e8c016bf48e9defdf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\f6169089-4a86-43b8-b41e-373e5eb925c6

Filesize
746B

MD5
372a8430d4ae0acaa26bdddf4d13dd39

SHA1
ab8f06732a18ac10aa1938bd265daff9b5fbf462

SHA256
e7bd0f4314324abf4ffc182e0d566354b4aa4dbdef30891daf8e9f4704a52dba

SHA512
c351c1780ad436ecd900020fe97d9cc6328d860c5a10c754b242b0a16fea63f7a8fc73bcdc9710544ea597965bddc3a33f72d21e3a949e950d9716f13089541f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
3.4MB

MD5
8b68d4c67f52cdab619b6210bf11dea2

SHA1
fbd063b166a1029a9d5c7ce1db4ccfab598bf4f4

SHA256
2b9a2dcc57fc2ac3fe9c8a5722f6e40f60616a5c3427b5e9f444010d29e3d1c8

SHA512
99ca0fe4016d2d02cf77fb9ae3a3de7ae15bab4625b647660cf31a5ee325cf817fc61d1969c9683cf9e5b7fa9a3da0ccc2d7dc661a4f746ceac0c5da3c5166c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs-1.js

Filesize
7KB

MD5
c9eb39450736b899ea98dff4474499bc

SHA1
0e30129932e14872b46dec76b38cc0356914c05d

SHA256
ca413c2acd2e4bf96a3856e234e7d2307c9e9c3a64fc8d7e801e2b8ebe81dd08

SHA512
45cc89103b723be902ca577d0a73a777f02c2ee2e5ce8c73d9c96200df3514253fca2bcbba55c3dd6ad6fed9c7998cc9a2559d734b6614026b9b6da0f2ce6d81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs-1.js

Filesize
6KB

MD5
e78060d505f5be4ef602cbf8d8fa999b

SHA1
bd304a5b6354a5e4087f765169d0c18405fff9fd

SHA256
31f5c8adb641d338cd2b907722f4d5648c8fb23f9d472da6dcb08c5a8cf3996b

SHA512
0d0755e009bac84e5b00d886350a4e434e360c0be35d7d7abc35b50622b17e2277b8f88729e4826012bba4e991c3d6be8143ce7e5ddd796a6c9fdeff7046f86d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

Filesize
6KB

MD5
9fe25ddfe6907706361594df79c51757

SHA1
0e5061c25ce4dea9a6a9acb9bf041bc377ccdffb

SHA256
9a75ab246e3616e4a331d05f01756738214ea89bfc6dc65c8fa6cf03c6a71b0d

SHA512
36a525ab51bc7229a40b0be662f9ccc1f3c401a4f42c03e90415ebdcedeee15e996888ec3c82fe9a1a68798f68ce6d54eb06803918b24dfdee73a491e5476b5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
165624e326d3b3c8e0971fa46bc8e6f9

SHA1
adf5e43ebc428994655f97e660a58638129d71f4

SHA256
1d4912956f7571e4a95f05fcd263775ffe2466bf85285dc7905c15981089351b

SHA512
e0ad6a0504120af8f5d5a2a93f9a4a4b9240d8d7eba4b4f8d140eb4937c0cb430aa89bf9b9a309b874641e26884705c136bd467d4bf0d712563d3b56f34395bb

Download Submit