hxxp://45[.]144[.]3[.]216[:]10000/rnv2ymcl

Resubmissions

26/03/2024, 20:51

240326-zngc7aeh9s 1

26/03/2024, 20:48

240326-zlj2asca34 1

26/03/2024, 20:44

240326-zjezkaeg8z 6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://45.144.3.216:10000/rnv2ymcl

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
208	msedge.exe
208	msedge.exe
3580	identity_helper.exe
3580	identity_helper.exe
4480	msedge.exe
4480	msedge.exe
6696	msedge.exe
6696	msedge.exe
6696	msedge.exe
6696	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5932	firefox.exe
Token: SeDebugPrivilege	5932	firefox.exe
Token: SeDebugPrivilege	5932	firefox.exe
Token: SeDebugPrivilege	5932	firefox.exe
Token: SeDebugPrivilege	5932	firefox.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
5932	firefox.exe
5932	firefox.exe
5932	firefox.exe
5932	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
5932	firefox.exe
5932	firefox.exe
5932	firefox.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5932	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3560	208	msedge.exe	86
PID 208 wrote to memory of 3560	208	msedge.exe	86
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 2180	208	msedge.exe	91
PID 208 wrote to memory of 4920	208	msedge.exe	92
PID 208 wrote to memory of 4920	208	msedge.exe	92
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93
PID 208 wrote to memory of 1856	208	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://45.144.3.216:10000/rnv2ymcl
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4fa346f8,0x7ffb4fa34708,0x7ffb4fa34718
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,15684243708751051337,13706356442505094881,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5716
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\rnv2ymcl"
  2⤵
  PID:5872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\rnv2ymcl
    3⤵
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5932
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5932.0.1076491378\1441856115" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa4ca319-823f-4344-b679-f50a7bb13ddf} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 1980 1f9577d6458 gpu
      4⤵
      PID:6112
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5932.1.379024870\1035337222" -parentBuildID 20221007134813 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16a6e044-a45f-4692-8e13-a0c4086f82f3} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 2400 1f9576fa258 socket
      4⤵
      PID:1744
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5932.2.54527885\1333917459" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 2968 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {515d48fa-d9a4-4634-a529-a1e22f6b910d} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 3164 1f95bbd1b58 tab
      4⤵
      PID:4140
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5932.3.2129653654\2071285075" -childID 2 -isForBrowser -prefsHandle 1044 -prefMapHandle 1132 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1963b61-34e2-4411-8b38-c720790b8c67} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 3440 1f95a409f58 tab
      4⤵
      PID:1632
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5932.4.1770379815\1902588225" -childID 3 -isForBrowser -prefsHandle 4888 -prefMapHandle 4884 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee7fdd9c-2c2e-4c3f-a132-0450b193fe07} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 4912 1f94af6a858 tab
      4⤵
      PID:2108
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5932.5.1166690192\901547564" -childID 4 -isForBrowser -prefsHandle 5052 -prefMapHandle 4932 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b86dac3d-cfb0-4c7e-9750-804211be64a0} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 5028 1f95da93158 tab
      4⤵
      PID:5408
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5932.6.2133366260\666003176" -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dae56aa2-d7c6-4d41-aca0-b0d6e2d1037e} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 5268 1f95da93a58 tab
      4⤵
      PID:5456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
807e7c7149cc435e4d35ee017dd1feeb

SHA1
e937089256f6e3b73d352b81f96d0cbed919cf9b

SHA256
6f4197e5199af97051464f5f6ea73a3ad86a86f029a6b7ed4226452b03bb970c

SHA512
e626d4712931fa1c8b171cb7444ba9e4c41aee79b3d8a32cf0d9e84873298d2111b81257ebe639b3f59a804ea3beb15b9602159a1e6fe80221876cfd933cd20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d12f5ed48a25ad94bab66752db89c271

SHA1
0f9715c3dd88629939fd373babeff9c865700469

SHA256
1afcc01fe3904f664f7a0731aca1f6905aa939b0effacb41d55c01547d132598

SHA512
8685e1cea9d3584cb77e26a644245c41f4853292fbfd3d7d8364c0451da1b64b23b784eda1b22ae38a8cf28b1aeef3001ca14685ed450af0956d6c8f07d2c53a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
db9d9dc400ab3a11e29a59fc08420fb0

SHA1
0b0414c8ff90f7ed70b3a7fea4381bcfd9da4219

SHA256
e87019718eec92ef279d7bd77f0e3d8df4f993855fe66e7034a5c7a58639da8a

SHA512
04ca6e054453831687d58f821b66e985b335badcb302cd01e253e291f9440f05afd766e3ad9960f87b85e6a2099e3717b66578e76538bd24c5ad11180a91c86b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5b69d02ac3b89c8b2c5e7d27ef16544a

SHA1
a230e2bce1f650129b85aa058b9186cbdb36a92e

SHA256
601ca6b90f277a7ecbb64b21938a4390e4ace751108d1144448a8bc69533ee59

SHA512
aa7a3475d2fd9719cd7f76676356e119eb4d8436109e49003b1b6111351b412fc46d4a0f8b70dcfc9b832af0b04c16bd932bd949ee82831219d64858cfe6aaa5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qapp529h.default-release\cache2\entries\A72798DEF4F924983D5A0DB82D383C613B515FF2

Filesize
13KB

MD5
c613fd52bdb500737d66729ce2050258

SHA1
84bb2d2077a325d1800b9052c140e6067ba5aaae

SHA256
2163438cff06e4eadd02aa02daa07a098b5e386b25e178287a626ee85703fb2f

SHA512
c430187f2195b0149ba8b573af588ff2cb02082e057d3e51b9979551b97fa60259ca950a538e10c52eb27999243911cf5e5bd0eb0f850882e91dcfa0dac00cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
41ff1fa0f31e6ab45db463f54db0692a

SHA1
6cbb0b8cbdad0fb4191a7c6d9909f5a079cc1f38

SHA256
0dd4faf6bb9917f6f81b7aa406cf501fb8058fe8fcd15647fecf44ec065e0d2f

SHA512
bf717918ec5973d74c7e3d5da10ded222275250acc53d04d1540b67e73dcf2f3ab2bde8dd5c02f3fe724d145d8e290f2ed0c3edfcc5ab2a698e8e2d5c62389f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\ca0d5c2e-8222-43ac-8d7c-6ce370c75c5b

Filesize
10KB

MD5
b4d9613dbba7e7f9d04f530d1b641cfe

SHA1
01f85355429ad97dc892f453e0511031613ebbcb

SHA256
946162cb1308eebf929b15c3db141404dcb55a32c52cd024382b1ad2964d8c77

SHA512
58e2440f9d2eb4b21dbcde9a0c6c7fc06e9c0417f67fa85254e6e68e5b556b768c782666c6b11aade36ac265e826bc7129eab6d41d29848d0e8da100ea433ee7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\dd88e6c8-799f-452f-99f5-5b88eaf6213b

Filesize
746B

MD5
bcf09451f36ca3c748145785b8d352b5

SHA1
ea416962cbbea0af7aeab0041b34eca0ac4d13e4

SHA256
eb46aa61866ab4b4a738461a22cd685531ff397877d726520d397f9a64dc8ca6

SHA512
c142aa35159564ef7d41ebdca79a8c48d9b521fe01f2557873ba3eabee195b04a248778452b8e055db70742bdb15e82ad74e37e74126ceb64379dc982043ee28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
7KB

MD5
ee06b0c20db16c27b24945ab0c02aa6c

SHA1
df3c5338a84af42c9cc8e0ad2a57f9318a3ffec2

SHA256
f1c8e33f28c42fad0959403947339aa67ab3be44175e41eaa04482c2c4cdb5b0

SHA512
5ab43176baf70dc7152304c8cd0393fb79896b856a52081c0b821ab7cb2b4811bfa95fcacb506c5095c9b1393316e2817b9186279fb698949c2d545fe220926d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
9b3bf0e1ca3c3d91647f678821cae1c3

SHA1
dbb181288a861b2905d323b475725daf118d2d2a

SHA256
96ee4a43a2fcb1fd742026b23ac115cd695a67a7aadc51b388db6abc395d498c

SHA512
9c14fca452321171d81a543a6bfb6e9b0763b758f4b8a69792fc5bf87ebf275f1bfa1bb51f4ca39464a6e50b61ea97651cf36d593973ccdc9907f374d77f8e5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
1bc12402d6fb12c465e60e25b53ef8cf

SHA1
44afe4d807e5459cf5315cdfcee18a40466e8700

SHA256
76edbd6666163b0ccbb551e7770e027c5617c75a534c3d953a23083ad93613d7

SHA512
6f6d70824e06d9bfb25337f976942dcb6e4e5751728a9025e246d07bdf7e40fa465252f3762e14fc0d94adc744047503e14413bac47b21dbdbeb3e295eb7d80f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3736b98a00ca88a09e9e5287b2e5610f

SHA1
9f693a42ae5745778d7a29866316279c3179a0b3

SHA256
b1bc2b4c7e9e220cac113123bc76c29bcd4e8f90c0a33eb28322d8054b1b9fbc

SHA512
5344ce3bf9eef3a27b053efe119470e03a93c5280819e78e338bbe345ca1e6d5e9f826d5b8eb82d68da6cf7271539702502f433de655ed85e022df953d6d6b7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
79461e839ead6e7ef6c2687c0d1e8b5b

SHA1
b2f34c1a3400da6f44aa02447c6c2a7498a99f0e

SHA256
77d435de8c4e5a2d1e61085ac18392bbdf96e8a05e8b6f12c29aa7ddd71d7a7e

SHA512
522d0d78f56bdc9baf148ae105f321a45f2edbc4c2574b200ff62e6da5cd16e133e4d79cd2f1d2dbe4c1819772682fad41e20d3c9175423767cc450ceb515b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b35094612111dd35077a6d548bd3e662

SHA1
b02c0f8de7089d01ad1b7b091bb86d7f1f7b4e3c

SHA256
a4078ff9e30f4dc0ac06d5439b0af138ba0e35ba3a15ce8b8c7c945b7c2e7591

SHA512
36e22b5a5cbf44534cafb2865df0f0630b95f74c92a7d960299256ae5967236cef6b5ee6ec80e5b2d465bd310298da58f430df9e17efcb9bd1961635399dbdc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
505bfbd083d4738600b8ec248566f637

SHA1
97194294f5f5a9c987618a9111e52a7defac76dd

SHA256
d8afc7c92f89b748d6ad31dca2c159a68d97c90bce87d6b841dd15f55229ae00

SHA512
a3b3c800150f004b1776c2e8d83bffc963d1842251d636797d8521b0db5bf20b120cea820b1058b08a79cf8cfbcc6c5fa417dc39ed1c22c0fa8f0cdf32cb7046

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d502258782e8a11f1cafa84ede545da0

SHA1
ce4b70d8e91cca864c86a92ca72ee92dfc8c177f

SHA256
c973ef17a41d91af1edd222d12d2552d85a4471fa33478d593601978b6fd3c9c

SHA512
3ee96019502ab07f773764006b9ad61a1397b05a329709cce021b49fa16374c4ff8e05c4edcae5829e899e9051d21701ff50e978cae839d4a435d4239dd01b7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
480KB

MD5
7d41f82b347bbbe10fbb039394737bd1

SHA1
66212626d379d36d9f2dd7ab577cfc9fb6b96526

SHA256
82e1d73ab311b2e2bce57283391a86967a7c891a987588be6a0a7ccf647c3b20

SHA512
1b866885675c35cc9d7e2d5b005dd7e4728e321e19f7d874b552bfe2704b52d190cdbd5c3bda0b14faebc60f8c90e671bf07ac307708de327bb8f4dc22011ca3

Download Submit
C:\Users\Admin\Downloads\rnv2ymcl

Filesize
12KB

MD5
b3bfc68de683391e674ada5ce72b584b

SHA1
d1b2e945d87df96ae11af7d6360f1cb0d8903457

SHA256
3b6bb4d96a2bd862ced17976ce8fd747c38b91df1447061d027d6c0e280d2e83

SHA512
97538061357a49c35d74558924334d562821f3279b4202203b2c431bb7527668f45bc52d7151d5835c50285f200f97fab2befb27714aef17d9cb32446a9f26e9

Download Submit