hxxps://https-robloxi[.]com/games/12886143095/x2-SPEED-GIFTING-Anime-Last-Stand?privateServerLinkCode=26506707701818265698528425070781

Analysis

max time kernel
102s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://https-robloxi.com/games/12886143095/x2-SPEED-GIFTING-Anime-Last-Stand?privateServerLinkCode=26506707701818265698528425070781

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

4100 msedge.exe
4100 msedge.exe
3080 msedge.exe
3080 msedge.exe
3384 identity_helper.exe
3384 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2220 firefox.exe
Token: SeDebugPrivilege 2220 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	firefox.exe

pid	process
4100	msedge.exe
4100	msedge.exe
3080	msedge.exe
3080	msedge.exe
3384	identity_helper.exe
3384	identity_helper.exe

description	pid	process
Token: SeDebugPrivilege	2220	firefox.exe
Token: SeDebugPrivilege	2220	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

msedge.exefirefox.exe

pid	process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

msedge.exefirefox.exe

pid	process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2220 firefox.exe

pid	process
2220	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3080 wrote to memory of 1408	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1408	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4544	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4100	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4100	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 3012	3080	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://https-robloxi.com/games/12886143095/x2-SPEED-GIFTING-Anime-Last-Stand?privateServerLinkCode=26506707701818265698528425070781
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe92d846f8,0x7ffe92d84708,0x7ffe92d84718
2⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
2⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
2⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
2⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
2⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
2⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
2⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
2⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
2⤵
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5228 /prefetch:8
2⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,5051147802910872899,4681328532415504992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1
2⤵
PID:6000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.0.1261601205\1333822894" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9251987-f77c-47b5-8848-4df4cbd050ab} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 1868 1e3d18e3d58 gpu
3⤵
PID:4876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.1.1134007327\1655082132" -parentBuildID 20230214051806 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1eddea5-e29b-4a88-9952-710de90a817e} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 2436 1e3c5a8a258 socket
3⤵
PID:5084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.2.1741932324\878951524" -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 2984 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b530402-3666-45f4-8cf7-d2f4c6655414} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 2996 1e3d5612e58 tab
3⤵
PID:4284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.3.2147004972\1414455181" -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 3732 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63a00429-18c9-4c22-86da-f7445d7a0765} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 3700 1e3d7876e58 tab
3⤵
PID:5132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.4.1436317331\1996405343" -childID 3 -isForBrowser -prefsHandle 4904 -prefMapHandle 4916 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {928aa3d5-2d57-48ad-8f92-19a6c222cf55} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 4928 1e3d9858a58 tab
3⤵
PID:5468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.5.2079741593\1616063576" -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89b558c3-632b-413d-8937-2d068c06389a} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 5048 1e3d9859058 tab
3⤵
PID:5476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.6.1588824780\1069737791" -childID 5 -isForBrowser -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dfe0efd-854d-4897-b5dd-018ab1be819b} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 5356 1e3d9859c58 tab
3⤵
PID:5484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.7.310932016\1197773282" -childID 6 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0898b83-e8bb-4c5d-a40b-4b83f159a6d1} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 5656 1e3d841df58 tab
3⤵
PID:6048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.8.364854079\1562065965" -childID 7 -isForBrowser -prefsHandle 4956 -prefMapHandle 4944 -prefsLen 28172 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {212bc29f-8ad5-4a42-999a-f5eb5f945aba} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 5248 1e3c5a7d358 tab
3⤵
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1755bfaa6523d2c7a04c7eca89820a2a

SHA1
6902fe931baa963c5b335f985c65a59db437aa23

SHA256
a1030234d21848718e9c4dbd1b550e798d890ef8eb185f422e9ad2eb70eba31f

SHA512
fb040f963d5fd69cb6197d86b7379f9ff45927cc89c23f58849739b6e76d36f7a42c5a1e7f64d97690f28e00c906f4c50b4a06da23cea5e48427623c0a93678e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
94fbb1b7e1cef4451bc43e5c04539b68

SHA1
99790e9da9f341876d50bdf65686911d8166c978

SHA256
25ea1f304c1e7b168401fc50523f3331798d966436dc4430f6bdf564984d384c

SHA512
d0cd726efaae888d7061cc4a8b9ab61dd33cc3cc1b47c86f9ad44d8672a1536b5756a4a71106934c8ee816a7dd8eed06217d12927533bd79cb0b1c3d2b9be394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e14612e6986c43db0eec3dba74fa755d

SHA1
0f052b0afbfe6faf2789f0337110d0c216b2fcfc

SHA256
0aec136d5459647d98e032b6b144ef9e66f4b586ed5e02fd52b80f2e4fdffb19

SHA512
403820d9762d56643a8556b1911414131f0eab657cd0cff2cdabe3920a950c96fbf0caea8d90136d9a3925f0e286b45f57063f89b20a7e571103ca356ec04c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
875eff66ee51de9f14e25ff888c3ef4c

SHA1
a99e00098a95e4577e61c265ea10bddca816c7a0

SHA256
398ded837215d51748386982be0fa6969e55aef56ebf075adbedc8095d6fb825

SHA512
0f5ba411fb651032300065dd941a4c0db74dc5b2e863e8dbddf3988ec4eedfa94010151cce86bc3dcc96ab316a76b5dccc03d622263ddc73797ffc9383b5f71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
161418e33caa49301d554cdeeb021868

SHA1
5d7732fcd1a140b6c227909cbc21b3a551b77729

SHA256
5ff3a3f419511c7b17b35b751bb3582e518a16d17072d6297fb14802bf4e098f

SHA512
6391986ecedafc3040afcdfe38e702959d3dfef743bd2caa42365d0f30220c2c81185d664be9a48d97d3af086bf7315e32d433107b0afb14abe93760edd53a1d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\activity-stream.discovery_stream.json.tmp
Filesize
24KB

MD5
21c3a013327a69f4c2dd0ab518ce1bfe

SHA1
8bc706836f3c63a7c2ebec32ff1f1ceb31a36401

SHA256
1798bcc6a7f1c47440f19f3f166482c806e52c4adcd8dcdd69e02de95f63de53

SHA512
9aeecd05b4aca1da408eb6b51779164d8940dec0aa4f5fd7c03a0b0651c8119b9e0e4f2f4218893fd96bd8aa2b5295f38a53a073d353cfc1c30be614795d1dd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs-1.js
Filesize
7KB

MD5
09f9d580560198235a65c87f453d93ee

SHA1
a9269512cc105771f61ad5a2ae433ed6ef546365

SHA256
afb20c99358d176243e31febcd9bd069262afa27a29d78a5c3bfa31856fb348c

SHA512
34aec3037741ef2cf5af8586beb18567741f5589a8d527c8030bd3a8609db5e1d7cdc1a5bf33d0a2781c3cd3484a62b1c285ed0434e101cf3361330b467bba04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs-1.js
Filesize
7KB

MD5
c0b869692ec7bb6f5a69d8c231d6f626

SHA1
7b48380e2121a0d3d011f023adfce4aa15433291

SHA256
867a1f76ad88d4209178ce3d93a18250c4682379f13da51fa758a704e4ab8014

SHA512
e7cc8479bf93b9aabb4e7c92248a101fb5fdbfa08f72f5e804d886494e2da772e222e454567320f3682bc484d79d5b014cf00eeefe26cdbfb4af090c09b61f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
708b2b932352ac32eacba58dc9ea2618

SHA1
bdb2af4f4ec2c5c068ae4b4a9cc577a2ae72b4c1

SHA256
b662cab0b1a0bc598f35c1fef53547531074a135a00452aedf36bc73b386471e

SHA512
70642113019660836548f2a36945e6e8485750435e93c67fdcf4176ad4036797a8be95a0754e8e6a8630f36f0c9dd0a83f365a5bb0946b5579080e9f39dcc70d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
bc683fc30225c85655a8bafdbda824f2

SHA1
c1b4e0ef968a79ac5ed134d8f8441fe94c7a7320

SHA256
e14a7bff5b24487012cf536a530858e6aab2d43d99ab93270af4639526c5884c

SHA512
1ce93bb303cbb9a8d82e8f4489fe53c4cbec1698c8ec9cb806e9365a76283ef92eed2860b4b0088a31db4c0b86f2b8569397d62c29cd6c920ffd2981f94290db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
e99f82a071ed715452db88362eb64d78

SHA1
dd5ad8f9f9182419af953daf3024f0a0ae48a443

SHA256
39de301d3efff6fb886c521a5f06a9e7ede167c6bfe88e772dee764a877597b4

SHA512
0aa215e142c4693e910eff52be9728dfb51dc79cd104e661468904c905ffd9e86c7fd51328b9a5793be6fd4a217a7167bc6f25e738d7bbde0d3576ff897e7cfa

Download Submit
\??\pipe\LOCAL\crashpad_3080_ZPDFARVUFILRTYSF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit