hxxps://gofile[.]io/d/No1dZA

Resubmissions

19-03-2024 22:20

240319-19cskahh7s 8

19-03-2024 22:13

240319-15j13shg4v 10

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
19-03-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/No1dZA

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 865979.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\nudes.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2376	msedge.exe
2376	msedge.exe
3988	msedge.exe
3988	msedge.exe
2464	identity_helper.exe
2464	identity_helper.exe
4592	msedge.exe
4592	msedge.exe
4416	msedge.exe
4416	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	firefox.exe
Token: SeDebugPrivilege	1992	firefox.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
1992	firefox.exe
1992	firefox.exe
1992	firefox.exe
1992	firefox.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
1992	firefox.exe
1992	firefox.exe
1992	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1992	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 4692	3988	msedge.exe	79
PID 3988 wrote to memory of 4692	3988	msedge.exe	79
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 4996	3988	msedge.exe	80
PID 3988 wrote to memory of 2376	3988	msedge.exe	81
PID 3988 wrote to memory of 2376	3988	msedge.exe	81
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82
PID 3988 wrote to memory of 2312	3988	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/No1dZA
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd76a73cb8,0x7ffd76a73cc8,0x7ffd76a73cd8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,452243332879290733,12451164324779847756,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4896 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:780
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.0.1497632210\940897271" -parentBuildID 20221007134813 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b11fd66-78e3-4cdb-8515-67a9a3300621} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 1872 1d016fd6958 gpu
    3⤵
    PID:2604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.1.1046568295\1038815886" -parentBuildID 20221007134813 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {396ef58d-19ba-4e21-b487-edc4d007de86} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 2248 1d016efd558 socket
    3⤵
    PID:3724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.2.15481387\759208691" -childID 1 -isForBrowser -prefsHandle 2748 -prefMapHandle 2960 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eed8839d-941f-407e-abb7-3ad6a11e950d} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 3024 1d016f5f658 tab
    3⤵
    PID:772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.3.54717223\490102839" -childID 2 -isForBrowser -prefsHandle 3168 -prefMapHandle 3336 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d3caa7e-a420-41cd-bc67-ab37b589f724} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 3444 1d00b15e558 tab
    3⤵
    PID:4332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.4.1133683793\1832494116" -childID 3 -isForBrowser -prefsHandle 2724 -prefMapHandle 2728 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f0e827d-93f3-4569-bb36-ac2e725293c0} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 4520 1d01dec4b58 tab
    3⤵
    PID:5172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.5.1087248824\1143542733" -childID 4 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c49044d6-31b7-4887-a0dd-df198ad107d4} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 5060 1d01c260a58 tab
    3⤵
    PID:5564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.6.1767043552\1136507940" -childID 5 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50a361fe-8797-447b-86d8-9a2b6a5e15fb} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 5216 1d01ec05f58 tab
    3⤵
    PID:5572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.7.1581183109\232785819" -childID 6 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a935f2c1-7d04-4e04-98d4-c66c0b77c725} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 5416 1d01ec04a58 tab
    3⤵
    PID:5584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.8.724848882\1154117729" -childID 7 -isForBrowser -prefsHandle 5768 -prefMapHandle 5764 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f08885c-bec4-4ce5-ac38-bc966e383fe5} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 5780 1d01cb0e658 tab
    3⤵
    PID:6040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
96899614360333c9904499393c6e3d75

SHA1
bbfa17cf8df01c266323965735f00f0e9e04cd34

SHA256
486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c

SHA512
974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
19a8bcb40a17253313345edd2a0da1e7

SHA1
86fac74b5bbc59e910248caebd1176a48a46d72e

SHA256
b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e

SHA512
9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
ab92f59dc333af4453c4e471dcddecb3

SHA1
341252b4fa434347e567f6bd231dcb375dc3ac54

SHA256
75bd222058eaa6e989a9d67b75eaa0cd514a4ec4fc4fec3833ff87344424f115

SHA512
cc3e68ffb2b8d88c1583f9119178cf39f9454d631c05de103bb7e6ca5ec6759502f27858c27baa2a796f0b78ba76c15cbb0204bb563793ae1959d776dd4749f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a45efc2550915cebfb8bbcec64cc134f

SHA1
7218122f2428750d0682b81a131191c79a319514

SHA256
2b90b97b6ae82cdbdd16abe2156184ced55d04216dd8d8cd7346e5830fd76c18

SHA512
97c891e3606eed7a866590e08bb9aae736f785383eeeb941b02c3fe026abf9b2059b930f1205e910d035185a6ac2494f78a4626bf9a68ecc044f5550a03e1727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
467fde3d0b0afb8985701e8c2ecc91f1

SHA1
5c9d2142281c7b42566b0665a6ffda24d665cc12

SHA256
f5ff736ab99870aab7d93d929455bb1e12b538f7ccd8900314aba82ad5a95fb4

SHA512
66d5ce28fb75a8dfca4936efe19ea602ed483c163a800271935fc7bdb042dab82750759b2805f37cc5fc5b28dacd543e580213ff71e668f5773387829ecf0986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab7c882458660796e79db11813419b7c

SHA1
0828d3d96ca0975de9dbf14a9937736857240fb4

SHA256
7c15fdf2a875dd5b54bec916d7c69ac7eb297507246b5ee4ac2dfdf284d407dd

SHA512
3977301d1d34e6a1c0eef8bbe1933f9b397220660c1b89c2cfa59c4069788bd137b18846d98b8322515d6cd4ae153b7656754e0346b2271544e2a089ae06a61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f374344685fd146595d9f59a791c187d

SHA1
3daa8a452f82d1f69f8325d16379dc139837cbe8

SHA256
d0cf0ae1f4a4da031f770f4ffbb925e82d8f13b8254c01e1ba4b2c998d78e0b4

SHA512
79ef6079257859767b82160c5171819335a25992d37033ca91b846c7bf9ef995191f685a9b72d061becb3cecb3e24bfa3a694ddd62148aa796f7df51cbde3462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e58fd4095145376587ef3df064c5cf6e

SHA1
32d5d466bf91ce867685aef7da86638ac32ef95d

SHA256
0f4125ab0a69057d16a331855a98fab5679b02214cea50dbab204392b632bd73

SHA512
2f9dfdacb0b7e521572aa1ab5f112bcf473618e1241792b93a7b85643f4d6ef2e784ffba8745f26f8316430e0aa61e573c24be985fa5a6346946bd24261ff538

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
807bcdb846d25f805aafc78d701200a1

SHA1
3fab49d78f3373e337a706be1a69519a436f7f64

SHA256
bc972262033984fed00b9e3eefad849be35bbdc7b4bde9f0a285eda629922649

SHA512
f8f1c99879fa5aacdf4c9cd787c845f2c4d4d2e0b62e8adabedd2b8c791f21f029f8aab0e267d89066998954b50dbcc993e43b99db84c663e0892cdfbe1bec6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\72c737ac-dd68-4d92-9f02-56f162ec6255

Filesize
746B

MD5
26264e4f2ea44cd5317a2e7670e775ca

SHA1
b4da4e6d9f9e5b66cbeb13383e15319d92984231

SHA256
b646d957f8e1d1cddcbb8c9fe3f2b74f6a68c0cc24848057387a09eb03ead628

SHA512
38c81bcbdda211dcc700c82366232a25c3326721670f499a46f1bd7279296e5f399da827c0b6ad070ba45689b83bb671f2f30f49bdb5e73611c38e48044f25a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\f6a83a13-9d9d-41cd-8a79-58f2ff650afb

Filesize
12KB

MD5
9a77a55696844fe2ae22bdf52a479ab4

SHA1
aecf7a26a4e2546652529dcf1f9f352fe20d829e

SHA256
1997922c25581bacb81301e93ee7fba4795df4959ed440d8b9552c3acd24e8bf

SHA512
c01cad6e526dce9d40f68046a26cf89414de4dd412dcc538c6b1abc7a2078924231fad4ab8be0e5e783a83dcc03e77f70ccb0d3c1c137f7f399e9aef077acff1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js

Filesize
6KB

MD5
e61957e94b5d0baf193da9eca031382d

SHA1
69d8ea2d313e650e24858dce8d2aee7bfe4bcad6

SHA256
e2a91a41372e93e01e8be63f9b7032b88e236579b4dfccd07754e2252aa66e2b

SHA512
de2ed21aa19ebd49c7b805fa485579fc54ffe6f586fcc327d02e2b301de5480612371dd23a4a91d3f9f0c073541204b3e6b8e1855b4e2cfa1e53723905f2b752

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js

Filesize
6KB

MD5
fc32a63bfaebf38a3617e6f2d595b2fe

SHA1
ddc66d3aeb66b65c675349cb4da80b3a9ff95d99

SHA256
6deb31e3e071acc60881812dc02ae9f794642da193cefec84af1995a9bcc77d6

SHA512
39f67917a023461334ca38765fa760f9caf767fdaf05a44fea364e5ca2eb6d63c8b45f48b88e56940614613377b162a5c99f2fafeb2977f9df50f9a0f79602bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js

Filesize
6KB

MD5
b9fe3808875f78b83c775fc823d6889c

SHA1
b5573b1698b93475aee0e353ff0398da5a0e8316

SHA256
f3069c83259cea40f13ca893698e423eb1c88812d90c5128d35d8d7ae9740dcb

SHA512
3ae56a7a3256d00944d76505ab04cb503d358163f5de04bf50cb0fcd11697a9cf828f361d1f51892ada430fa10f56057f90737067b55bdc337845e573d3093b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs.js

Filesize
6KB

MD5
01f9052692e95e591fb1f1c4ea2d9f5c

SHA1
8a44935f0226bac7d4933fa848867339d25c06b7

SHA256
777e9e5765e0ab9892d7702ee80c690cb71cfcd49a1fb7419038f581705e46e1

SHA512
34541539f1ad6dd1b81cd497f4d1770a380438879e7b89607869b899af4b64f04e6bcb57394b731776af5134394ff82bcc3e94a5f56065a3b4368b5a847fa3c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs.js

Filesize
6KB

MD5
20eeb857423b96ce7cbf00edf721beee

SHA1
00a8cd8d1c34d72ca12b47ac16989004e751039f

SHA256
d22681dbd6f5ba4f912ec956eee1ce2b6a5251c5f5b462e3eaa6b93dc00909fc

SHA512
f7d91bfb1a2f4ae710b89f8852347c66c9444f77810173f050982585354921f4a2445d57e6f3de70e39133b6edbae81aeb86dd5554b79fff58084467f6ac8e27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ed5d5b1dbfc33965c67d05303858a754

SHA1
ec75ff8b93aea83aa41db2b72e4bbfda00b0c3dc

SHA256
af239a4b0664b52ec3a5abb98a0a93daac00820160be4de9921796a1b7e2504b

SHA512
1a6b713ca5d93e4b6836036554a2ec9ddf812f7a95e4d252c4ca58f92536ff5b0e1e40f0dc171b33e8cc5c09dae234c994913ec307f8425b6e55745f1ffb72af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f64bf9c930032ed080505afec29244b5

SHA1
9099c692f6f72b09417e7172f28ed895a96c2008

SHA256
b71117b4fcca07f3ddc08f1d6c55ed2a303cad1d7ee129f957e53ac753b24e45

SHA512
72b054bdc81d84914bd106e1c7548972a3a12eda3dad01b1994a744422b8a3fed9aa6436b938a6e0e4180c565faa1c09518ab80f0f0c6c1202fdc83ef9e0e973

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 865979.crdownload

Filesize
78KB

MD5
bdbd6fa439fb4dc1725ad7f834add265

SHA1
ed02a46eb700d976aa2884058f697eb8a4fc09f4

SHA256
870d8d7d4a4abbbf0138e5a063554f73389add79079467fedfc1814e32a57f33

SHA512
1eb43379afa4bb75256a67b453c02f5673fc549c946ef0e176bce21ca0194cff1aae602eda56764abb60a49655d36abdb690848819e14acc968f0505aa75cf1c

Download Submit
C:\Users\Admin\Downloads\nudes.exe:Zone.Identifier

Filesize
153B

MD5
63da0151ed39ebf81a4916d3c8c75ac3

SHA1
6e5403bdb9e77dfe72074200cd1cfe14be7dc9a1

SHA256
9d479d07f6d8486e11c4b24ad0925b2ad66eeef257dca33e97049cb343fa40aa

SHA512
8f2cebac9f50813238577ce2287e3ec262657ae7a213e8471826e0a5dd6046816aea24fba1640349d33be7018c4d52f45ffd9cc080e168e7720c56bdf1737d8f

Download Submit