hxxps://go-link[.]ru/mQLDX

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
27-03-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://go-link.ru/mQLDX

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid process

4384 msedge.exe
4384 msedge.exe
4928 msedge.exe
4928 msedge.exe
8 msedge.exe
8 msedge.exe
1432 identity_helper.exe
1432 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1676 firefox.exe
Token: SeDebugPrivilege 1676 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings	firefox.exe

pid	process
4384	msedge.exe
4384	msedge.exe
4928	msedge.exe
4928	msedge.exe
8	msedge.exe
8	msedge.exe
1432	identity_helper.exe
1432	identity_helper.exe

description	pid	process
Token: SeDebugPrivilege	1676	firefox.exe
Token: SeDebugPrivilege	1676	firefox.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

msedge.exefirefox.exe

pid	process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe

Suspicious use of SendNotifyMessage 29 IoCs

Processes:

msedge.exefirefox.exe

pid	process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1676 firefox.exe

pid	process
1676	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4928 wrote to memory of 4364	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4364	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3256	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4384	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4384	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 2220	4928	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go-link.ru/mQLDX
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd657e3cb8,0x7ffd657e3cc8,0x7ffd657e3cd8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9452274572874577603,9908228291762287127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:3536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2464
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.0.1761188573\1619215582" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1712 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93fe04b2-bd9f-4203-bb43-e28d9a61ad10} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 1816 216433db358 gpu
    3⤵
    PID:2504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.1.1756803950\866883849" -parentBuildID 20221007134813 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95b91d9b-5492-4276-a977-8397e0202f3d} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 2244 21642e3cb58 socket
    3⤵
    PID:2192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.2.742113722\1728958013" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e284164b-9341-40df-8aa5-a9c8a1da75c0} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 2972 2164335c358 tab
    3⤵
    PID:4756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.3.1891125822\437923290" -childID 2 -isForBrowser -prefsHandle 3460 -prefMapHandle 3456 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af4a18e6-2615-4e21-b525-c710a4d2668c} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 3468 21648b9e358 tab
    3⤵
    PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.4.1705012139\1782011884" -childID 3 -isForBrowser -prefsHandle 4508 -prefMapHandle 4504 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {380acf4f-2670-4cc1-8817-23103be09426} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 4520 2164a1aee58 tab
    3⤵
    PID:3872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.5.1776113009\995470306" -childID 4 -isForBrowser -prefsHandle 3684 -prefMapHandle 1308 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ba9eba3-957b-4601-9095-b15f59196357} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 4652 21648b9f258 tab
    3⤵
    PID:904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.6.1405033317\625715739" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25d92638-859e-4bb6-9ae7-2127a647a9eb} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 5184 2164ab24a58 tab
    3⤵
    PID:1360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.7.496997744\704021532" -childID 6 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09060be9-1edb-4366-8b96-2a57ae2b4b0c} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 5376 2164ab26258 tab
    3⤵
    PID:388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.8.339721950\1839253531" -childID 7 -isForBrowser -prefsHandle 5868 -prefMapHandle 5864 -prefsLen 26458 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0663bc21-9d4c-4727-aca4-8cc22690326e} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 4724 2164c4f1058 tab
    3⤵
    PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
7719de5a37453a0f5c9f8ca9d9c82327

SHA1
d07f21cf41eb2f3f95a2fbbbd4bbb3ec8aa106ec

SHA256
e5a110dad37bed22283f9ae5acd00ce563bf6353e4848cd0927a12e29dcebb90

SHA512
af5ec04a050f4d0287ef0eedfb0990b569c3d961b55c4d71c10cfcbc37be3d6a77643213d84c4cda9f02c0d449a73e928d818d735c69d7f040ca9b5c7590ab63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
8674d9a197eb3dbb748148435cf5f6be

SHA1
ff3e75c52b1316725d428f7d4d265554f0eb8a0c

SHA256
cf56fdf75772afbc8771dc437b4d22408c5473d86659606ebc3ac149c1b869d0

SHA512
aeb547a0afea6644df071608c09adb7526f2a21a38594c38c5918fe1ae1450134a74f023b7fab4f5c434e9f66437af1a288187aaa2e1b5330f64cc23fedb6508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
9d3915539eb182645216ab761a4f5fb4

SHA1
0fde368531660115a7f0319d804451e783d96568

SHA256
bc4bbcf97cef7b5bcdf708161293855b5041fb117c500c76a627b3720153790d

SHA512
717ef59183ccac24d3295f7202f769ba7d9f5fc53e201071c37ed490de0d8736152881ca6d0c996b83ac5efcb5f0597b97883b517b50bb2613a21c1632bdd286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5bdea9122dde0fef384c85a7c916f871

SHA1
766d1db8ee7b46b5abe380d11763f8fbc8b81ef5

SHA256
b6f29487d092bd531b0c84f579c1a20a6716df40d5407ce0fedb5a45fce99799

SHA512
8e73db209eff735fe7d7ad453adafd1d5f4b578d9c205d05b4ca601a0f01768f7cc97839945018ba1404105c2dd4adbd5b315ceb2664f30602b75256e7084e6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f7d58d5439632b7f1e46411e700e138

SHA1
0c9f3fc5df3ee110c699a425445d06a2b7fd3895

SHA256
f45b4ff0bc0bf52e3ba4e18780dd55304d812f49bf5d7af52a5a26f38f94313b

SHA512
d28aee783afcaf976f5d7b88bac8a991e7dcb3e6370be1edea1be3a59b8dc9d27a1c1aeb04f4a053326eeb6e15fe320e84a438bc8923cf2db932f76a8383032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60762f82f51696a9589521bd8c43d9a4

SHA1
047d4d36e38589482b21b3c7a48b90182c9ebc42

SHA256
ffce0f7cb1a5e38e5a79908029a9b46c9eaa1252e1a231a599a76ce6e4d82d95

SHA512
a5e3aec3457386dc9610dbd4a29a087e7d7bdaee9abfc3b30976f0938ece235be000aea00bfdb24b121a03ff1963973d175cba567a5a5fa9103ff08205b026e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bdc476441f05aefc96ab265e037ed16e

SHA1
6cbff60d3db54a9d582e5e8bbb4550eb76cd2dc5

SHA256
3a32bcffa0d13fec9eeadfb0e4d87ab9f2ac7010ecd11748fce19871ddbd6d98

SHA512
013fc9c30aaca04bf7bf83652290aee78f68a060336601973635041c6a4bcc4fd606f32dadc05a9f25424a28aeb98363e81e5a006ad2d26952be9c8ba81bbc51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
364d0f4dc5a681f97a407fb52f59aa4c

SHA1
8a5b6d96728b8604bf0a4a7ab8e47cee28d6a755

SHA256
3651a0c9f6be4f0eb3b537183f4ddf7d21296d93f2385863932b3f3871871fe7

SHA512
5a3d9e7ac41eb54c5730bfa72ae7d74e4b01e4b393502a6e56ed32fb47b36734ac630907e0965f6ee9ad8fe9d989a04ad3dff3ab48de51df9e057cc89c54dc7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0aca73c166f68494d8121f141f9ead84

SHA1
ff670d8c54557cbe15e3bfd23e5461d960c7508a

SHA256
8e220ebd77a0496b15e54977bf1c2f532eb94af4b827a8b20666895e103b118c

SHA512
300b5e4fb333fc45603b00b88fd6bc788a195474189fb756544eed3ff0de831bc90cdbc2991ac80e7473f99c144f271d18639dac41342b99d27e627378b542b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
c0b3cc82e5a930470977740c87c49bfa

SHA1
4ff611acbf9dd24b819d13221a76e4f5f6664a76

SHA256
3b7e7d2abcc79e232984239171fb0a93e9fc36ac4f7668ae000b2eb36c2cbf02

SHA512
1a6b61bdd0ce8d63b8928897a4b93fe0e775fa00d132494a810df1d230999fcc8f865234b18866ddca8c7802e0751ef23d0c0160d9e1e4fed273e04aa0b393be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a95a.TMP

Filesize
204B

MD5
dde3c85eb2dcb3a5d4c0cd10328615c6

SHA1
d19a30cfddb8cd247db64a783822950380117b71

SHA256
5e241ae38f844bf336b76ffe8295bbd662ae720e06efa0c0340977db8907ae61

SHA512
bb51f21707497678e358e3094fee8e3db08f0dbf435d38d8e41bbde86ba0af94e3c15cd7437b31d0711bc77902c4f9be2bb9268d9583544c558ab08727193aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9a9ef456a85b0af37bb9d7a2a5605944

SHA1
ba14ac36690d94a11a35045277159c8998323069

SHA256
acf62feda6df43555382254b02b31bfecfd5f2c4520beafd72c4004d1d7c6d9f

SHA512
88b8a8c80f8c26aafed1f53fe6d76d9d3bd72069d2d418e55eb87389357341d97645bac56cd406d49d773a03b87a58255a99e0959672c383f990d1fdf4e00961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5f741a3ab02dd1bb9fd16203c4217b16

SHA1
09fd9a8d3b44e068a9567c017630e2acb829b889

SHA256
74990b73d4a94f1edde08151a60408ce5c9057d5756a64c82339c634d486ea38

SHA512
781038c4e5790e245d99da7ded2c5ed864818787025bc21c405fb9fece4b7367a1ee5cf1a8319f5cd2bf9b929dfe8da7f8020c95817c67d11406222b78db1e25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
4b72d9a7df2ea02e3ffa5790e3cce6a5

SHA1
4502c681c22ec15030569f274188bbf15468a68d

SHA256
54b4798b2cc8b62106f72a94335505739165201e8f14be5800c92972706dbbcc

SHA512
2a978d30a058bf8cd6351b1974310ba1ebf82923be2c95be11b09225ce7bfb621522f6845795427f6774686281d53d5550b009b575b9b530a61811cd728ab03d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\4b51c596-2974-4856-8c75-23e66ca81fd4

Filesize
11KB

MD5
6af0abf4790345b860f7d624e592e3d0

SHA1
fa4314ed7019d23208f303eee62cb1ec15ab59ae

SHA256
1b02c080605a87ce89e88cefccde23e5150f35199c07d2a35aa747f7a7d7429f

SHA512
99797f6002b1157deafb7b37d889b0907a14c11543734d1ecad31fe51f7a97d7f1cfe12bad3ec65a8cf8fc026e40637cc88599f8ebc4fd31422dc52b81c19e60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\85348724-89ec-435b-b834-f1d445f7dde1

Filesize
746B

MD5
0d72a8ac80ee847c8b1ec098a3175f2d

SHA1
803e9838ec695b259e1251328cd56e107e568b1e

SHA256
2dc47fda4d66ec51c871f00b1e0ed7eeff37d7662cebd5df21bb2526286560bd

SHA512
fa280e75a91f5f0e5f1d69795fcdb66679c1fd135b0292fd4c2cf08f6c4373ad6cae31e1b5282a8846c391042380391ed1be0ac64d5b6db7386774b6fd5c3efd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\prefs-1.js

Filesize
6KB

MD5
b5e82db0298f39da5d0687b9b99faf4f

SHA1
a1ff86feef193aa9af90de271c3ef02edff87733

SHA256
18631e90621a846805a0f3682f96dd3d3a6d2af585bd59d3cf13054bf6458bc7

SHA512
d5513690add237d07eb51bfd3eae33ed1ad0bbd016213c190c78375335d55a43dbe200df954808f651288b42c1d74a0ec710a3b300fdd9a840841d683f0794a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\prefs-1.js

Filesize
6KB

MD5
8f504b5132eaeec3745f623057f5501c

SHA1
831e5df02d0774759fa4289435a7704780273d98

SHA256
3cadb9a498d6a3b0a4deab48153a70eec55e99dd95a3910a88fe263fe15108e4

SHA512
d44c080be2fbe1c11b768ab0ff5ec052ae2e2a7a239e497c004fbaba73439cbb00fd3051d565514e8d9f6a988e392a9f19a98ca8fa08ae3bf5ee0dde4df3e46d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
067011bf1f0457350b4ce9ff91d19e8b

SHA1
4f23ae1e96f08fc9a497579d7e0216290eb9b967

SHA256
1525cf415eeeb9133d9c84a0c68cf17f5ef57032ded8f13bd1fb90426bc53142

SHA512
e7434c7441173cb473d4ea728a077fca35baa596700cd55a797646d48e695107ea30a68cbbf9f54be752e260e8cf787301f0a9e9cfdd6053ac97686c3150a172

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
7bbb8d4df2c7ba551ad32133b082df10

SHA1
ec298eee2fe8c985328b364c1dbaa3956a351362

SHA256
df6760ef88b4d3af53cbc0f67456a5efec55e7510eca790c42c42a2c78ad9520

SHA512
08ecc67c58be8e337a2f7f6ff1830ec92f3a2cb09e0aa0566d57c624467b7455bced26eaf061e95d32cf0af24e3cd74b812fa8e4a5d40674ade4042a712240d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
480f2ac246207a2c5ec984b74df261cd

SHA1
3d431fb255ef9e4ddef56420d99bb5c1b3fff634

SHA256
cbe3c63c09a512571d349a6ef92a70327ff29db0168a1f1e516e951eda166b6c

SHA512
e710794a4f572329b299574e46d6a78eae48667d2eb909ca8002a07816bed5aaf27b51920b614bc58804f915b1942d3083bc584d8d697cb8e7c2fd259c717ebb

Download Submit
\??\pipe\LOCAL\crashpad_4928_TQONYXQUFMUVHCTG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit