hxxps://social[.]mtdv[.]me/watch?v=rnbazceKJs

Analysis

max time kernel
141s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://social.mtdv.me/watch?v=rnbazceKJs

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1896	msedge.exe
1896	msedge.exe
1776	msedge.exe
1776	msedge.exe
4328	identity_helper.exe
4328	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	5312	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5312	AUDIODG.EXE
Token: SeDebugPrivilege	5976	firefox.exe
Token: SeDebugPrivilege	5976	firefox.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
5976	firefox.exe
5976	firefox.exe
5976	firefox.exe
5976	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
5976	firefox.exe
5976	firefox.exe
5976	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5976	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1616	1776	msedge.exe	84
PID 1776 wrote to memory of 1616	1776	msedge.exe	84
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 2704	1776	msedge.exe	85
PID 1776 wrote to memory of 1896	1776	msedge.exe	86
PID 1776 wrote to memory of 1896	1776	msedge.exe	86
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87
PID 1776 wrote to memory of 3972	1776	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://social.mtdv.me/watch?v=rnbazceKJs
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa94c146f8,0x7ffa94c14708,0x7ffa94c14718
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,1931172211833889442,14662286958685441032,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:5216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5312

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5880
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5976.0.1653652666\1302546185" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {065b771f-3199-4511-a4c7-2d79013014d8} 5976 "\\.\pipe\gecko-crash-server-pipe.5976" 1868 25f0be40e58 gpu
    3⤵
    PID:6108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5976.1.116664591\1886360969" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3818c518-ecf2-4da3-9122-7de2ffffa579} 5976 "\\.\pipe\gecko-crash-server-pipe.5976" 2436 25f0c375f58 socket
    3⤵
    - Checks processor information in registry
    PID:5356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5976.2.1422976988\146899669" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dd78af5-bb7c-4a06-a042-3cd169afd960} 5976 "\\.\pipe\gecko-crash-server-pipe.5976" 2972 25f7f281358 tab
    3⤵
    PID:5180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5976.3.2109179577\1253266170" -childID 2 -isForBrowser -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9952f86f-ad7d-4679-a864-7f9cf0ca1eb1} 5976 "\\.\pipe\gecko-crash-server-pipe.5976" 4208 25f115dba58 tab
    3⤵
    PID:5260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5976.4.1171182292\1833412851" -childID 3 -isForBrowser -prefsHandle 5056 -prefMapHandle 5012 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74c7b365-eb07-4321-9aa5-f74d2af6cbf1} 5976 "\\.\pipe\gecko-crash-server-pipe.5976" 5064 25f13373b58 tab
    3⤵
    PID:2900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5976.5.314142737\246104688" -childID 4 -isForBrowser -prefsHandle 5228 -prefMapHandle 5268 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f1888e-6290-4377-b0d1-bceb9e6d3aa0} 5976 "\\.\pipe\gecko-crash-server-pipe.5976" 5320 25f1359c458 tab
    3⤵
    PID:3752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5976.6.667138654\1041333896" -childID 5 -isForBrowser -prefsHandle 5360 -prefMapHandle 5480 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4fa9f8f-2888-43e7-9d83-e5a595639d34} 5976 "\\.\pipe\gecko-crash-server-pipe.5976" 1528 25f1359d658 tab
    3⤵
    PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5976.7.541473932\69152473" -childID 6 -isForBrowser -prefsHandle 5860 -prefMapHandle 5856 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fa77ec9-31cd-45b2-ad34-b4b6c38e6fac} 5976 "\\.\pipe\gecko-crash-server-pipe.5976" 5872 25f7f277258 tab
    3⤵
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5976.8.947704352\2096764242" -parentBuildID 20230214051806 -prefsHandle 5888 -prefMapHandle 5884 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9613af6-8b04-42b4-b4b8-20db6b794d1b} 5976 "\\.\pipe\gecko-crash-server-pipe.5976" 5916 25f14932858 rdd
    3⤵
    PID:5812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5976.9.230158502\259953254" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 5900 -prefMapHandle 5896 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {653c5772-25dc-4d48-9c52-8effdf81f333} 5976 "\\.\pipe\gecko-crash-server-pipe.5976" 6028 25f1492fe58 utility
    3⤵
    PID:5644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
1024KB

MD5
626048146bd459d91088cec04846f528

SHA1
c985f321ccd27fac4232c9e982a673e5834747d4

SHA256
eb5e268a05d200846810b3b1d070e4820fd6c0a8ae9bf316f73f7ae3112831e1

SHA512
852a033cce6c860fa9cf5d99b091302e4d88dc479e57959a1ea64c957dd5e85f4b4a462b9fb26b8ab1e6d784028ae374c10cf056913e7d1f6024375dd6a127ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
43abd195080909c1511a3234d11a981d

SHA1
32b2d99a4a2e180b20e654cfb33a9cc62384c3cf

SHA256
bb9a3bb6bd2f2e1c8d6b740ede0a7395e33bf18a3f8d45ec58ce6826c5b462a0

SHA512
99cc9047ae3ea8c22ec916e05ed34e0011fa4711d05d7d5ba74f85f0ce2bfe649ad520cd894ede76e1b7cab334c78e8e5028eb3577b2021fbd64d972a177c5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9ef6099e020a5314d1d18ef2957c8802

SHA1
8a755098ccce22aefb40a58e7b62280a8048ce54

SHA256
6fed0579a52c86ea866dba50ff5a76f931ae86995613d178a6a9407f9e6c3157

SHA512
6c326dfb3cf0c243e73fd38ff3d10c9433bac6ecd535b99319e842422e9043f88a5137ba51b5909994043a3c0d18baeb14a381c04d22dd3533afa353b89bab3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3bd56a02249eb8b3b505db6b1caec403

SHA1
4ae88dcb9ba06c6d85511f40ebe7da31cfc7ef5d

SHA256
7136b0b85da53a243a250a53c09e1e01dd6e0ed0e9ca36bca153d1e7f9ef5ecf

SHA512
2cddf299c6f93919e9fed30f76868fb3ae2481b4605ee27c0d1f58eed00fac678518f2feb9e41103ba93ffc0de0649e5cefe14ccf9456a8bbc580c136f643898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e83d48743bcb6a82a51a9c92a431d681

SHA1
c661c3c17f7aa07ad358a6a5f5a55219d7ca6d90

SHA256
7278e34488f019928f0ca6ef10ed2a44023ee205ac6670861829208ac1fe4406

SHA512
56047fd7688d20c3859190c1e7ac3e67afd463a438ec8fcbda973ab11e1aa1939df5154989252cadcc6d184e25e27ddd7deddfe620ce329678980e7782a95c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2c917aa032a85a9484416dd65115d3cd

SHA1
a3022aeb645a75da617e79e3bb501080a3c52e83

SHA256
c4a16127895f011fb3b3495428021670ce399f812c98beb35523315c828c149e

SHA512
ef5ba0981c2b1415422778ae0e6eea60f50a85fa9b0e16c0717c3266bf4bb033cf7317f6dfef2a4f40f633650314141df3f98597d63efc0ce66e92675a3b9bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3be04146f506b494b7ee0462e022f2f1

SHA1
eb28a0310e61774d796ad5cdd1bbdb32af08e4f0

SHA256
8737a98ead218df4a47410c983c68a2c1adca2c790fdcd97d6491f99bc32ee77

SHA512
36cab615c3fe05125a1224c390f24639e7d9b7fb8c961687b0758c4cfa38d8876abe3bca19040f31c4ece4e81b80850adb81acdaf667e9e6bc75242400d104e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c1a17efc33596c9c90df2274e94540c

SHA1
1b65ac5882760c3934f6234ba170cdc20770d3ac

SHA256
8a492109d72c94683a3eeccd3f7a88bacfbf9ceb5858a9cc74d7170e051f958f

SHA512
baea94868882bd0b3a1c9a54a851947ddfc9a17a3933b5c25f19b6edf2a5b2dcaf29061ce6c3dedd3ab5d9f2cd8b541780a271b33eb0ff81d156675d5bf7a024

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
65caeabb0951c982698f9249d66b7f92

SHA1
7de7273e1a6a6a09df3e17713314993bfc7f821f

SHA256
d96e3c820f4270d9e05ba0c111dcf6e82ca0fb351e83f0dcb3dbc38255201cfe

SHA512
4d59bf5d67fecf1abc32d320a7a6ece630506ad15074135756865b18b71308184f9f1274165076778d52155d075d82bd7d2d204db44cfd4969f49e394b5c51c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs.js

Filesize
6KB

MD5
425a8b9939675ba1982b11b8a1eb8b15

SHA1
6c33b8f585a3359725e5a0ac8583290a2e961cb4

SHA256
72958a6d0350ad2d39a169d87aa083f3048a02c702f9938f462f5a1c11fb3329

SHA512
6ebb599d7cccd32bc25b8128a5e9c468272693bcb7efcdc6d289a9fd6cfb5ad7e0bd1bdb3dd9ce0403d98765e5b7292c60782a69ae37d69e589a227cb1820021

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs.js

Filesize
6KB

MD5
a9126b1aff8cc70ec0caf7602d66de08

SHA1
ee763fc12a7c70bd4a03c5ab11be8b67e92fd1cc

SHA256
0285212b36adb7422bc0e87ef19055236bc2e7b55b103d9e88f4aeae67bef89d

SHA512
747ee2ac821394a85ec4964fcd35af2c6cb0b6d310ec9a7b6e0962637cdc64e293a92474aeb0736c910ba3fc1bea4efc6b83f4f63793088f9d8427a154955cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
827a005f57835205f776401f8616c0c0

SHA1
7fc47c6cbdd4bbec370a216af6c8c53771ce9ff1

SHA256
9736734c70277d887c459bb53253666771d04d7b07596a75ace88ee494baa1bf

SHA512
88d9797b443c61e84cc071f85bab95cb6016a7da5f8ce95badc7963bc911c25801eb1ad6403f5e4cf5c6c3c2ab27734f5530399e6c49cb24a444943c7b665a84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore.jsonlz4

Filesize
2KB

MD5
afecb0a80fcfe1b05fc26614a715e8c8

SHA1
6e2ade78363f49b754c61076fc548a5c9984780b

SHA256
3bc6d341c0aaa92b8473c280e81d612eef7d4d595e060f681d135d23cabea8ad

SHA512
c3e279baaf54e49cceb0aaab3b1a64fee647d3b26df82385e3f2eb024dec9195058731611fd3ec617144f1e268aa5bab485eb4093dce463cc07f26f0c512687c

Download Submit