hxxp://www[.]dropbox[.]com/l/scl/aabrj-tndeolxjv5nn3i_y7jucgxjrhyoo4

Analysis

max time kernel
176s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.dropbox.com/l/scl/aabrj-tndeolxjv5nn3i_y7jucgxjrhyoo4

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
2652	msedge.exe
2652	msedge.exe
1716	identity_helper.exe
1716	identity_helper.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
2652	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3980	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 468	2652	msedge.exe	88
PID 2652 wrote to memory of 468	2652	msedge.exe	88
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 3272	2652	msedge.exe	89
PID 2652 wrote to memory of 4824	2652	msedge.exe	90
PID 2652 wrote to memory of 4824	2652	msedge.exe	90
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91
PID 2652 wrote to memory of 4020	2652	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.dropbox.com/l/scl/aabrj-tndeolxjv5nn3i_y7jucgxjrhyoo4
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2f6246f8,0x7ffe2f624708,0x7ffe2f624718
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10759008588320184466,10909111878213425301,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4788 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2220
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.0.1361319934\1129256914" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33fc31c8-465d-41b0-9567-57d1b5c5a4c4} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 1960 24254cdc558 gpu
    3⤵
    PID:3100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.1.231117349\622153047" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ff35b2b-b921-4cfa-af4b-419b53d03fd4} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 2364 24248472b58 socket
    3⤵
    - Checks processor information in registry
    PID:1424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.2.824463796\135792687" -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 2884 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4f5c857-54be-4f35-8a04-0a531d49a5d0} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 3128 24258defe58 tab
    3⤵
    PID:5460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.3.99624553\326028356" -childID 2 -isForBrowser -prefsHandle 3428 -prefMapHandle 1080 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5388bc45-545d-45cd-b3c6-14437de078cb} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 3556 24258dee658 tab
    3⤵
    PID:5568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.4.1968032903\448603516" -childID 3 -isForBrowser -prefsHandle 4212 -prefMapHandle 4208 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3bbff45-1066-424c-8671-16849187d15b} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 4224 2425a0e7958 tab
    3⤵
    PID:5660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.5.1136694313\1912402582" -childID 4 -isForBrowser -prefsHandle 5108 -prefMapHandle 5132 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e54b5dca-a227-45e8-a93b-1dab8d8930dc} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 5160 24248468158 tab
    3⤵
    PID:5456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.6.851896672\1325010179" -childID 5 -isForBrowser -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6655afc-48d9-49d5-8a93-c06bca41fefb} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 5176 2425a0e8858 tab
    3⤵
    PID:5500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.7.211890501\2058225431" -childID 6 -isForBrowser -prefsHandle 5304 -prefMapHandle 5176 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94b79d73-e3fe-4c1f-bde8-a49a44115f8d} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 5392 2425b225558 tab
    3⤵
    PID:5528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.8.547603586\1207140155" -childID 7 -isForBrowser -prefsHandle 4876 -prefMapHandle 4824 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dae8930-ed4d-4018-83ef-4798eb2c3ced} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 5904 242573a8e58 tab
    3⤵
    PID:5268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\768a76b7-faf9-4ce7-8ef7-7687c4199792.tmp

Filesize
12KB

MD5
9d908d5ea440647d6ad29430595ef143

SHA1
28cc9e2106e84150ce7f4b8d3f20b0a4ff57f702

SHA256
ee184f62658f22144222405fa1087ab00122a98d5cad08c355b089d70c120504

SHA512
fba1a6a8ec8fd0d8eb110e81195d8bb03d042be8d244566c336da109b2b2433db40c2c36b950277f4f6d845a7c9fff76247a3e5b00c083c20664d0c041a8dee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
183B

MD5
6d7b8b13aaf175eb6ece8fb8ec08a9ec

SHA1
9b887b3f36cd12adbd0bbb8a02cb3edde501932b

SHA256
9b161006418b048745d20c8f96851b7e73d9e53180d067789d54e11dc065116c

SHA512
35bb28c4cec078c9049c161bb1927acdee65e6b666cdce06c6bd42462ffeb50fe4fce0c1a109e3d063a070cb93620f23b4a9c82992970f4e4c473af1b6d3a7e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f1c0830490390d0358c0090b5d0a8b8

SHA1
a6855381341181550356762b294e6b74929ba8a7

SHA256
1dcd3391695f9fb1883b87d3fb5e818d3bd0a31e8a1cdbafb4baca8f52321a62

SHA512
7a9b7b5c1681de685fa133f4125029ef1d037cd86bb64977a23b50a1e4a008b40d0fc55ec02559e4dcf92ecfebea856bf96f0fc286edebdbe4623f50432260db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
38cfe1efca44a9fe715c25a760270f49

SHA1
e5c50df3dfbfb0cda435fb86a5efd8d0374f6a82

SHA256
16992f9f851e00348a546007a27c99211e90b3d1f842072d59af8045d8e76e75

SHA512
5eec0b0336aeb99c35fc4dd243ee038ec6fde1abea650c3551675b76d7374497479337120e3c1ce9baa69b8fc3dedf98cf8d02396dd9ab89a890bc1bdc49fe45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
01dca2ee907854241b28808e0b65ebd5

SHA1
5d289a7c795308f22a610e85edce0c04427681dc

SHA256
fa77ff0e9f850af2c8cd2cd87b968066e4ac4e9b2c41eb51c5e0d0140aecde21

SHA512
c8a097bed46c037a1484c5910de5ecf150ef7826618f9458fbfc38f97ee11eb1efb6088d5e52c7bf3eb1d653d43d63fec2039fd0ae5d9e7619874cc49e1d6ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e0ea40b8daf2b69e3b04913a5ff628de

SHA1
b12b677ab00a0ae080a29118dd5e5ecfe2f36045

SHA256
47436d18a6313bb57d943afb65000799775b4f278bd75a7bba72917b12ee5bcf

SHA512
b1d35d4e9775bc19b466f95344d218f3579f048988b0136b527e86f86b0f2401c88b4a0758935563db06817556e7ed9f8d12836ff1753c1af91c938fef4ceb10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
251b119bcc3ca18f583e18e9c6d313a6

SHA1
c25e7d1600065b47f49602ecab802126faf65b19

SHA256
f475c5fe7aff2c6f92ba858a4273ac05e35f7e6a02038596818cb0d06a5f1ccf

SHA512
3aae8d27ebf86503f83eda1be8fce20d5f9b8ed277c2f83405fc322498ba1e24140017aaea59db5cf363d4091a030c9d0a8c4d349547ef439196d2cf1fde366f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
201B

MD5
c4545301b0dec563fa46476db12873bb

SHA1
d0840fb7cfe9aa4fe760137ffe750edb9882d32e

SHA256
f142079b55089ce66a5c869b90c881e223104c8743ce462f805decf4a3997b71

SHA512
e78c77487900afe5962f720d078784f3f3379a5ee03cd70284fa6803868721a393b9f865758fa0240fa3118ccf6334bfc276fff7aabe2bcd9ebcbd8d08585a19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58964f.TMP

Filesize
201B

MD5
73db8d6f8481c69296cfc9e83d96c9f6

SHA1
20b56b98993dca6a36e1051018cbd7010cc30ad6

SHA256
7a1b35e3995716a66f8b865c87dfcbb5f449771cacd8b4f25b60b09363585f54

SHA512
07adae5d537a4dda8a29a8387669c73f26e30722bc605a53744cae7e2ff82b7ba30dcc025e01c264b87ce36abaa96dfcc475e56759b88db70a472004d3c84f98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f1b64b0a0246d858263fa26d7a22471d

SHA1
f3d2dfb7919caf5b5c6fa4acb0e02bba54a8cd03

SHA256
d303e11b5a18dac622bd266deeb2b444fc5851d64c4cc7d739b26f8967b4410d

SHA512
730db99783ecb6206b44ea2505410751a27ac15d2392058eca4fb8feb73e5600e82c4a44db24a1c6c89bfe344869ecc00a7651ad00229a753d6a948725a0bd88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
60db38b9a0000c47182d86613b144091

SHA1
afa42ddbf27d54c63f7bd97d2d074ac5407db562

SHA256
5151bf4ff4384d366083accb2dae3867366cda2a99438d84a7229b25615efbec

SHA512
51aced615c7f2591936afd9d44e2201f3a968aca85cf1704c0efaab418e04d723b7c6701e8af760187848b32c027ae8627a91f5fe4aeecbf42141ab50c3f6c8f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gaix9yhh.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C

Filesize
13KB

MD5
1482df481a7a34b301d9e9390bd1c3d3

SHA1
39a8ae853b7dc70f3a6f83f54b67eb2c0606c005

SHA256
830fbd48bb90421509a270dfeb2686e5d96341cc5184ad7bf3523bf2e31232bb

SHA512
959ca709fdbed741d9fd2037dcdf4faf752355b9595fb1d568c394fd80985d7cb2fd87815e3c75319f6954c285dc8e456ab44c18d5b3c60021861a167604bb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
704KB

MD5
fa9a83d7507b7868e9667e106b936685

SHA1
6e6f166de649f2e956ab2a07ccbff1ec34ed458c

SHA256
ef4b4d1a24a623acd683ec18aeeeb48713991cdfc6ae514f79101014b4e43a39

SHA512
be4160e93746afcce782823bcdcf9f4399f6dc9ef61287fadd78c1f82b5d65e43a4cff7824eb3edb7073ee1349418f757a781ee74abc676dffd9c942a33226b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
c720e92c1cd8f9bc809f021596d47e43

SHA1
73ae2ea7ce7f9abf2c6e4f48d307b0be2d68cad4

SHA256
1403f744f85df7462e84fb8eb6ad1da2f37a11485d204d5f2a91526e4b6ec897

SHA512
d995edd3f6801e9832c8a4948607cf1fe46ae4e8c45ea4f88702b1377919e1bd493f1a30139467c4b0d48abe0c17646276db51a3dd46bd95184095b73ccfad58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\564883de-1761-4d46-aeab-2b7cf7811c26

Filesize
11KB

MD5
682380db341f7e22f5586598be282675

SHA1
2c636f871d1a0974d78f5a61af4784987c106f7c

SHA256
88eda637ac11c1e34dbd322e6121a7ce522f289ba9ceadee64a7eab9e08f5b53

SHA512
52cbaaf482209a6bbf448b7358878a098e6ed822c4f1d9983d69636059d89b1a4d578ccdbfe478d0bbba860c8a6db709ac3689aa5b35c1197afe25fc7a56dbb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\9ec83a35-5501-4639-99ca-737c8a882e7a

Filesize
746B

MD5
048f80f4dc7585327fdb9216bd93da6b

SHA1
17468312593f46ad2208da0f86e5af32c564bb63

SHA256
cba3058c66c126ef4726af78b008d868f4a6b1161487e6acbeed44c01277aaed

SHA512
dd836b1f4f9f0a47dc52f2625148018f9746b658eb305e60f2080186bb6cb3488bdcd84bdeef38da2c60f71e4a7135eca7c4db454669b9ac8ee7839ca2c31e16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
14KB

MD5
1751850af82d05d168d65797c5367127

SHA1
bdf0cca6cae2136903903dee1885a14f55a05949

SHA256
93f974171db04bf73839b684033ea5205d84cca8e0aca22ce3424b9094a60429

SHA512
34ab51e9d7ee9307cde98e9435b1ba0c4cd1912ea203db33202dd090e6f31ba89e824db47349ff6dee3137de495f5601415c76e05ea8db29b69f280f539507e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js

Filesize
6KB

MD5
6b6855c9a0639a6ae1245bee0feacc9d

SHA1
024ebe51b86dcd8ff778e976d35c61ef6f2e1418

SHA256
82ba06add7331ce6bd387ae932ff1fe47e7009997c82f18e2f891a73c485e7c9

SHA512
05b34523a1b7b65681d8216dfc7fdba03161ad5cc7eea301f3f03b80182bc1e3345e654df1c579b4e32220662ffb8286e691ace743c2251892f221c9a616ff93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js

Filesize
6KB

MD5
9af9e61d544ec85b206bb73af6c9a23d

SHA1
77a78a69a4205d805b0feafab075fb777628e01e

SHA256
59bbe48428a70cf05d80bd3168bce3633d8bdcc977a1df0861ecb772f0b45945

SHA512
47349f1ba7656d822aeb9a9c0b962784408af8f27a54e753a8255e19b87a3981a399eff8510465da348fcb9d8b5342fd41c433a003ec6ae2388e6b6879169bb4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js

Filesize
6KB

MD5
9abd770c6720e93208a07f9651b8deb1

SHA1
ba7eb454bb70070bd88216af089234e0d0c2af30

SHA256
f41a65521a57b030342f9e4cf4b7b516c5e55269c8980b36279f8262901eb7cc

SHA512
98e7398e119a6eb292608fead72269ea6ff2409ba6e6cd92af240495a6797858d95980304030ca517bda08c2a1354eb3857acd571fef7755cd506dac365b291a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e7e0cbfa6f3e8179f15a3f505e1ca08d

SHA1
d42334a639e9a2693ba196d3b777190cb7fdb17f

SHA256
a54696b7ee9184dc3e89dee2624a46d2df665f05e9916c91035ff901c7dfa962

SHA512
82563c875638b7f912e6861ab36eaad8a96239e0981d7c44ed0eab878732d96998c463eac75935a52486a8d38f9c9953dad013ef5ea71b2187ab2830ce956197

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
0c485096ecaf3fedf8379d480358b118

SHA1
11cd76ab0787293ff1cd1479db3e21495943b976

SHA256
ed66f33718072c625bbab05af780da64cd0bd5b859f243851a6c5d33d65d2d13

SHA512
70c47b53205da2ea4cfe34b4faf005d247c6e1529595ad8b71af737f95e649fca5459ffe771d9a1784bbb2029bb10f70419bfabd1bf4a891bc91bc3c5b0872cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore.jsonlz4

Filesize
930B

MD5
31edc7161b74842401f2266282953a6b

SHA1
49c5b65c10522e517c061a167babe1e038b9be7e

SHA256
f4647cd97baffbbb91ca49b4bab5ab424098f649995202210f194d2c7a89f01f

SHA512
393d0263bb99b63fe59b0e8b9d81b696acc4dd003b15eecba7008043df567f2052e512eacfc27339dcc78951a1963f0a8779f8892705d3d79f0d88e0fc9df501

Download Submit