hxxps://www[.]google[.]com/url?q=hxxps://www[.]google[.]com/url?q%3DdCSMjVnvsqsqaP8pEWWm%26rct%3DSpPq9HncUaCXUtCZusX0%26sa%3Dt%26esrc%3DuZR6jk9A67Rj7RZhLuPE%26source%3D%26cd%3Deh0xIKCKpKh7i4kTt26p%26cad%3DVEVtMkQKVNr1KW4fxShi%26ved%3DNTDACygNXetEDbRT8YiY%26uact%3D%2520%26url%3Damp%252F%E2%80%8Breid%C2%ADopur%C2%ADificador%E2%

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com/url?q=https://www.google.com/url?q%3DdCSMjVnvsqsqaP8pEWWm%26rct%3DSpPq9HncUaCXUtCZusX0%26sa%3Dt%26esrc%3DuZR6jk9A67Rj7RZhLuPE%26source%3D%26cd%3Deh0xIKCKpKh7i4kTt26p%26cad%3DVEVtMkQKVNr1KW4fxShi%26ved%3DNTDACygNXetEDbRT8YiY%26uact%3D%2520%26url%3Damp%252F%E2%80%8Breid%C2%ADopur%C2%ADificador%E2%

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
1284	msedge.exe
1284	msedge.exe
5092	identity_helper.exe
5092	identity_helper.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	firefox.exe
Token: SeDebugPrivilege	4436	firefox.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3008	1284	msedge.exe	83
PID 1284 wrote to memory of 3008	1284	msedge.exe	83
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 2548	1284	msedge.exe	85
PID 1284 wrote to memory of 4500	1284	msedge.exe	86
PID 1284 wrote to memory of 4500	1284	msedge.exe	86
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87
PID 1284 wrote to memory of 4484	1284	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/url?q=https://www.google.com/url?q%3DdCSMjVnvsqsqaP8pEWWm%26rct%3DSpPq9HncUaCXUtCZusX0%26sa%3Dt%26esrc%3DuZR6jk9A67Rj7RZhLuPE%26source%3D%26cd%3Deh0xIKCKpKh7i4kTt26p%26cad%3DVEVtMkQKVNr1KW4fxShi%26ved%3DNTDACygNXetEDbRT8YiY%26uact%3D%2520%26url%3Damp%252F%E2%80%8Breid%C2%ADopur%C2%ADificador%E2%
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb12546f8,0x7ffcb1254708,0x7ffcb1254718
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,4437236488411028947,5880220059844814162,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2544
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70c0999c-ac43-4cca-819e-a4a890ddabba} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" gpu
    3⤵
    PID:3184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f6ab037-040e-45ac-8fb6-38d8c3432cd5} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" socket
    3⤵
    PID:4340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3268 -childID 1 -isForBrowser -prefsHandle 3360 -prefMapHandle 3184 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30874cec-65af-4105-9526-43a6edbe1bfa} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
    3⤵
    PID:4544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3956 -childID 2 -isForBrowser -prefsHandle 3944 -prefMapHandle 3596 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60b39b27-a78c-4239-8788-6283e29e2af8} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
    3⤵
    PID:3292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e482d925-a8d1-4794-9b87-0947993b6943} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" utility
    3⤵
    - Checks processor information in registry
    PID:5384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5336 -prefMapHandle 5332 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f48ad16a-4421-4200-afc0-282f971b5147} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
    3⤵
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5516 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {809979c2-64d4-4b37-a38e-d0b11ea9da05} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
    3⤵
    PID:5812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 5 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad89a380-ad9c-4e25-91ee-7acbe33c5fd7} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
    3⤵
    PID:5824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 6 -isForBrowser -prefsHandle 2952 -prefMapHandle 3076 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e53e3e75-a627-4e9e-8f01-24f07873b0fa} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" tab
    3⤵
    PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7006aacd11b992cd29fca21e619e86ea

SHA1
f224b726a114d4c73d7379236739d5fbb8e7f7b7

SHA256
3c434b96841d5a0fa0a04a6b503c3c4d46f1c4e3a1be77853175e5680e182814

SHA512
6de169882c0e01217c4ca01f6ead8e5ebb316a77558e51cd862532dbf9147d9e267f8db667ff6e9fa33164243724f5e437cb882392382f3cae1072dadb762c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b80cf20d9e8cf6a579981bfaab1bdce2

SHA1
171a886be3a882bd04206295ce7f1db5b8b7035e

SHA256
10d995b136b604440ac4033b2222543975779068a321d7bddf675d0cb2a4c2b1

SHA512
0233b34866be1afd214a1c8a9dcf8328d16246b3a5ef142295333547b4cfdc787c8627439a2ca03c20cb49107f7428d39696143b71f56b7f1f05029b3a14376a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
5192a19a05826f549533bc65b8e6ab05

SHA1
d8ca822b19afcb0dc66239c0a09b8c31754861ca

SHA256
8e0b60e0c6f65bffd0b7fd2acb493ff40aedf5590fc19b77db16114169b836cd

SHA512
a8912a45628b7996c1e09b01144d3dc418522f7213105031a829a1b7676e56af24e455c5fba6dacccd9f204e3e45f60ab514c06524010134bf61131b8c31ff0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
f033342ccf4bd675267b63ecb567c857

SHA1
702e4a8f610d4e1b8376828303f6397365953227

SHA256
e9e066414c172d64ae0756f49f5898cb68dffa2d08c70805d3714612b5d10a44

SHA512
1074d1e7c225129c3f18b2f569261f84fa8e2b09422fd1d53e0dfb6e5adf59e6f39d55669c117f2d44eba1f08e296299c7f0f818800b36eb6b39f6a5dcb1c222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
3662ec811e3e98fb74dc08f0b0162b44

SHA1
89bb11d377656f8a51c82315d322e4dce9e65b25

SHA256
b24994e9af7540ac567e4321ccf80aad7025399ea316584fadd6060c0268e554

SHA512
e5e8526adfb1c56de271f49d389e8f90cb5f536cb5a29425e3401200a35b2d2da9bca3bb1c5be01f2b65c90564d1bf6b9b0adab095b6c48cc031e1b80308cfdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
db9e52d3a4199ca62be37454facb8128

SHA1
a24705c8c9c17147c571580386a0290ed6e0f81a

SHA256
feecc31ce07b109e6f57a92a615d12d7bbd2c1867f48eee8af289e2860f13efb

SHA512
8e5e3791dbaf90ca77fc3367fc4c1822fdc82fc5768bf9bbd4ff1d7f245eec63cd2a7c0e588c08fa6aca1717184f2aac010b9a6423d0c52ce5e2532e79cecf83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
815B

MD5
8f1b5bcf67bf31c605b532fda5b08fc1

SHA1
ccbaeb5bb2d57f421ee3a3a20f87348461fbb3af

SHA256
4d525e33d521d7b7f771314d1de2e644718bbc7699757c75ae8a45d165f08c34

SHA512
088cc8e92fc5d750c59506e182f5daad24c0f28701533609c0f8a0eba6ed0cc5bcc31a2fc8f2ce1ce21fac098351069f1fe816505fd4816bb39de6a6a02ca915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2532663420bc3a6a0486d1abcd1a7de6

SHA1
8478505ed228e0c926295993e26a26996e79bfa8

SHA256
71940cea681d9533cfb5bc4512823aeacab02d5954defbb8051eb9645645c67f

SHA512
2d97ad5333f408a08233085f7f2c4daf6e5e5e37d0b48870e8cd66635aedbbb96afbbd487a3638e5aae46c64b0ca44dbfc6113880faeddbd6349aa53d643f35a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6280b77e2688f7970048bc2ad2eef536

SHA1
d1133ee10705a5657503736d422bb116a1c7f6e9

SHA256
7de20ccf277dc15182653524e5305ab3294e046fffe6d88685e017e459f8d2ad

SHA512
15f066d622a83b8a6cc8a89fba6f931ecc036af72a69bda809dba8704f0eb7f565e3ac03706c4fd9bc1c4702b19e73106ee71bc0a07c110c1fe20636f19a2d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af6bd932a222392bb5a17f432420f1d0

SHA1
e383b07d31d86ea9a18b84ef7f4f16c1097d5f10

SHA256
c8719f741c17863793eddfa3f88d2cace27eb68d03b7efca69be397e6e9ff3cf

SHA512
d64b249012cf4fdab58e245251c2c059d28c0b4d59777511f789a19fa6f9056802f82cc6e8f92642e32f6c3141e3f26781bda381972a674258295485a61a7880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2bf413d1599d640c14c9907e1f935731

SHA1
7f476b5635c912efae8f12d9620a76da87ea7088

SHA256
5f790ba3e33bfc96aea6866a20f826557b680215a2b160624db13eed3b9e0d0d

SHA512
bc30263bf43345d2dd86a9844d545a8385174758bf385995856593294deb79406c341759b22f3e7fa245dd2889c87aaa2e8d9dd71c50b864a449663937db1d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
44b42eaac8d1b0ba3b9affc328ef54bd

SHA1
1c8ecd6c249b61c748f9d306d7d4541186544091

SHA256
0607e29b9e3171f39ec5410b405f862ad5a3216686ab7786856f49d917e901c5

SHA512
df0ba9813bea576af29cae60b6f36ca0958fb26f8ea28ae30c0a002bde8e433077cd3da711d5ca2627d25a735cf2016914d0b7c868cd5603c83aac6f89b5bb8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
41be04a584f0e8f510032a92e5ffb36a

SHA1
50f3456902ae0475a5fa876f3ce1dda19ac376e8

SHA256
6754095af61061220c876b63d10ddfffb99dfef1f3b2048563681132334fea7b

SHA512
ef600f5c1a41237f38e11144933b691568c46af6c6d9d964260259904cd3253ae1b384aebc0711bb6a65e003c412470ee7d69cc391bd50cd0051be899d312034

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yeb58ys6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
b4ab16fa39d4ebdb1482b7e40687acf3

SHA1
90171bfbe2ad7af0b8a1b08edbec134dad2a41ff

SHA256
3808519af73b66d9f8f74964bcec3ae7543aabfded1c4502d0d75cdd6e3d86e1

SHA512
bfe81f04e3c74d0bf94b4dade20166617568e1777d49e76ea10b71fd2cc6893e4df512b7a00bdf6d0d77a301533912f69a1604bcd25a35dd26b482634f4a65a6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yeb58ys6.default-release\cache2\entries\10A0222AFA26BA84074326BA5AAF691B1EB56EDC

Filesize
32KB

MD5
fc91094b4f8cb2c617b75a0ec1aca5f7

SHA1
5d82fe3ab52e52eea7a0927897cc82ada3ad1854

SHA256
f16ee45abd69226de9e5c1e21875c9b0b89860ffaf839a67ebfea6886ff49c85

SHA512
e726876ac3f5da079e936d2728d7784bf4688104131dfbf51e4c7ed56e16f5a4e7fe5bc139f75237c1ce339fa9642c765d0fed7057a8e8cd19f747d11fb86b4a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yeb58ys6.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\AlternateServices.bin

Filesize
8KB

MD5
633ac332284d0dd9e59885b595526bf1

SHA1
456377c97a6a0bc4d72d2ee90a3a09ac83f5493f

SHA256
7c2f9355b536f0f6fdacc04d3091e94a5b29d41e154859bd92c606417520f3e0

SHA512
aad8aa2791cacc52eebe6f4a99a9e1b3e9eb0c759ea6e0e919f7b51dac4404eb866e7ca217b94f272c361bd0f00737eff0052340d538d8fbd4ca295d1015f23d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
813264e3e76e00c76a310d2d3db67449

SHA1
ed083e61b2e1ec3eff189f4b894154f995673176

SHA256
8d836b75e2018ae6e2fb02d53445505dfbdc7799138fb98b33e54882cdd4fbad

SHA512
9cc42231e3b1364e21b040a37b724f533eb73a0a8ae515beadbdad678c49bb1998d34b6a455c95bcf6de650d44232be8cf32fc29cc863df156085f1b79763e3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
627fbf43ab9d87d7ed9883e9a4e32ab1

SHA1
e5cd0ea571644bbb91493d87dd14b35ac02a8e75

SHA256
356507b1cb5d1b778a758abfc755154fc638a65b01531317418bd3dd34292c4a

SHA512
c1ccb293ddee378b5e98202f2e8139020667f27c8758695273b9d8fa71a5591b3e7cd781b5d55873d028d77cf998b21c49ca5a975cba9052a7a7c4a97543e225

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\4de56383-d402-45a1-811d-3e157ae96894

Filesize
29KB

MD5
d0e8d671099b601f11046f6c521e3e23

SHA1
9aa9b1545e13dce2ca4d57c018d900fb426a19ce

SHA256
276a522f20d1e50ef80a6f418266b390777d9d4cb1dbb013cb85fb08206d1302

SHA512
f213d22e9b7add14ae68f151d10695e34bdade607ea5415b69317c41e06f312a785e1f741c41a10a7e776098416ad29e004bac4da62307e7d0213f471efb22ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\bf7bee08-4179-4d26-b70c-5e453cc476bb

Filesize
982B

MD5
4c65f68086d01b403071cbaa12063ef1

SHA1
f49559accc6ecb3e90d8ed224d6b3da462f6c00f

SHA256
894d3a42bee0d1f810134ea091d2e07e117f26f21a40456a97c6530a6795884b

SHA512
066dc882d238a433601d43fcf33b31cb7dc2c3084ef25f86e8c548cd79cb863bcbd87b30f0881964e5ed49fe5de54b4c04a04d9b1a88a00bbd798d7d63d71e80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\d50d97a0-1603-4e38-9c93-272189b9a8ad

Filesize
671B

MD5
8ebccc741adb2d55190818a0012f62ce

SHA1
d1de1199932115ad3d71f032c11dacec44151a06

SHA256
a2a7e412dafb27ac1200e4830cd312dbe9f0d3fa0518a1dc33437381708f4cb4

SHA512
d21b72cdb68e30b55cbbbbc49ecd249ea20d82a6645adeca2e91040d1799288b813f128f320f6a9eee8aa4fc44a57fea7e58b542e21984bca114780d3d9d9c32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs-1.js

Filesize
11KB

MD5
3c8be9762074fcf180c61983a8933af5

SHA1
85458be682a33eefb72a715a6a3eb33a63fc00da

SHA256
0b88121c4701d97f7609def3a298faf7b75cb176f648304fa81892ce7ef4d879

SHA512
b35a13c266f1de909c292fca5b41eb42b278a92b6674c42bd5af58947e8a92d913fdf63d553632207f5b84702e6b9cb29a2fbfbb43c3a627b931c02050cdc253

Download Submit