hxxp://google[.]com

Analysis

max time kernel
82s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4968	vlc.exe
1264	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
2860	msedge.exe
2860	msedge.exe
2276	identity_helper.exe
2276	identity_helper.exe
1264	mspaint.exe
1264	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4968	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	firefox.exe
Token: SeDebugPrivilege	4384	firefox.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4968	vlc.exe
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1264	mspaint.exe
1264	mspaint.exe
1264	mspaint.exe
1264	mspaint.exe
4968	vlc.exe
1264	EXCEL.EXE
1264	EXCEL.EXE
1264	EXCEL.EXE
1264	EXCEL.EXE
1264	EXCEL.EXE
1264	EXCEL.EXE
1264	EXCEL.EXE
1264	EXCEL.EXE
1264	EXCEL.EXE
4384	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2204	2860	msedge.exe	83
PID 2860 wrote to memory of 2204	2860	msedge.exe	83
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 1436	2860	msedge.exe	84
PID 2860 wrote to memory of 3356	2860	msedge.exe	85
PID 2860 wrote to memory of 3356	2860	msedge.exe	85
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86
PID 2860 wrote to memory of 1960	2860	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd7cc46f8,0x7fffd7cc4708,0x7fffd7cc4718
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18078257712060310538,6503384305249584413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:2796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\OpenUnblock.dib"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4640

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\GetRead.ram"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\BlockEdit.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3776
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.0.1925828483\769465392" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8af65ab5-1d50-4f26-8c48-1e40b7ea000b} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 1964 1f165b7fe58 gpu
    3⤵
    PID:756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.1.2096371012\891225339" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc00bcf7-8e12-43fc-b1ac-91c6bf4d5628} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 2368 1f164531458 socket
    3⤵
    PID:3504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.2.780769800\1933880896" -childID 1 -isForBrowser -prefsHandle 3108 -prefMapHandle 3004 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {302833d2-7c50-4c22-97a6-791a874680dc} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 3128 1f168a9dd58 tab
    3⤵
    PID:2944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.3.1043703362\55027378" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de957d97-194f-401a-bb54-804e8393873f} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 3576 1f15805e558 tab
    3⤵
    PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.4.223798470\986757831" -childID 3 -isForBrowser -prefsHandle 3992 -prefMapHandle 3980 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {486d42b4-fe7c-49bb-ac45-1a8883a230b1} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 4012 1f16a211d58 tab
    3⤵
    PID:2608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.5.382819941\2121278463" -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 4752 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5083fc9-c40a-47c5-bc70-4f0f0a2557ae} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 5112 1f158064458 tab
    3⤵
    PID:3648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.6.1602833338\800487099" -childID 5 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c2d04b4-bba7-4449-8f3e-997b1e646a09} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 5244 1f167f2eb58 tab
    3⤵
    PID:920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.7.1789492687\398127268" -childID 6 -isForBrowser -prefsHandle 5460 -prefMapHandle 5464 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {effc7983-4c2d-461b-8932-9e47ee2555b7} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 5452 1f167f2ee58 tab
    3⤵
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
cf9cc7fee390f19f19b2c784da7b0fb0

SHA1
4dc4b9235d749cb41acdd8042aa9237fb45639cf

SHA256
a2c5dede000700022b8e6ec61557efd80378e7a0741b85b77692c502ffbdf534

SHA512
602d9e62dc6c587ecabe8ce05296f252ad0a4021f5912e794b26a6dc66536d88b545a2b967bb005f5c25eab7d3afa87f9adc2206c38249907cefbcab16127f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
814B

MD5
94fc2a3152989f3fef5ba18a21c59f9c

SHA1
219a76a4478018de9a2871340604dc37b3ef1f50

SHA256
b839f732a7b284b058298e816550e5603067dcf66b0f844e1d0ac54a2e4bc756

SHA512
2c8e05c79cef5ddb219a610735e619f38cf9f3839d5b3631663c474ecdb45ddbebc6abac8c75ba01acb2885d30b5e98bcca2ec9638677321b3b4534160de2931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
027caa4bd856cd30a1df4913aef4bfcf

SHA1
68cd7829c055ea3b56ef2c2f91a6273cb1014690

SHA256
430ce1b90e98f8d2dac8fdf48e3f140c72a9e6297456bb1ff19b31b84e65f459

SHA512
23cabbd6da06ad9360934c4f48744c4283ce804281ce3c5348b691fdf8735632fcfce32a6d1033a07c1008be7094e47fd528b5ea9761ab4220cc66674d2b2d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
91b4f91902657d8191ed432d7e4adb6e

SHA1
70d48e391aed49cb420bc6edb33711b2b170ad24

SHA256
03e48a57c0cabb859fa3eeecd883be8ada97acd6d3e49c6316c53bd8543bfefc

SHA512
e1e421b427bdb2b43113a11371b2c77490206d36d609775ca0f2d546223f18861cdbfefc683c995b476fb031cf8a8e05320f8188fc2412c373ab3c63d332986d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1c7ec27d94da04714401b9adf0b17756

SHA1
3e18d51664cd7c8036552c1557391ae0e7d3363d

SHA256
57be391e5772faf9845cc18c3b6c5e428c1181feaa56c5dd4c4d16472c9ebb52

SHA512
067ce3414a4fdadf8b1fbc79cd0abfdbde43e60b848d9f06e1310f3c1192ab2135347d570baa9c1eee1da941f70e66a85ff4a82fcd6286268c542c97a5f2ba24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c530f1af6b274c04a21d452bce38c14a

SHA1
92c7737d8812e6e74fcfc0c72cc74c61d50cb718

SHA256
d1d120bb9e67f7395630e1504fb2f2b36352a6157afddba10101571679e8aa49

SHA512
7205957f46bbff7391c8358892c3b039129b138ee3d4c07005c3800c51cf44495c7c266c0559594fc2827204b676499700ed67693bdd08b203107943e6004653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
be965e206cc922637766df55d55d441c

SHA1
f241555468b388bf685e521005950e02cc807ffe

SHA256
bf14881c1cbd481ed888efc066abd256104e6283193cacd3049e05f6001beaa5

SHA512
63adb214f251a9dc8dc711e2cd0d8337f0a89db3dba084383ceeaa8515c17ac9dcceef366c41c0603ac16a05086e5fa546ac4ac7c7db778fffb44a9fb70d992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
d1ef921f3e0990c551cc61f0a4bf5b29

SHA1
308324cc78c6df2a5be12872777e3062d36a56c1

SHA256
81aceb8b2bc578f714a9dc0a8d04146ba9bb18eea7a3fb8f59530850a978d3b6

SHA512
1d456f3d93ed40a80f7f9eca1b428e1771d29335c215ffe96c8331efe653bc64615cba951ceb620123a6b14b25f4260bac1ce3702710a98b0af1a44cbc6e49dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
fcaa90f69e19147847558d128e7e3edb

SHA1
3fa7bc06645f4cd226da7b6c97dfcde4884338bb

SHA256
8612fcb15570683b1be217ff4ab551b8502dbd84c033734832f3f94ea6842265

SHA512
f812e5e8142e6d1fe1e32df8737de5b3821ede9ba091e0bf7270f559f29e06facd7aee9cbfa30a1374a36aba39f3b67edc57dd38cee5048c1682475b48871331

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\2e353395-d3e5-49cb-b4e7-07d43f1c3754

Filesize
11KB

MD5
faa354e1deb662597bc3506d2f9c6c8d

SHA1
a87c7d5470886d01362b11240e0b69409c00e948

SHA256
b0efc94818a720eefbd65c8392acb4913e65b349bdcaf5992d7a44dd2e5d546f

SHA512
91d24af12d11b3a687987307c4ad597a6a7abcdd59e69f7221aa57f9bd0aa17c7f0402ccfc5f8c9cb8b98d2bffeed743a7959d3bd37b588696985afe71b9f98b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\9072296c-210e-4d6e-aaec-68e0f26cb923

Filesize
746B

MD5
d2c20b8c81c838db514f036c143d3b5c

SHA1
798d8163d1e4e61e974ae34d34e2f28c96cf5850

SHA256
3dd938a1736d09c31bebf2a1039acd008fdb134d2379cedbbb5a982a909fcf0b

SHA512
1817fdd16a391a763dcfd6f2a1d7f02c76548ed91c8f91229b94da6c80b61d64b7cd317407b75d7f890fbb1b07bf5cbe8c1071066946fde9db9634bde0854ef6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs-1.js

Filesize
6KB

MD5
47f58920964096928be73ba2172a62ce

SHA1
c7216939451c5dfb404bcb1bfda424a1ee6a8b17

SHA256
3da34e2129c6c3644289940407f59c51cf13545c2baad339915d1c5749de1f34

SHA512
84e0efe33dfc3d7c39cca2e0c1c273451b6bed043bb2d4f9feefef66cf48b3952b0999bebf9a993ba29b5e2ab2d0d49c83cee9b82811cd96edc0f76e8f7a126a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs.js

Filesize
6KB

MD5
ceafcdda3fe6fce848052a857da1ae8d

SHA1
333031fdb710db663fdc8399fc1ec60dbac40142

SHA256
f3a95141337a9118492c4835b856bbf971f6a52a71d299d48569ceb8408dabee

SHA512
66ad803b97d5b92340f59ed57817ee7669849aa7189fb7ec86fd2d4f6773416461122ebd56623b0663d70c4f5241dcbb6fab41566a52946c24d663d2b21c327a

Download Submit
memory/1264-335-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-334-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-306-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-305-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-304-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-303-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-301-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-299-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-300-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-298-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-297-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-295-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-294-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-293-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-291-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-289-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/1264-288-0x00007FFFE6090000-0x00007FFFE6285000-memory.dmp

Filesize
2.0MB

Download
memory/4968-204-0x00007FFFC75F0000-0x00007FFFC7602000-memory.dmp

Filesize
72KB

Download
memory/4968-232-0x00007FFFC4550000-0x00007FFFC45EF000-memory.dmp

Filesize
636KB

Download
memory/4968-198-0x00007FFFC76E0000-0x00007FFFC7736000-memory.dmp

Filesize
344KB

Download
memory/4968-199-0x00007FFFC76B0000-0x00007FFFC76D8000-memory.dmp

Filesize
160KB

Download
memory/4968-200-0x00007FFFC7680000-0x00007FFFC76A4000-memory.dmp

Filesize
144KB

Download
memory/4968-201-0x00007FFFC7660000-0x00007FFFC7677000-memory.dmp

Filesize
92KB

Download
memory/4968-202-0x00007FFFC7630000-0x00007FFFC7653000-memory.dmp

Filesize
140KB

Download
memory/4968-203-0x00007FFFC7610000-0x00007FFFC7621000-memory.dmp

Filesize
68KB

Download
memory/4968-194-0x00007FFFC7900000-0x00007FFFC7930000-memory.dmp

Filesize
192KB

Download
memory/4968-205-0x00007FFFC7250000-0x00007FFFC7271000-memory.dmp

Filesize
132KB

Download
memory/4968-207-0x00007FFFC7210000-0x00007FFFC7222000-memory.dmp

Filesize
72KB

Download
memory/4968-206-0x00007FFFC7230000-0x00007FFFC7243000-memory.dmp

Filesize
76KB

Download
memory/4968-208-0x00007FFFC4BF0000-0x00007FFFC4D2B000-memory.dmp

Filesize
1.2MB

Download
memory/4968-209-0x00007FFFC71E0000-0x00007FFFC720C000-memory.dmp

Filesize
176KB

Download
memory/4968-210-0x00007FFFC4A30000-0x00007FFFC4BE2000-memory.dmp

Filesize
1.7MB

Download
memory/4968-211-0x00007FFFC7180000-0x00007FFFC71DC000-memory.dmp

Filesize
368KB

Download
memory/4968-213-0x00007FFFC4990000-0x00007FFFC4A27000-memory.dmp

Filesize
604KB

Download
memory/4968-212-0x00007FFFC7160000-0x00007FFFC7171000-memory.dmp

Filesize
68KB

Download
memory/4968-217-0x00007FFFC4750000-0x00007FFFC4981000-memory.dmp

Filesize
2.2MB

Download
memory/4968-215-0x00007FFFC6D30000-0x00007FFFC6D42000-memory.dmp

Filesize
72KB

Download
memory/4968-219-0x00007FFFC4710000-0x00007FFFC4745000-memory.dmp

Filesize
212KB

Download
memory/4968-221-0x00007FFFC46E0000-0x00007FFFC4705000-memory.dmp

Filesize
148KB

Download
memory/4968-224-0x00007FFFC46C0000-0x00007FFFC46D1000-memory.dmp

Filesize
68KB

Download
memory/4968-225-0x00007FFFC4650000-0x00007FFFC46B1000-memory.dmp

Filesize
388KB

Download
memory/4968-227-0x00007FFFC4630000-0x00007FFFC4641000-memory.dmp

Filesize
68KB

Download
memory/4968-229-0x00007FFFC4610000-0x00007FFFC4622000-memory.dmp

Filesize
72KB

Download
memory/4968-230-0x00007FFFC45F0000-0x00007FFFC4603000-memory.dmp

Filesize
76KB

Download
memory/4968-197-0x00007FFFC7740000-0x00007FFFC7751000-memory.dmp

Filesize
68KB

Download
memory/4968-237-0x00007FFFC4420000-0x00007FFFC4522000-memory.dmp

Filesize
1.0MB

Download
memory/4968-235-0x00007FFFC4530000-0x00007FFFC4541000-memory.dmp

Filesize
68KB

Download
memory/4968-196-0x00007FFFC7760000-0x00007FFFC77CF000-memory.dmp

Filesize
444KB

Download
memory/4968-195-0x00007FFFC7890000-0x00007FFFC78F7000-memory.dmp

Filesize
412KB

Download
memory/4968-193-0x00007FFFC7930000-0x00007FFFC7948000-memory.dmp

Filesize
96KB

Download
memory/4968-192-0x00007FFFC7950000-0x00007FFFC7961000-memory.dmp

Filesize
68KB

Download
memory/4968-191-0x00007FFFC7970000-0x00007FFFC798B000-memory.dmp

Filesize
108KB

Download
memory/4968-190-0x00007FFFC7990000-0x00007FFFC79A1000-memory.dmp

Filesize
68KB

Download
memory/4968-189-0x00007FFFC79B0000-0x00007FFFC79C1000-memory.dmp

Filesize
68KB

Download
memory/4968-188-0x00007FFFC79D0000-0x00007FFFC79E1000-memory.dmp

Filesize
68KB

Download
memory/4968-186-0x00007FFFC7A10000-0x00007FFFC7A31000-memory.dmp

Filesize
132KB

Download
memory/4968-187-0x00007FFFC79F0000-0x00007FFFC7A08000-memory.dmp

Filesize
96KB

Download
memory/4968-185-0x00007FFFC7A40000-0x00007FFFC7A7F000-memory.dmp

Filesize
252KB

Download
memory/4968-184-0x00007FFFC4D30000-0x00007FFFC5DDB000-memory.dmp

Filesize
16.7MB

Download
memory/4968-182-0x00007FFFC7A80000-0x00007FFFC7A91000-memory.dmp

Filesize
68KB

Download
memory/4968-183-0x00007FFFC5DE0000-0x00007FFFC5FE0000-memory.dmp

Filesize
2.0MB

Download
memory/4968-181-0x00007FFFC7AA0000-0x00007FFFC7ABD000-memory.dmp

Filesize
116KB

Download
memory/4968-180-0x00007FFFC7AC0000-0x00007FFFC7AD1000-memory.dmp

Filesize
68KB

Download
memory/4968-179-0x00007FFFC7AE0000-0x00007FFFC7AF7000-memory.dmp

Filesize
92KB

Download
memory/4968-177-0x00007FFFD7A20000-0x00007FFFD7A37000-memory.dmp

Filesize
92KB

Download
memory/4968-178-0x00007FFFC7B00000-0x00007FFFC7B11000-memory.dmp

Filesize
68KB

Download
memory/4968-176-0x00007FFFD7F10000-0x00007FFFD7F28000-memory.dmp

Filesize
96KB

Download
memory/4968-175-0x00007FFFC7280000-0x00007FFFC7534000-memory.dmp

Filesize
2.7MB

Download
memory/4968-174-0x00007FFFC7B20000-0x00007FFFC7B54000-memory.dmp

Filesize
208KB

Download
memory/4968-173-0x00007FF67DF00000-0x00007FF67DFF8000-memory.dmp

Filesize
992KB

Download