073a57664a96bcb5dd48fb39a1f8b2f5b80844adffcb18a290c292128253d4ce

Analysis

max time kernel
150s
max time network
155s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/06/2024, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft.MicrosoftEdge_8wekyb3d8bbwe/en-US/assets/ErrorPages/DisableAboutFlag.htm
Size

993B
MD5

56e5a4477f0d5980ec5d05f811bd9a6b
SHA1

3d343248d27dddc70b1cd78a94b3819dffcc8e09
SHA256

0ed46fee8517cb7a69fa32ba3632b331ab28ad2d063aba9a81e2ac07b5c7f047
SHA512

2e3f8b7a9b3c4b645cdd545ba944ae312d35333e62ec3b3fe319e5cb35022a12db8e5dba4ac85eeaf7b7e5540ec44a01987cb2c4aa9c5a8c49b60020a5d6158a

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	taskmgr.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "426252354"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000acb572bcbe2d14649ed14db931c276f4345ceaf4324a74762b4c185f41e2963bf44b4b08e58a4dcb005ad8d7da3adf84881f5a45b20abb7a019b	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7b602d7984c8da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E6612205-9B31-46B3-AD4E-A814870C865A} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 877b715e84c8da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 40c89e5e84c8da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "426268949"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = d1388d6784c8da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2cb6eb7084c8da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2656	taskmgr.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3616	MicrosoftEdgeCP.exe
3616	MicrosoftEdgeCP.exe
3616	MicrosoftEdgeCP.exe
3616	MicrosoftEdgeCP.exe
3616	MicrosoftEdgeCP.exe
3616	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3992	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3992	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3992	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2316	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2316	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2316	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2656	taskmgr.exe
Token: SeSystemProfilePrivilege	2656	taskmgr.exe
Token: SeCreateGlobalPrivilege	2656	taskmgr.exe
Token: SeDebugPrivilege	2304	firefox.exe
Token: SeDebugPrivilege	2304	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2304	firefox.exe
2304	firefox.exe
2304	firefox.exe
2304	firefox.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2304	firefox.exe
2304	firefox.exe
2304	firefox.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3572	MicrosoftEdge.exe
3616	MicrosoftEdgeCP.exe
3992	MicrosoftEdgeCP.exe
3616	MicrosoftEdgeCP.exe
2304	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 2316	3616	MicrosoftEdgeCP.exe	78
PID 3616 wrote to memory of 2316	3616	MicrosoftEdgeCP.exe	78
PID 3616 wrote to memory of 2316	3616	MicrosoftEdgeCP.exe	78
PID 3616 wrote to memory of 2316	3616	MicrosoftEdgeCP.exe	78
PID 3616 wrote to memory of 2316	3616	MicrosoftEdgeCP.exe	78
PID 3616 wrote to memory of 2316	3616	MicrosoftEdgeCP.exe	78
PID 3616 wrote to memory of 2288	3616	MicrosoftEdgeCP.exe	79
PID 3616 wrote to memory of 2288	3616	MicrosoftEdgeCP.exe	79
PID 3616 wrote to memory of 2288	3616	MicrosoftEdgeCP.exe	79
PID 3616 wrote to memory of 2288	3616	MicrosoftEdgeCP.exe	79
PID 3616 wrote to memory of 2288	3616	MicrosoftEdgeCP.exe	79
PID 3616 wrote to memory of 2288	3616	MicrosoftEdgeCP.exe	79
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 4948 wrote to memory of 2304	4948	firefox.exe	85
PID 2304 wrote to memory of 3612	2304	firefox.exe	86
PID 2304 wrote to memory of 3612	2304	firefox.exe	86
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87
PID 2304 wrote to memory of 1324	2304	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "C:\Users\Admin\AppData\Local\Temp\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\en-US\assets\ErrorPages\DisableAboutFlag.htm"
1⤵
PID:1768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2288

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2656

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2304.0.79343945\1528301380" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf102cd1-d93e-442a-ae20-f817c50e593c} 2304 "\\.\pipe\gecko-crash-server-pipe.2304" 1796 207f6df5858 gpu
    3⤵
    PID:3612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2304.1.542810504\105650498" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20efa046-b64f-4daf-b22c-8638dd7c4f8d} 2304 "\\.\pipe\gecko-crash-server-pipe.2304" 2156 207ebc72e58 socket
    3⤵
    PID:1324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2304.2.226663184\1893690890" -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 2916 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dadf093f-58dd-451e-a70b-82f0480162b1} 2304 "\\.\pipe\gecko-crash-server-pipe.2304" 2932 207fb09ee58 tab
    3⤵
    PID:3256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2304.3.862385032\1825500349" -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {978f4cbb-6899-4a40-86c2-9424bc1871db} 2304 "\\.\pipe\gecko-crash-server-pipe.2304" 3480 207ebc5b258 tab
    3⤵
    PID:5228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2304.4.1106923354\1184365742" -childID 3 -isForBrowser -prefsHandle 3880 -prefMapHandle 3872 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a372bef4-355d-46b1-b672-eb0873b5a21e} 2304 "\\.\pipe\gecko-crash-server-pipe.2304" 3896 207fc665158 tab
    3⤵
    PID:5312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2304.5.1836929340\1402431896" -childID 4 -isForBrowser -prefsHandle 2680 -prefMapHandle 2664 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6438dbbc-6976-4076-87f5-605bc4fca780} 2304 "\\.\pipe\gecko-crash-server-pipe.2304" 5044 207ebc6ab58 tab
    3⤵
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2304.6.685607559\1889491615" -childID 5 -isForBrowser -prefsHandle 2688 -prefMapHandle 5064 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4edfe7fe-be26-45cd-87ef-6cd7c27eda02} 2304 "\\.\pipe\gecko-crash-server-pipe.2304" 2672 207fd04c758 tab
    3⤵
    PID:6140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2304.7.546160037\1557272315" -childID 6 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fd5df41-c03b-426b-a9d7-bb459e284d4e} 2304 "\\.\pipe\gecko-crash-server-pipe.2304" 5288 207fd85b458 tab
    3⤵
    PID:5084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2304.8.1173462180\1126858483" -childID 7 -isForBrowser -prefsHandle 2576 -prefMapHandle 3380 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3854a9b-b127-4aae-b300-b7b7672e8fd2} 2304 "\\.\pipe\gecko-crash-server-pipe.2304" 2744 207ebc5ca58 tab
    3⤵
    PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\B813C467\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\U93LUENG\favicon[1].png

Filesize
7KB

MD5
9e3fe8db4c9f34d785a3064c7123a480

SHA1
0f77f9aa982c19665c642fa9b56b9b20c44983b6

SHA256
4d755ac02a070a1b4bb1b6f1c88ab493440109a8ac1e314aaced92f94cdc98e9

SHA512
20d8b416bd34f3d80a77305c6fcd597e9c2d92ab1db3f46ec5ac84f5cc6fb55dfcdccd03ffdc5d5de146d0add6d19064662ac3c83a852f3be8b8f650998828d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
2e288bda3486beb91e43888f7b22f2f6

SHA1
7729d7b9c8ee6bae24fa498837fdcc97469c9acd

SHA256
40bd701ed11ddfd02b49eb41c6a063e850cdc2a93fcec05868a6b5b8a0bb7b33

SHA512
0c84677f5f73693247ac545c035401d63301c7ffd55077abf681ab9af69bfc9207b0e72acdab5c9b08cd6efb58df8546bb085e4bf76e20736a83d018380068a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7c6a2f91-8a49-4e8b-95e1-8641b7a28f4e

Filesize
11KB

MD5
344ed4fed95f85fcf2cee93fb4194fef

SHA1
1493968e2e11aedcf2c0f761375afc7dd88e1f20

SHA256
4acca2fa82ba74f159fc3a118bf530b733b0941f719ce64fe9e6a55036b3e016

SHA512
94b366a4bfecb9ef859c2717b0ef4a525364ef6096f9e7bbed56def413226d50d0eb5448058b2e25e123dc0ac5cccdbbe81552c1dd798571311cee6edec9af6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\84a64fda-03bd-46b7-9658-2e764810c92a

Filesize
746B

MD5
f0bff78dabdcd7da6f51245747e80d16

SHA1
a333abdeca090b8e33e44058d74758add57c1e81

SHA256
9f6fff7fc3db9a4635aaf76b7f38db19b2539045e4cfb2c05b7a2773f3a057dc

SHA512
6903658f4d41f01ef2ddccedcd293799fb1d4622eda1012361224f4c3c433144aab5e4f74b460e8471d3264a8adecd478c68d890955269222d6e5d732be8d7cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
4b024f73f5bd6a11c63e881e5829247c

SHA1
8aefc4a2993a5a074f0db2b29d402547f38adb11

SHA256
4b86ec4da3caf75129ff6d8293f2c34611ba5447ce8e46ba5164ea09c63a02e9

SHA512
233119e80760e4d49a6e3792018a1790345a6a703dafcca4c4cb025cd33731f172fd237ba8c3ca29d0f75c3658cdec52677d4182d2d116970534c8f09183a660

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
d4af86d17f9063c0a9cceca50978079d

SHA1
9364d71ada6f79adbfe63a9d79735227ff1dec5b

SHA256
7eaeaa69be404a995e99d53e7a0f29cabc7668d80e9e724e456c1d7c62ee95db

SHA512
5d4aff7721aa094cb68947dd57545dc9a125b0dcdf0894d755ce9870f7101a121e7a5e233866a3f5bc19de09df49199b91888e7c4fc9d3ccad1b55680361c30a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
225da7fcfed72e27709abc5e39729253

SHA1
10e95a52b9826f74d37ebfe7d36dcfca1bc128aa

SHA256
8f4f8b5750dbf1fd7b05a606f1641470bd8991b5d6bb388d3b9a4b0471668c09

SHA512
44e43cbfa9575948cf9b2e92ad8fd2e00029aedda468f5bd39714e3bccdb499b04c09a14435e1182f4e281eda6d870a0391b420a4feb5558ead37c2ca6776004

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
3e6afe0743d1834537a100c6bd9fa9dd

SHA1
59fe1de6d3c69c3ddcb6af807f43ea51c14a0c45

SHA256
227ef418d6082fe70fd62ba96e0d094e80f36fc89f9eb4547b5ec009da916281

SHA512
f8202938a5f94f0e9c7d1a1d56aff42cb2fa1cd9db621f39c6a0d3df42820c8bfc92a752b91c231af7b170fa9fd66b4b49e4d7a5b475b5d6f333886871f8c6ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
0c35db8c839ace44a3a111417ec7489f

SHA1
5bda00f437b0092d9b0a663521f86d1e9ebd3e8e

SHA256
5f6584d552a15a49cd32ab3edd1380b826b46381853b8c0cf856d5363f315161

SHA512
0a39e51735cbef76743e3de0c68aa45b441522ed8d380a728c9ce51d07806910a03be5245b238d459ae07fc85a1ecce90a4744607d7dde4d8cefeabab696b8b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e17856189a854739d2c4a587be0051c4

SHA1
f99c0f9738e313b1fad67e52c549374d1bbc799b

SHA256
1d043a7ccdb3b77b8a81f7ea1a5a5864d07f58a7384e03bb281f457fe2e3ffca

SHA512
33d867a88b2e1f2c81c2c8459d62174f00e380a246d00d85f5cbd39fc3ce734fae9a268797be69e532222a26b548a89de6072a16af333c9dc7545d7a33cc4529

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
7f868e557b098795d645df9ea302427f

SHA1
001f3306144559b4049a8ab139b4139f51e59c0e

SHA256
b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

SHA512
56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

Download Submit
memory/2316-65-0x0000028E1C920000-0x0000028E1C922000-memory.dmp

Filesize
8KB

Download
memory/2316-61-0x0000028E1C840000-0x0000028E1C842000-memory.dmp

Filesize
8KB

Download
memory/2316-52-0x0000028E0BF00000-0x0000028E0C000000-memory.dmp

Filesize
1024KB

Download
memory/2316-51-0x0000028E0BF00000-0x0000028E0C000000-memory.dmp

Filesize
1024KB

Download
memory/2316-55-0x0000028E1C6E0000-0x0000028E1C6E2000-memory.dmp

Filesize
8KB

Download
memory/2316-57-0x0000028E1C800000-0x0000028E1C802000-memory.dmp

Filesize
8KB

Download
memory/2316-59-0x0000028E1C820000-0x0000028E1C822000-memory.dmp

Filesize
8KB

Download
memory/2316-63-0x0000028E1C900000-0x0000028E1C902000-memory.dmp

Filesize
8KB

Download
memory/3572-16-0x000002631A120000-0x000002631A130000-memory.dmp

Filesize
64KB

Download
memory/3572-171-0x0000026320F30000-0x0000026320F31000-memory.dmp

Filesize
4KB

Download
memory/3572-172-0x0000026320F40000-0x0000026320F41000-memory.dmp

Filesize
4KB

Download
memory/3572-35-0x0000026317500000-0x0000026317502000-memory.dmp

Filesize
8KB

Download
memory/3572-0-0x000002631A020000-0x000002631A030000-memory.dmp

Filesize
64KB

Download
memory/3992-46-0x0000026E43700000-0x0000026E43800000-memory.dmp

Filesize
1024KB

Download
memory/3992-45-0x0000026E43700000-0x0000026E43800000-memory.dmp

Filesize
1024KB

Download