hxxps://cdn[.]discordapp[.]com/attachments/1256043165568466954/1260782457171738666/Domain[.]zip?ex=66913b69&is=668fe9e9&hm=57a7366a998b27ba4a0010221a8bb7043b343394e71fe340935138475476eea3&

Analysis

max time kernel
46s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 22:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1256043165568466954/1260782457171738666/Domain.zip?ex=66913b69&is=668fe9e9&hm=57a7366a998b27ba4a0010221a8bb7043b343394e71fe340935138475476eea3&

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4544	msedge.exe
4544	msedge.exe
4808	msedge.exe
4808	msedge.exe
4328	identity_helper.exe
4328	identity_helper.exe
1556	msedge.exe
1556	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2416	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5020	firefox.exe
Token: SeDebugPrivilege	5020	firefox.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
2416	OpenWith.exe
5020	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1704	4808	msedge.exe	83
PID 4808 wrote to memory of 1704	4808	msedge.exe	83
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 3676	4808	msedge.exe	84
PID 4808 wrote to memory of 4544	4808	msedge.exe	85
PID 4808 wrote to memory of 4544	4808	msedge.exe	85
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86
PID 4808 wrote to memory of 1608	4808	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1256043165568466954/1260782457171738666/Domain.zip?ex=66913b69&is=668fe9e9&hm=57a7366a998b27ba4a0010221a8bb7043b343394e71fe340935138475476eea3&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9848746f8,0x7ff984874708,0x7ff984874718
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12138840419392029289,7318559105518668039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\Temp1_Domain.zip\Domain\bin\rbxcompile.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Domain.zip\Domain\bin\rbxcompile.exe"
1⤵
PID:468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2416
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Domain\Domain\domain.py"
  2⤵
  PID:4980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Domain\Domain\domain.py
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5020
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64ee1bb7-8ea8-4eb2-96ba-d40bc3ad2038} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" gpu
      4⤵
      PID:3856
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {465fc1b5-cbf0-40d9-9451-28aa14986e9e} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" socket
      4⤵
      PID:4832
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 2980 -prefsLen 26818 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {159bd3cf-7171-49f5-af12-471895ce7572} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" tab
      4⤵
      PID:5204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2728 -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 2700 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daebbc6a-a210-4de8-be2b-47f07ae07316} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" tab
      4⤵
      PID:5380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec5fd81c-1e67-4fc6-b2d0-519febbd8f55} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" utility
      4⤵
      Checks processor information in registry
      PID:4916
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5336 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3211db51-ed42-4ace-a5ca-83152c18c9e8} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" tab
      4⤵
      PID:5916
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5336 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72e997d2-805a-45a6-945c-5e921148d6c3} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" tab
      4⤵
      PID:5948
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5664 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95999983-dd77-4e36-be71-7fd884b7c273} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" tab
      4⤵
      PID:5976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6332121e7c6b888916cb45dd1c29462e

SHA1
63855727edfd909d87ca20565bad61a8e18c89c2

SHA256
7b1ef3e5db965184a6aa4ff7d870592bd9540c8b1a9221025f21f957f1ac7831

SHA512
71047125f2cdab89929ce1a3ca41b6beb80c56141952e8e7c661ecdb5576688b9f4ae123941d5ee48f7f654dd5c800cccb375a5da16500c7120026f614fbd726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c89b775cc2b9b9b79064b2159cc88c98

SHA1
45d67a283d0d32e4fe8d540afa5a95fa788d5585

SHA256
16bc840009e5b52ddb036f08f2c11f70633da7d11d3b23ac4a74f46d231b4f7d

SHA512
1bff705d961d70ba3370b9d78722559ebf12d299325f57162704168f7a7e4f897e920973918b3afb6d5924a8c6f5f437b3a5907da8ca2fe7db700635dc140947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
39773e9e3f3b2719f83d05dd1b665138

SHA1
9d9d4804d1a215ee220fb752b882782dcd97ef62

SHA256
ff3ff2a59aeb1ef1574e976a2b6830262b3afe4edb752bd0b1a766ad512985ec

SHA512
5f655b8730326ac9d1bf0e5100bac9adf34cdb4f36c33d5c86dcf202c325de4bbe9b4c4e75589a7f913f93ecdac55c20b72becfe1a3d7592fc78de5f960bbc96

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
26a0694573f1341ce88ad4bd465fd64e

SHA1
c2970e756b5a2ae9f5024fd0a665d56d73736f2c

SHA256
0956612a64c90db4ac4484fcfbe76992ea85565b008920247dd4b5de9d0b79f1

SHA512
5ace7215539c055bba1d353521202be2a35555ae9458878cfa4ab5420a61e70af2e175aaec56d8df9d5db329294b23ce8bb72b16f3e04a715ebab7c6ad8af9bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
af0eb436ba34b4c449a18814507dfee5

SHA1
a8e8d8c609357f536b57678a7ba5e2392bbd9e2b

SHA256
5a916610a1e582ac2592410129fda324b8f958254a85987adf1de57a69b202aa

SHA512
554b95771eaf522c37892f0a3df2323914e2d15984fcb160f7e1517911068b45ffe565356bf58ef2e8eb2fa4b7103cb4beddc6cac62a882dcfb7a21051d72861

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\03470d53-e7fb-47ea-a1ea-9565a8d64c00

Filesize
671B

MD5
ce02fe6439d0ff78d92ceb5589f92eae

SHA1
36b69055d47708c6af438cd5b9305f4cee77ebea

SHA256
8c3ab04edaeb8d3f0fb509efa78d19bf769d7adbc2c255f11aacc84846468266

SHA512
826bdc69cd8a716d93ccc912652300063ebcd57f05fd067ff9c7e70ef26360e1c9bb70eaf8bb2c79ed7d0ec619b40b626ecfed6275feb2e3033f9c849834921a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\26981e16-c7a7-4c06-8692-e4df9d91ef7f

Filesize
27KB

MD5
228d6059da2d3c3c4780c894a426a8f7

SHA1
00894d66d5a99617bba7ac017b7640512230fcf2

SHA256
340e0e2c96ab4853a184d1e6875c221d0de75583a9c847a9a9ec18c367c2310b

SHA512
a4ebcad310d991d8519371919937953d5f08d35ea0ab0739b9bcb81a368f610020587b43d90a06459a34a7e45ce1ad507d9a55ec907bb4281525f6ef923f3b28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\4bf2e55a-93a1-4d55-bf75-c36b1ee11429

Filesize
982B

MD5
ee4dec6d834c628f442fb8e6c1a56a44

SHA1
96fb3f134e26a3f076a691e6e237f8ae0c63e95f

SHA256
a7d872aa3c39c680ce79814399cd18dae318f0248c4b4cd917f2c36283ca79d0

SHA512
d7cc88d2914c2230e51e0ebb848362cadf24d10fd80ac5171e8eb777e961a18a201dd7594c1fd5d1ef0a671356e8718dbc04637d0b17f0bb860cb81751f2b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs.js

Filesize
8KB

MD5
b8f9933e9df458359538b6726c0d11cc

SHA1
e5d862cc03bf0c2b63b3329e277d49c3d3462d32

SHA256
f11f66fc58c4e197509ecacd36cdc9c29df2b7f92c18627ba848be0a207aa38f

SHA512
c7e0b1c22b53b1ac1f5514878426cb08cfd852ee50bd55225386d982cc404a1e841850b1e610c55baad0b333ae2e42061e5d386efa3c8b76ad764100b5776530

Download Submit
C:\Users\Admin\Downloads\Domain.zip

Filesize
840KB

MD5
44181a804c3e38f3c735b1b6efb8d5db

SHA1
e8bc080643287a971690e4e0d9f3b87b348013ba

SHA256
d4c8845ab6a2415b48bf5539f0d912f4d4f61e898e4e1c839c56784aae3631d2

SHA512
ff8ff0d0ab5e049d60b758482d079bab3e7c5e2094358276ec9e448899139e017052d8830c00dea5d900ff069f8a65b0ee9587c5e855c6106f0fbd9e03a418c6

Download Submit