hxxp://www[.]sourobesepay[.]sa[.]com/udmblmqtj/caulb3526brklm/MzZF5ddSzDL4-3Cf_at8rc3MefUqJzj2qx3oXScXa6o/MmboWW8Q0DDZ4-6MKkoPldkxovta7dUW4D-45jxLMMntCC2Rp_pgLXTYANDIxQGm

Analysis

max time kernel
176s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.sourobesepay.sa.com/udmblmqtj/caulb3526brklm/MzZF5ddSzDL4-3Cf_at8rc3MefUqJzj2qx3oXScXa6o/MmboWW8Q0DDZ4-6MKkoPldkxovta7dUW4D-45jxLMMntCC2Rp_pgLXTYANDIxQGm

Score

6^/10

motw phishing

Malware Config

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned. 2 IoCs

phishing motw

Processes:

flow	ioc
77	https://bid.g.doubleclick.net/xbbe/pixel?d=KAE
71	https://translate.google.com/translate_un?sl=auto&tl=en&lang=sk&u=https://elitegadgetinsider.com/zoomshot-pro-svk/%3Futm_source%3Dtaboola%26utm_medium%3Dreferral&usg=ALkJrhij1a18A7Jbu6a1e19rjzbmnYcw9g

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1700 msedge.exe
1700 msedge.exe
3016 msedge.exe
3016 msedge.exe
5632 msedge.exe
5632 msedge.exe
5632 msedge.exe
5632 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1700 msedge.exe
1700 msedge.exe
1700 msedge.exe
1700 msedge.exe
1700 msedge.exe
1700 msedge.exe
1700 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2648 firefox.exe
Token: SeDebugPrivilege 2648 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2648	firefox.exe
Token: SeDebugPrivilege	2648	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

msedge.exefirefox.exe

pid	process
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
2648	firefox.exe
2648	firefox.exe
2648	firefox.exe
2648	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

msedge.exefirefox.exe

pid	process
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
2648	firefox.exe
2648	firefox.exe
2648	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2648 firefox.exe

pid	process
2648	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1700 wrote to memory of 2992	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2992	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 1284	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 3016	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 3016	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe
PID 1700 wrote to memory of 2228	1700	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.sourobesepay.sa.com/udmblmqtj/caulb3526brklm/MzZF5ddSzDL4-3Cf_at8rc3MefUqJzj2qx3oXScXa6o/MmboWW8Q0DDZ4-6MKkoPldkxovta7dUW4D-45jxLMMntCC2Rp_pgLXTYANDIxQGm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff86ac446f8,0x7ff86ac44708,0x7ff86ac44718
2⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
2⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
2⤵
PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
2⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
2⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
2⤵
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2840 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
2⤵
PID:3760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
2⤵
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,359345109484318468,7801051865938521176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:4828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.0.45699776\1028975515" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2abf94df-544d-40d1-ba04-a4b450f17a00} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 1868 2001730e758 gpu
2⤵
PID:3760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.1.840618690\1669514991" -parentBuildID 20230214051806 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eff02fd3-3139-4a8e-bce0-07b756965f1e} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 2436 20003089658 socket
2⤵
- Checks processor information in registry
PID:2600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.2.1422587078\2141120844" -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 3068 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5baad516-0681-4b42-beb9-5bca33ed5d9f} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 2856 2001a1f5b58 tab
2⤵
PID:4784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.3.718817600\1298810914" -childID 2 -isForBrowser -prefsHandle 4200 -prefMapHandle 4188 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cfa58f6-76bb-4993-8810-b02435ad8803} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 4212 2001c0bab58 tab
2⤵
PID:4608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.4.1993448886\1637289167" -childID 3 -isForBrowser -prefsHandle 4980 -prefMapHandle 4976 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0a97630-311f-4c0d-a306-6c683944744f} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 4996 2001dfe1258 tab
2⤵
PID:5228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.5.322808344\177975523" -childID 4 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a750a26c-11bb-4d3e-a269-934cd97f3366} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 5124 2001dfe3658 tab
2⤵
PID:5236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.6.1652125098\1000333729" -childID 5 -isForBrowser -prefsHandle 5336 -prefMapHandle 5340 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {694fcfbb-aaf5-4c12-84dc-26a20e04f95a} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 5324 2001dfe2158 tab
2⤵
PID:5252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e2ece0fcb9f6256efba522462a9a9288

SHA1
ccc599f64d30e15833b45c7e52924d4bd2f54acb

SHA256
0eff6f3011208a312a1010db0620bb6680fe49d4fa3344930302e950b74ad005

SHA512
ead68dd972cfb1eccc194572279ae3e4ac989546bfb9e8d511c6bc178fc12aaebd20b49860d2b70ac1f5d4236b0df1b484a979b926edbe23f281b8139ff1a9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
864aa9768ef47143c455b31fd314d660

SHA1
09d879e0e77698f28b435ed0e7d8e166e28fafa2

SHA256
3118d55d1f04ecdd849971d8c49896b5c874bdbea63e5288547b9812c0640e10

SHA512
75dce411fce8166c8905ed8da910adb1dd08ab1c9d7cd5431ef905531f2f0374caf73dedd5d238b457ece61273f6c81e632d23eb8409efbb6bf0d01442008488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
b9afd8c3e0378362235c118d4f6248ea

SHA1
45fa1e57493c8a343f552a6c977df34a65825932

SHA256
852be431dbf78d2016a48575e4ad1ad55fdac66f5370dcc8841ef287d0e7f698

SHA512
a4acbc028b3e500066bb7c1505d7122215d7530359ca3570bddf2201f66081a13f6771a7796fedfd775d939eac2270fa3611c70808e2a5ebb2ac420ad4c13ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
941b08d181b976125ea8dd02bcec4c96

SHA1
41d641e4caf5402e354da4f519ecfe545dbb64cc

SHA256
eb16181fbbf8e847e49ade055ba06297b14426b6d0b5150d8f5b49eded5d01d1

SHA512
b40b0b7159aabd9c152ee56b6ae64b9ce302769f2ead7537d06c3100b567399c1c9e29c5855adbdf64b8e7c0a2306c3604eb877b98a549a026145576e12b5669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
2357474854a5825552d100ecd6af7f49

SHA1
a1ff144096199207634b13c3776f8b8c234366ef

SHA256
b493aa134e445b3fef8c22eab457062178ff89f10401e7b699faf64c10e09bf3

SHA512
c7eb75f158a24906c91f1118475f4f766a8e83bb5b607cdd7174b360a5dd8cf0bd63bb9eb73164e7fdab5a15d5f5bb3a92baa616a17c8a0766cf97f03b36922f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
fa2148e1e0f2adfd0bcf66db722c56a5

SHA1
775beeba280126f486658b4da1dd851a7ebaca34

SHA256
68462234c3aa57f0553e8149022298dcf4a0bb9eb2d56ac69ea7c6b9b52ea2d9

SHA512
7b49a5ec0dd9d32cc50da79dbfda325223fbd54c98918b840a575772e8778546e3c7d58ffd9f7fa481b72b3e8888a1ddbcfe563937c587aa8a9b54341fd06efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1a3f20597946052ca39b04e8de802103

SHA1
d804771b3c513bcc25494e08e14a96e71266b86c

SHA256
e1eced609bc2d13cbfa2320f0a04dfe23e4909f38845724cf32500d0a5165bef

SHA512
6b4d7925683875f5c65c513544451239fac8864203da73bba27f0eaa9d92efacc163d37d66129bef33feb27a595f5594cdeacebb292dfb05cb557d58bff8f21a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
b0eae98ce16cbfdff3639e2680ffa37d

SHA1
d79975f8b03587417fc758b992ed0c4a01be8695

SHA256
bb9168038e10b5813686d9275ea981269f9534a0001e81d2fd9522c9ebd5f11d

SHA512
5d2662dd27d357db1e5b2b69f769ea55f4799178fbb828185070d6c73148eb3a1dfc18d75e02cbf8de51f04be6982ed3e81035538b3997cefc5d4b630a4b5a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bc6c808e48f05c2c6c9e537139bfe59a

SHA1
fc0ec0e7c797f823393993825faca3e07decbe66

SHA256
9221c0ba4d0c7837380054a959bd442488138c9c0365b6e2a44875f88a0f30d5

SHA512
6aa2d695c1a632a601ef02a864f6df2c54ab8356a006a40632585e81224d6e5eeb9136750a1e5c7ee9c0b1d904bd35e189518534cc7789a0aacfaea4a227c882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a85c.TMP
Filesize
1KB

MD5
c5cef5bb47416a13e9ad23ac3b05145b

SHA1
f12b2130747cee79138456288ba5d3eef0f2eabe

SHA256
2137c68376cab5d71b52a6dee72e12524a398b24c09bf03024cf74fad5d9c0ed

SHA512
946ce748199585f90fcd009db5c96df9faaa270b0956915db90dd39a42ca336a3bd2451d36608a27082745b933affc99d297a816b2b7c58204135621380b2ae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f6afcf9be8bf2df429d0612e7b9e4810

SHA1
d6ee1367f9cbedc890f26fb801e3e278464c77cd

SHA256
e80955eda0964302effe924867c69d522ee13e9be628ea102c095b063a8bbdbf

SHA512
d897d759f76f9abd9a7e9bc455890408a8652db6d79c0155b953501e9500a0ef4e6a3c1808858fab4bb83d5b4f45e88a3bb1d02fe6d2deba83149904bf8b0248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9aa5e42aabe43386e37c3d2b49733880

SHA1
b6338dcaf06fc54b6f89b350eb16286330ecd3f8

SHA256
3b3144a77da74e49c3cf839b81903db5434ff1a5a14451876884e73fd37142e3

SHA512
1cae28dcf728fc4f6b9d361e0ad6ec25c8dd14e41248b8c594a6f1e47a85e4e80929edef389f7c6fada7b04357265f21284b5024099934599e7cf36834343ad1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hwldqhqu.default-release\activity-stream.discovery_stream.json.tmp
Filesize
28KB

MD5
98c177c04d64015ff23b0569ae084549

SHA1
1eada371e7760584a64cc67ff8982641a1badfed

SHA256
77e3e3775b7ef2531a8e8016da8715283f9c36bb4c5fe2f043e14a605dc3ef39

SHA512
db3c54e849e15b42d30c4030605696cfc4ba5c33ff9d733c7d58166a93c94af79c62c19cc91475a378bbe3dd442fa97e3ff366ae95ccbd198f51a67577f8ee3d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hwldqhqu.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
410a6941b3a3969f28ec69c395422dd0

SHA1
dab674a3acbbcb4708d0939cede99813cc145805

SHA256
a0340303717e08881e65e181544793b37a11d6bb55f9d8a2ce6330b7a1a5b54d

SHA512
277a36d2115870b9e9929510883f9a90f5b192fb995e9d25ef3b730cc210426029dc06120f11da8a6bb13db0f3297900252434d887ca84e1a3e10ec383edb6bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hwldqhqu.default-release\prefs-1.js
Filesize
6KB

MD5
e75b45b8937913d13d98005725b444b7

SHA1
2189b266d8cc88acd7a8ce051ec5bf1a7f69f9ce

SHA256
1bbbe712d317cea98b80746d1cd5ae02e393272b2ed98dc6bd68b18646ed0a5b

SHA512
b22c2dc5cf72a7cb1bd5792030ad4abc2273ac30876b3f8f933a44193de5c02e4f46e879d76119018b347a854f5a21f9e8d58261af2e42d127d0ffccd6a688c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hwldqhqu.default-release\prefs-1.js
Filesize
6KB

MD5
4cceecb19deeb4e98ea4e14287400477

SHA1
1ca4b8c6fa6be803bd2c7a3ac7f0d27fa9c1a6f1

SHA256
3c139477a32359056769e1186b33e47d606a4613b12070caa8a107095227933f

SHA512
42a549299598c62ea4df2d4e59ac67756328915f4383e609c4ad1d059da3b9921263802291f6c50276fc72056d6f069f64063e86b400f11c138851f75cee8e21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hwldqhqu.default-release\sessionCheckpoints.json
Filesize
212B

MD5
29ce37dc02c78bbe2e5284d350fae004

SHA1
bab97d5908ea6592aef6b46cee1ded6f34693fa2

SHA256
1bfee61e2f346959c53aa41add4b02d2b05c86c9f19ffefe1018f4a964bf4693

SHA512
53a9eb746e193c088210d8eaa6218d988f3a67ee4cb21844d682ff0178db040932404f5ce2f3cf8b4576313ba0ec33c04ca288c3412bfa5df7dd8230cc2068bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hwldqhqu.default-release\sessionstore.jsonlz4
Filesize
903B

MD5
fe263430d092c25461f05eda52ffc2ca

SHA1
0dc84fe03e85a344591b80bd983a0f3bc486eb44

SHA256
4054510db815f30eedeef7aff4af32604659429517d94a77427547ba37a5788b

SHA512
06e816a3037ab9b64f9d2650450c13d1b78a0bb3eb0342230ff2f0b39ade4540ae850b939c95c34c592d9da798ec4bbc82803d9d80f4c1d4c6d9a0fce5795a19

Download Submit
\??\pipe\LOCAL\crashpad_1700_SDWMUGYQTZXJQHJV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit