hxxps://open-click[.]smtplw[.]com[.]br/openings/m/0941997ed22d406f5879da11bbfcb509-1709992690[.]7/a/0941997ed22d406f5879da11bbfcb509/r/NjE2NDZkNjk2ZTY5NzM3NDcyNjE2MzYxNmYyZTcyNjU3MDc1NjI2YzY5NjM2MTQwNjE3NDY1NmU3NDZmMmU2MzZmNmQyZTYyNzI=/v/8073d95e95871c64d7c5863edcdad8b1f56c5c35

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://open-click.smtplw.com.br/openings/m/0941997ed22d406f5879da11bbfcb509-1709992690.7/a/0941997ed22d406f5879da11bbfcb509/r/NjE2NDZkNjk2ZTY5NzM3NDcyNjE2MzYxNmYyZTcyNjU3MDc1NjI2YzY5NjM2MTQwNjE3NDY1NmU3NDZmMmU2MzZmNmQyZTYyNzI=/v/8073d95e95871c64d7c5863edcdad8b1f56c5c35

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2044	msedge.exe
2044	msedge.exe
1552	msedge.exe
1552	msedge.exe
4792	identity_helper.exe
4792	identity_helper.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	firefox.exe
Token: SeDebugPrivilege	1148	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1148	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1660	1552	msedge.exe	85
PID 1552 wrote to memory of 1660	1552	msedge.exe	85
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 1784	1552	msedge.exe	86
PID 1552 wrote to memory of 2044	1552	msedge.exe	87
PID 1552 wrote to memory of 2044	1552	msedge.exe	87
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88
PID 1552 wrote to memory of 1468	1552	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://open-click.smtplw.com.br/openings/m/0941997ed22d406f5879da11bbfcb509-1709992690.7/a/0941997ed22d406f5879da11bbfcb509/r/NjE2NDZkNjk2ZTY5NzM3NDcyNjE2MzYxNmYyZTcyNjU3MDc1NjI2YzY5NjM2MTQwNjE3NDY1NmU3NDZmMmU2MzZmNmQyZTYyNzI=/v/8073d95e95871c64d7c5863edcdad8b1f56c5c35
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dca746f8,0x7ff9dca74708,0x7ff9dca74718
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1704 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10548721196735233197,9524198936967931004,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1036
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.0.224496842\2002083775" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90c11c30-a870-4c7a-b67a-f22a356abe62} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 1948 1c73eaf3358 gpu
    3⤵
    PID:1124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.1.695466930\462724173" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7297e3b2-3d07-46a9-93a6-15f8dcfb6e6e} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 2348 1c73226fe58 socket
    3⤵
    PID:1628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.2.1058529431\986717107" -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 3120 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99237899-0069-4dc0-acfa-31bfe0adcf27} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 3136 1c73ea5f758 tab
    3⤵
    PID:1152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.3.1999784507\1283804879" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3556 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cfd20b8-4c68-41aa-8557-81a97cc45a2d} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 3256 1c732262558 tab
    3⤵
    PID:5036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.4.1236592581\1627074905" -childID 3 -isForBrowser -prefsHandle 3880 -prefMapHandle 3876 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7945f43-954f-4bbb-b4c4-4e8c8d54a1c3} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 3860 1c743e8ff58 tab
    3⤵
    PID:3304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.5.1078659721\2023391479" -childID 4 -isForBrowser -prefsHandle 5152 -prefMapHandle 5180 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a18bdc9-72a3-4e94-9be4-4dfa4a094edb} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 2816 1c7450f1658 tab
    3⤵
    PID:5696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.6.1788513696\1029720383" -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {195f7c5f-3a78-415a-b3d0-92a205371cb7} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 5296 1c7450f1c58 tab
    3⤵
    PID:5704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.7.2037348162\1402980920" -childID 6 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97de955b-57d6-4066-aaa2-8d345368184b} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 5484 1c74583c758 tab
    3⤵
    PID:5712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.8.1964207832\564322057" -childID 7 -isForBrowser -prefsHandle 5168 -prefMapHandle 4192 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1ab5323-f15e-4194-becb-199ee33f5600} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 2892 1c7463ed658 tab
    3⤵
    PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af6809a0834947933a7e6b792ec68a6d

SHA1
fad86c47fa873c65a526928a9c8f4a8489dbc2a2

SHA256
6d8464520358afaf6335d35fe81f9ea1f34af01bf191bb1672ebc5ed56b1f3f1

SHA512
d739836a46cf2aa984dc278ca82c29da876ad94a9bc26d72437301b420ea407a9ac46d96919281e8e02ac4f4defbe3d1ad06eb4ce5050c3308af08628802ebf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
160535b979bbb6c070ebfbb6850fea8b

SHA1
1a4a8105a2f7c6df9064f85fba4148e102b30e34

SHA256
d5de3b42dc14010a5e1b47e64e6f458b3486761d6562f38e79464ef2f8bed05d

SHA512
a962c320434a5e076b24da974690c2d52e75f25bafde94f442c72fb2a84e94dfca4b8c14c85062e61aeb06caa4c5d36f62ad44c3592d60250404ad8ef9d90009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d9432a84e9331baccae023be50d7638a

SHA1
df73eb7c3cbc3dd427fdf2008621482a56a312cf

SHA256
7b5660eedc893c06da3fa4125eb4f6ff84615c1477b7da286e71d59433ff5627

SHA512
69df17474dd19866cb0430161a384d0facc3fb6ecec0434abb71f020f785466b80658e4dfbf3effa531fe5231b2b747fc12b4094f0fbbf1c556480ae24aa922f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ad7f6e3def3d004bc8ce51a99bac54e

SHA1
b24e6a74cbe1ded0b2df8b7cdc4568d1ef46de43

SHA256
15187d74bc8ceab91bf028f7937ad308896fb3a49f5820e0725af77d75b2537b

SHA512
9f3c31dff472f7e5fb990aaf3c1ad8773f53e8102be67b1ca9949217df171fd3adb36dccaf1e235a751371db8d2713a7610db33c522564a387145ed0aef061e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b9af0805c9597186c8b184db77703058

SHA1
b2222578efe504e61c46ee91ca0713be6683d2fd

SHA256
250651cbab62e2cdc8432e28641ab51c5d781839d7e025b3d46457dc9c66a1bf

SHA512
e7baf471c7566313983a406473181a8ce6e89d8ae7c538c20c1ad52a6646d776ba6c8be9d29f659c9b4d132ba0a7fb931bd4fadd8724746765e8fa8ad1573e90

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\92qyi9k9.default-release\cache2\entries\A72798DEF4F924983D5A0DB82D383C613B515FF2

Filesize
13KB

MD5
a5621948b7aa52738730cc3a169859ae

SHA1
b50c47e35b071f431afa9bc50b3c69a460a33947

SHA256
1add8def651fb2029cfe23a010db86cf8b1b15bc4f29092a54ddafd091343dfe

SHA512
7fe71cdfe7c790fc909aa470f66118f4ca2de4cc93a275a108a8a6c42c66ed67e629efeed70a6fe7fef92657e4032cf92a811b5da2953e672d568ec816aef07a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\92qyi9k9.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C

Filesize
13KB

MD5
b9caa0f7b4ffd6cbb433bdeeef8da159

SHA1
83325bd2a07f80fda987c4887107f31f1e1b1ca0

SHA256
02e9a5b0bbed61e6126269fed9a6b8e3beb01291de7edc943aba280495ac004d

SHA512
34745fb1043cf9cd5cbba11b5e797e470ed7cb4bb787098425e70dfb29d493601cd15d0685c05195e605423e22809e56a1afcee08cb357421756f2bfbe508456

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f386deab1cb57276bd4d7abe063183a2

SHA1
0e06e3fc0dfac73a2ed2e91fecce44c3495123ed

SHA256
73b72858c15fe0a72f972ba5c7c3694e2c588a53d8903777de30e32cf744de64

SHA512
a4a189272cfc04874107981a5546609d95668cfe50e7ef1997592b89fa491e56e58aa462cf81a5ffcddfed32cd6cff67d2c69f1e4a46861969bcc8958eeb7bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\24095872-4e93-4940-9414-d30d144aff7e

Filesize
746B

MD5
a97c0c9e99fba8531051b57eb8e66498

SHA1
697986804448f64bf1b024a690e9081b2d9cf6f9

SHA256
89721fac67cf464cb7e0549e269635f0f6b17983c7745e113fa150d7a5bffe02

SHA512
417b89a638664e03e7dfe4e4fba07cb8f5bd97f55fa18b81110273bb8fc001469c2c039abba452ea46da5c85d879db2823d03b7cfbb03017c174295aaaa870ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\f4c2defb-758d-4f13-8d2a-fe9aef85193c

Filesize
9KB

MD5
5c38952ab6a84a87291285668ad8fe27

SHA1
1773aaaae1eb85798706df1977a12565634a4e9e

SHA256
9b38d484f82956077530b0768cc9511b83c13281f41404cf2b91ad925eb9fd9e

SHA512
6f0728dcf25aa51066e9042a405c55ebc30aa4188f56d6b3317e34be03805ebff7bd1b33c299a3cfbfc822f78b8ff4aefd1ee4dcea5686fb73f2e667832e2132

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs-1.js

Filesize
6KB

MD5
52571c32e9670f61b26fb21921ff28f2

SHA1
090899434f5f06b7452dab3ae058079ef34a735d

SHA256
c9625d9cb100b115df52984110a0871a15d66a485923b15b0d9ab14a72be390e

SHA512
d1164fd52a844abfe6b33fbbb0626836018ccf51962faba1eeeb57af21b1c2e4a5cf45fb71828eb569266a64481f6bf6e52cece43a281a9120a5055baa1a6140

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs-1.js

Filesize
7KB

MD5
d4b33e239efc4d0afd1413bfdb32b359

SHA1
d928f430775a8b91449f2e3801c6aa82fa296626

SHA256
d65800125c7dd6c8e63c7c97e78c9e4541b15ad380de371e50993849eb8e2c7d

SHA512
4273188d70f9371af2ca1663e5666a145d8d3d11484f03ef33586371a67b5816f1bc00ff46ca9bf93f5b26be7f2d4edcf9085b0651d78b75962f783448ed0a6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs.js

Filesize
6KB

MD5
12a3fe1545211e1d119e9d6be4158aa9

SHA1
12830dafccb84bbfd1c648bc67eeebb07c7642e6

SHA256
340dc0f35e84232a4312025ee919490c70e2624df30a86b743bfd23263f1f7cd

SHA512
911589385007807f3dca4bf1c2fc7410cc57bbcff611294e2647f9e95791673cf93ccaa06ebf8fda1f893763434b9fd0a21859f6efe0de5fd3691d7eaaf26fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs.js

Filesize
6KB

MD5
39527662f0231d08d3bb30bbdb4d0e33

SHA1
a2b516f8c593144b3eebdb7e0f93ef6faa10038d

SHA256
906cd2df4c5789386dc8db4f77f740d9cd5e8b10a52b96cd65da2b3367fbabb0

SHA512
db97395244d48199008381296acd2f6b63f93b656a47164b5d56885fc074c2f91611586b9948fe998812e5176d0bb8d838d8b927e73b03073b2188d240d930db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d35548ef0578fece841c9f351aa33612

SHA1
0787c4cba85957673f48a949d1d511909789860d

SHA256
04bf896b33e0c972fc5061134cad0aab54067fcb36fca89790e1372e13454e66

SHA512
18a1d19ff8cb37b968383ecf214f82dbb77611db6805bc6467033eebffcd4b4d6bf8e9c2afa1f371e1b9f6da5b3d29053cb0fbb0cf6f1798ac604bc9859af193

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
bf58b990344969c482b9682816064d2b

SHA1
3d0d637b9e811473eafb6ed1fc89964ca38c80a5

SHA256
089d1abcdcbb76f9acfe442c93f2e22e7a36b9463eb958eba17b2864bdb563bf

SHA512
5466b0e697cd14e6d1406e2ab3d57db8c48a9261f36301c9274101a38496dbc8dd260439cf95cef19fdbace245cf688945e7c483030891f099f4169dbdce180c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
feacfeaa6370d0dd460a0609e1e1435e

SHA1
1463da69f34d0efa56e61d9dd55ac1f435237b5b

SHA256
d57b87db93a487d521c52be8e0d599fcfb17e8012f6066c303f4e48e92c3f439

SHA512
61097d4419f67e7b364a5f0f3a248d801e0bbff2283ffce8cb89a5d43309145288c20ce1a6620217c81256db7da81de7d184a0c7eb769ea237902a5abbe5782b

Download Submit