hxxps://storage[.]googleapis[.]com/fwdamoz/wnftcit[.]html#4xyeoJ53914BZnP302ulmytmhwok180573UQRYOVKUSYUOOIH693/8285U21

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://storage.googleapis.com/fwdamoz/wnftcit.html#4xyeoJ53914BZnP302ulmytmhwok180573UQRYOVKUSYUOOIH693/8285U21

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3928	msedge.exe
3928	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	firefox.exe
Token: SeDebugPrivilege	1660	firefox.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
1660	firefox.exe
1660	firefox.exe
1660	firefox.exe
1660	firefox.exe
4020	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
1660	firefox.exe
1660	firefox.exe
1660	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1660	firefox.exe
1660	firefox.exe
1660	firefox.exe
1660	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4472	4020	msedge.exe	89
PID 4020 wrote to memory of 4472	4020	msedge.exe	89
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 4260	4020	msedge.exe	90
PID 4020 wrote to memory of 3928	4020	msedge.exe	91
PID 4020 wrote to memory of 3928	4020	msedge.exe	91
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92
PID 4020 wrote to memory of 2932	4020	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://storage.googleapis.com/fwdamoz/wnftcit.html#4xyeoJ53914BZnP302ulmytmhwok180573UQRYOVKUSYUOOIH693/8285U21
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7b0946f8,0x7ffa7b094708,0x7ffa7b094718
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,5711828094415223858,4707720079592851817,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,5711828094415223858,4707720079592851817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,5711828094415223858,4707720079592851817,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5711828094415223858,4707720079592851817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5711828094415223858,4707720079592851817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5711828094415223858,4707720079592851817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,5711828094415223858,4707720079592851817,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:2732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2636
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.0.1189744867\1708074935" -parentBuildID 20221007134813 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11df56c3-be2b-4242-8252-d95362b9d618} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 1956 1dd35fe6458 gpu
    3⤵
    PID:4120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.1.512439982\1677347185" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e8f5f7a-f8bd-413c-969f-cf0b355fab7e} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 2396 1dd35de4758 socket
    3⤵
    PID:5200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.2.1203326141\1227342861" -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 3208 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {983149b4-fe21-49f6-8658-6752f938563a} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 3224 1dd3a195558 tab
    3⤵
    PID:5516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.3.1697745745\1205707155" -childID 2 -isForBrowser -prefsHandle 3512 -prefMapHandle 3508 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5e839de-472e-416d-8dfe-7eee492a416e} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 3524 1dd38a51058 tab
    3⤵
    PID:5596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.4.556473192\1001208957" -childID 3 -isForBrowser -prefsHandle 5020 -prefMapHandle 5016 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {889606ff-b206-4376-84e9-1985d6b9d29a} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 4992 1dd3b210658 tab
    3⤵
    PID:5748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.5.960913600\2136900907" -childID 4 -isForBrowser -prefsHandle 5180 -prefMapHandle 5224 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8f4dfe0-9b87-44b5-860f-8b9aba6c0a8e} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 5016 1dd3cd8a558 tab
    3⤵
    PID:5996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.6.473677234\430290280" -childID 5 -isForBrowser -prefsHandle 5356 -prefMapHandle 5280 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58e01acf-8496-47a1-a262-644b28a399ae} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 5400 1dd3cd8cc58 tab
    3⤵
    PID:6004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.7.1754299324\605404538" -childID 6 -isForBrowser -prefsHandle 5388 -prefMapHandle 5384 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5f73995-b588-4588-a95c-a0bf0d1c263c} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 5560 1dd3cd8a858 tab
    3⤵
    PID:5980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.8.1516354076\768966091" -childID 7 -isForBrowser -prefsHandle 2880 -prefMapHandle 3044 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3bbe12d-2d5b-4393-b674-9bdc1dc1f980} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 2900 1dd22364a58 tab
    3⤵
    PID:1600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.9.280130644\930478532" -childID 8 -isForBrowser -prefsHandle 5172 -prefMapHandle 5072 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca5b9869-03ab-42e4-8512-400f820d58e8} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 4396 1dd3b5e6258 tab
    3⤵
    PID:3688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.10.483937128\601197654" -childID 9 -isForBrowser -prefsHandle 5228 -prefMapHandle 5220 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64b3f152-b019-4ab3-9f8d-0e2d54f2e484} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 3028 1dd22363558 tab
    3⤵
    PID:376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1660.11.1655064988\1352716572" -childID 10 -isForBrowser -prefsHandle 4260 -prefMapHandle 1652 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b115f6b-0918-4ef6-8275-ddb4955ea943} 1660 "\\.\pipe\gecko-crash-server-pipe.1660" 3468 1dd3b5e4458 tab
    3⤵
    PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
311B

MD5
f0d11553b7083680e5548e185b541464

SHA1
6e8860531bd21e64ee6bfad4d65d724591b54e6f

SHA256
9cbc4a4fe3c346e78d46f30d1a6e5323637f26e29f1f3e0b700cb8a03ba85021

SHA512
f0831ccb7db26777ca4f7fbe8fab71fbda292b54a7f671a342df1925a70cf543ef9647cd83bc1d72520091dbbf196b6bcf158fe9f66956610a37fbcaa7e4c048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b6122c87c63b1561d8e3fc6a79659a01

SHA1
012f41fecb25736d41513c8d9f1ec5646da63f10

SHA256
7b79829890cc66f3a8f9c66c8547b5db9bfa7ccf3a48d4c5b13e9b273bfed018

SHA512
8d7ebd32d38c5dcb58cac3c84d0cb20b1c6644f69ead861374c926ebf1fcb25a018d2431612cfbc96c32379b70f69c898fdf59d3c8de6adf43933b6d2be4f414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15244192000a492581e59c7d5a497d78

SHA1
3d1d1a8f3835f93907f708f4c2870f96903b3209

SHA256
a4071ac7fa955ca4dd4b516797c3b3870bb84fc91d81b943fdedc8c7eed47c9a

SHA512
9389eea0cd42ffa5f0ae11b1fb7cd44d71f6941660f78fc88780501ae78fb8e55efe42aefbca7c8c7e45ac94c86f306011ea92627c671c5021787005d45eaa14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
400827f80f509ff24fdf04f9490e9c95

SHA1
3ae092f4eb391d0015912af2f0ac2d67bb23ecf7

SHA256
d253c70557acedeaae9c36c3ae5afea16a9ddcf2af72b338fd759515539ba609

SHA512
9f78d9374356cabdba936d11e31ce13c66a4a3eac252af87bd70da10a2c1a1306af17611f4cff87eba98e127c12d3e24e7bb1ad3df1be751f926516da7b30de7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e375b9a7a59cd2002b30ca625f920ba

SHA1
cd9a3c22e5258e2a754ec4f488fefea14fc2d6ab

SHA256
98a27902ab10ff6c8333fe4b387c2bbebef815fd28725b2b3a69b81bf788086c

SHA512
5cdae906bf96a88c3c41b894ae1b6b52cbe6eec7e76b3d230fb62e304c2326a2b7dbbf274aec4563e802037f629400871ac6b00f9d890e53cd1598d138c0b7f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8c9fe1b441c406538e305c8efdfaf567

SHA1
46bdbbba877a46e3ada4e5fe3e97a3ea8585ac26

SHA256
0ee488324ef5b93635690aed1dd36e352f73208dc09d9bcce245fa88c0d9a95f

SHA512
0c85eb55b8a38ecd1065a98d4f19e5732cd1cf562dd2548aec752c2890a15841c36f51349eda228d5938f95dbc34458c6bc65e32ea8ad5c02554a1881a05a860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e9ade3984850780bcd8dff22739b54a4

SHA1
d60fa7e13b4bceabcf35140fbd584f107ed4f920

SHA256
85c5cda1381f7770b58d39468126c2d5fbaa7ae7eecb50c50d55a2c807ad721a

SHA512
64888d4d4428574801a15dbde0f95476bc6c8c9392c4ddfea40af0567b663d3ec3a460ec09c535fcddef87bb0cfd5ce15659945afa7c6a176127bfd06080eb4a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3e5zl51i.default-release\cache2\doomed\13937

Filesize
862B

MD5
5d9867069c5a7fb396a90554802c59af

SHA1
d647a810905ff075b36d3995ce11eb4e6a24eef0

SHA256
272b240d76f6a9d3ff37a3b4be6dc81e5c8fb2b71f1b4e722782131041c7ec00

SHA512
b10c1c8e24bc9ee5374f05be3defa37506330f100146274529b834b6c859bd67ceb39a036e2ddb0afc765e6a85dfb40b2e70ed17697e8e24a30e5a4db5f4b09a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3e5zl51i.default-release\cache2\entries\A72798DEF4F924983D5A0DB82D383C613B515FF2

Filesize
13KB

MD5
a5cc38ea610270e119e4b75af9f00fa7

SHA1
7d14127be3e5b95e84129d8f8622f52723ac1f9b

SHA256
18a98c4873faa6b93a351f27419e71d502c440d7bcbc07d5ef9cb50bd95f44d9

SHA512
7c90a1f2475bcff9d0eaeb79fc6d06c74d41c79d681b5ce3e9a9736a273f67d918d402118a7798b9d7b72b29a27ca0cb7406198bdea34c3e7100fb22d2e089c7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3e5zl51i.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C

Filesize
13KB

MD5
3416eb6b11ba0674d304a68b2e6bb8ff

SHA1
15812af53a782d499a340a762ca682943108e9e5

SHA256
556941cb6089133d0e22f13be8473313f48ebf8a4e51f8d6c3a57fd7aef0b87e

SHA512
30c4014f7efdc1a6b9308194d2fed7cd685263a926ff0baf1114dc352271af39c1ffe560822618fae0ddc0616777254de70c729a6998e6c514ab698706a924d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
6f45b28fa054cbba56ef4a87485d29f3

SHA1
d6c705e62b69f0cf7769b9c9f8d6c97e91f20aaf

SHA256
5211e293bc3593450d76435afdee03d3af321a9e5af721f6713ee5f41b664786

SHA512
55b4af097d70ae40670e74951fd5d10169d63036fb89538c418c79b73870cf24b8cebe2eaa673c4b958cebdf140279621eef8e430c9ed23abf7ccbead39c2a51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\pending_pings\4b5880e6-f652-4a79-b4ef-abadb2f59723

Filesize
11KB

MD5
686cbf113e6ba5b78e11abecf3cf19f9

SHA1
41b47da9c6b243f34422109d4bceda702b5f78b4

SHA256
29b17602e114cf4a45dc273c9fe637381b837ee338c9e495e2c746cae4bfa06a

SHA512
206dc11ee260525b314c6f3e20238c94a1613e870c861acea3c4d92bccca844441cded0d17603b3183ede813d5b8a3ea7e3584ecbc6da921c0443a3e768d80d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\pending_pings\eabdffe8-771a-4ff2-8132-7d05e98957be

Filesize
746B

MD5
914a5d3d8612ea5187fcb20010e29d65

SHA1
29c7444303698de107e82e6586f6c26f1e0fc3bc

SHA256
f638d9194ba0d060a655bfe1fc265c7ad8e5ecb25d39ccc57bb37bc83ccc429f

SHA512
eada115cc9396856e8a35ee3ede4757325409c1bf1cc22d98602b56f87bfa0b334f50234c7c971c98b4c6090f736ab384e11292bfc9112c7c198a2f3208d9804

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
192KB

MD5
0aba2e3d8642c750bd18c25a10627e05

SHA1
034968d51e9279e62d281877a06c7619aa2ebc95

SHA256
631dff80baca2581a5d53122e2469d04c8f97fd9a5309d85cb459b8561a69181

SHA512
361253928f6f90571e5fec4dd69a19a237fa75c7eb3b6034b06e5b08c748a72e0780135db5172b1efa7de18555b7d894571deef3664cdc6ac04a3e6da3629646

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs-1.js

Filesize
6KB

MD5
4e70e1d8a18ad7abf46e3da0c52a7d08

SHA1
aa179afda09fb145f1f39beaea905dc9fb7fa600

SHA256
d8cc2c78068a0e106562d1e6e5a8f5f41b569ce2f8b069349157d7a27bec3852

SHA512
deb10627094605222ab897629bfd8a54b85300fecdbfb22b936171545108dfc33c2257abb08c1c5b1e3785fb5eac3bb4bc6e0d0819d5479b2b28596a24fa740c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs-1.js

Filesize
6KB

MD5
e468321c5a1116eddf6ec3ff80269379

SHA1
516bbdb592cb57156b203f661006baf174692e74

SHA256
b9c910603a9ecacea061be237646a847ce3c0025dc7bd1758861d963338dd153

SHA512
f31e7f4cb4c93bc6f0dae9a7d33abc548c0b18e872a2a60d4d4d5f3ab8a6b6d9f8eeeff1f8e151abbdf83984edeed82fca93fd0072834b9e9009abc1e83d05e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs-1.js

Filesize
6KB

MD5
215c128f8ea23712b1606ba28effc981

SHA1
3dfdfe46cbdb070e40560ca850a80a1b879a44c1

SHA256
82f72c26687bcc2bbf2df9e094fe8394f313244201a59a375148adf65987931b

SHA512
391d38ac25f0a9a7188b53e7cfb4b5488663edff6c8c4c2fca85563ab2dae81c8fc4bb944130aa356b80153777c7c8d3f6a095d3231d0fe05cee6273350485c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs.js

Filesize
6KB

MD5
1c1403db94958591682b39eff7d580af

SHA1
01fbc62597a4f9144d124951dd82cff34db3da76

SHA256
e9c431ac5f18d2d6522ebd7da763769c84761df36fd05fa9d96001cbc67c9932

SHA512
2493f6216bf1f1352b3136c369e4baf602b7c898e18d4fdb4be3c65c79d9afb1450c82cfcf545f53bb7a7ac27ddc5fbfab24bc16986d7508876dcb933f0adb63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs.js

Filesize
6KB

MD5
d575bda7f302a3a920170ef81856e815

SHA1
0638133aaa01528dc5aecba582457bcf658fa3ed

SHA256
85857d38b234b8aeeed5da2aecf133dde67d999231edd0162bc4c95ecf49be00

SHA512
e03790affc7dcce2b1c88b358cd3d47feea44ac752fcfd1db6f9c0024d7cd6620b98d2b9974f7f15cb92ed3de2960c2267f6528c5fcdc9b03588f1bd3ab62970

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs.js

Filesize
6KB

MD5
f2cff1cc7ed10e01e9e4d3c73a1fc476

SHA1
6be4b709fa64e0417c581b70ea66410975e48948

SHA256
b3b4a83f26aa9d7596a521514c8fb9d10538c9bbae29eaad2eaffce0d7bc8f55

SHA512
b1c8535e949490b4cf0a0cfba08ba4db2bfc41be5008f63f378c77ac5c9f197c5b6fcbe5a3db642ab1cbd9e33fbe24fb39628ded207bbfaaa541733518a03901

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1f0af3281c6232a7e6550e0f409367b1

SHA1
16c11f7234a874883c77671698eda5e396956e1b

SHA256
3f661decb8e703aedd7dea655548d54f6d1a560ac4a39e59a87a61e7af34415b

SHA512
02294e084b6b123f636d484deefd217cacc0408038d130d69c80eea2a6de399292d2438b2c5827850e372eda86ffb18d0c12dc272608d3efe4ae79ce20334e1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
dd6966d86a53b8e02f23fdae4db81a53

SHA1
40af3197e4abeddefadc5e90a6fd3a8fc385349a

SHA256
0a0389d8103a63a06b11abe0f44d6bddf4a33f7a5174139c2492f6e4257c2db0

SHA512
860e6ac364027c0af2554de15558819b7ab24c9d2b09f2775bb314022b24d58a2cbcef480b63e94d137379f4505c3da3fabd1e5f4332000201269c6960beb69a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d2bff73c6b2683ff08e4c47091c3c044

SHA1
102bcab272597c7886d8f148f679ac8a81e33fe8

SHA256
fb67a1181df55998ca38b915f51e3ecfb449865a7c27d2880a00616978cdd91e

SHA512
33ebf2a2fb372a41d6de41765e18266bdbaae6e298523d2a94b58dc04dca9ddcb5d6d941cebf54979114416bf1bfe60cde65847f237b39dba74f48f5f8e6015a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
84145ab8e0b25ca626cf8aa8ae291a7e

SHA1
171604839cdcfb0d5f7ca525110e0bc679e7742c

SHA256
a795e5cbe7a16cf48efaa512b3c89a8e8fd2772cf99c90f8da296ce77782f829

SHA512
2564ac99bafe5b5187e82e5a594c2d5c9adf8ddc4f33df400a96102062f6c4e1c80773ffa730f4d5e438d0adea8d316bd2aa5de17c71f35716c56d9ef126eafa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
468aa4c150a7de4934dca098f42fa879

SHA1
da737a24771f6012d23004f5d62e46e3dce76e1a

SHA256
7cc18688daffc0a02e56949884a83312f664b6227a053afb6a2f371113d7a45d

SHA512
2b26cfdcd72243bdcd74855f296c88ae1ff0a78b30ac750e8820d2e660cd86baba0249ee3864d3b759332e853bda13d2fbd212f6ba68a2017919c57a5362afaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.4MB

MD5
33a658c9722c3802a85c28ed2e1b750f

SHA1
3a817c1c46095e979fedcc11309db227aa88af95

SHA256
add5608810966fcaaac7fb85d3af534f1fde08fd52c61490083a66542a6075a7

SHA512
a11400fa145536509d4394146c9ea54e254f771ea555ad982a828c100b98346e010c025bd304aa71cd399ca909385cf2d591f40f16c74d7c8c91da12a6f761cd

Download Submit