5665333c2dfd92026f29fc7b5fd99258c34300309b26a5986fc8eff4599d14bd

Analysis

max time kernel
118s
max time network
124s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18/09/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

218KB
MD5

38606d56dbb1d50d3850cbd97699b46f
SHA1

ea577fc3aadcbba99e706a2522118410fbdaef69
SHA256

5665333c2dfd92026f29fc7b5fd99258c34300309b26a5986fc8eff4599d14bd
SHA512

06384c70977f3c19bfbf8a25fd21d55f5826b5da1be9f17bfa500beef9391911c6d5700f6e00976ac30828f1594dc6dbd896c6c9d5c18568fa0a38afaee224c6
SSDEEP

3072:2Hj4Bp5XgbE8CWGB5hm79pka5/HIk/mIo9SISnCa9LjzMvrDe7qxuCCiMLa9nVsd:2Hj6hM9t

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
4852	msedge.exe
4852	msedge.exe
2604	identity_helper.exe
2604	identity_helper.exe
436	msedge.exe
436	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	firefox.exe
Token: SeDebugPrivilege	2036	firefox.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 2748	4852	msedge.exe	80
PID 4852 wrote to memory of 2748	4852	msedge.exe	80
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 3884	4852	msedge.exe	82
PID 4852 wrote to memory of 1184	4852	msedge.exe	83
PID 4852 wrote to memory of 1184	4852	msedge.exe	83
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84
PID 4852 wrote to memory of 3840	4852	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0da03cb8,0x7ffd0da03cc8,0x7ffd0da03cd8
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1908,10245955187307094251,1293551207739931281,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2832

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4312

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:664
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a5a24c5-4897-4cc9-aced-d6f3c61a133b} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" gpu
    3⤵
    PID:792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f8a8b70-5547-4ebe-a82c-3c8bade9611a} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" socket
    3⤵
    - Checks processor information in registry
    PID:3740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3040 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2ffd7f2-e341-44bb-bec0-d032c4eb8e9e} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
    3⤵
    PID:5040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3806d760-988b-4ba5-a4c8-4f8b75a6d31f} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
    3⤵
    PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4752 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4dc3a98-1094-44ee-aaed-3655bae1f7e9} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" utility
    3⤵
    - Checks processor information in registry
    PID:5288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21d662ab-647c-420e-a2e2-e54ec66b3306} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
    3⤵
    PID:5768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33e231a6-e066-4b7d-a4be-6759f7047a61} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
    3⤵
    PID:5780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1497e37b-b80c-4fe7-a1d3-c6be66640166} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
    3⤵
    PID:5792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 6 -isForBrowser -prefsHandle 2656 -prefMapHandle 2668 -prefsLen 29355 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad194524-96da-4a48-bad0-c21c442e6a34} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
    3⤵
    PID:6092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
250B

MD5
1629074ce71fc66aa0923ce2202c97bb

SHA1
6ef63d9d858069b63de237516e3aed747d7b5e0f

SHA256
bb2c84a24c77a22ce5510e3b2a934be9b9570c57956c4f81d1f0e4960c503798

SHA512
386b799c60a597f072d9687f420a4b95e59f0bf49ce429b4bbdd7ce396b1a86d558f9db88c9a11f6bd6440a81f74384920948a6955da03cccf0dba0b2849cffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3aa689d3bb30076b8d25f2abf53de5d3

SHA1
3b87320f457e5967379a5b3dbc9576b6005357c6

SHA256
f56cfe0403007a9595fbc00fa2bc0351cf9fd247f26cc5c02ae68d321942ae00

SHA512
564088dc6a972cb9b635ec0705b658fb2f6b0d6b1a6af3af89f3814fc03052e02eb1783474446f16b32c95d27e0a0ee8542a4e3be2af51ca6da21a46c3525bc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8adb439179a541df4cccccf38c8e7d1d

SHA1
8a58836ca7e11f8b0aac7e6dc1d4750eaa0453cf

SHA256
7214c69f9fd535ee7fd8906ee721d392d999ef558851aafa91ebfe7a375394e0

SHA512
3a5d38e7f34262ffbf8d0f59dc8ba3f160c6f57fba93ec48fe15d651ad838f9bfd5de531c5461c18a56b7ea45921882d469d6e127ac23e2cb94906d907f8072a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82f5678615ca3db5b53cfea650a5212c

SHA1
ffe1332ab316d7d024a836e53aec7603d37ba94d

SHA256
ea3252177965279b128e7be24bbfadde64eab92bcf900c52bcc775ad2c37865a

SHA512
be726ed4ecd92aba35f759081f1d20149a200ed48e23a54a8a7c807de2a661241465cf11700fc125af7ad0e711006d297687835f82718e23202235e31a08755e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
50036d01e844e005b7fee6a398fcd127

SHA1
f579f5efbaf2f0a67bf0d4c162b2f3aafd875cc9

SHA256
c92d4862028ed401072cda20c784ac2aeaf5d7a34fe4b69f36f53d5eae854ea8

SHA512
c6164f2a61b9a178a3b9f6c62c5e111dc2945e5a25147e9f03f550faf404b36922438247e4847d20d8a0247d51d9856ad0f12110a6eff43ca3a4c46be75f8862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8a14395854ccc1d16994e6a4938b5492

SHA1
507a109134d3a39db10f451ac033d88109fdd88e

SHA256
c9c474201cb6b800496e14b160e44783af0b1b1317b5cbc027434fff26eeded8

SHA512
6453c16ce72f8e48727a612604247d7d257d6fbe96c7ba001be628af37eacbbd0e721763781ca9f46f5a5545e6e9d7cdb9beae29e76e30c8e946832321dd2d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8d62145f35faaea57c0214df8cdae79a

SHA1
5dd6bf1ecf8d218f70631b52496f713f0c73b695

SHA256
72b2f951ec899d53c79a9da9f45a34a3c0a6e0fb5c45f3566b17ce7b36bbc293

SHA512
cbafe7cd5c29722f4f79b6b0d7650f506f0d2685862c6bd1eef34271d53659b2f4bf17d953136ba3e6bd07ceef3722798c4bd9bdf5618d9763451231fff5acf1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json

Filesize
33KB

MD5
30b8cdbb868feb5a9da26eddc3f638ca

SHA1
5980237c43f08e8e9a478345c38d560f95ca96ed

SHA256
0ca719878a8d1918ff8258c5b6b9575991945f9e163c977e5bae4e0d4d82dbee

SHA512
79d06fbc599c2dbfca6bab2f77e25ad948786d655b40592d36d84d4893e06a71d800a11ac9d7eca4fbebb94608f47747e5116a2b0cf18673444d650428d2d786

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
6KB

MD5
369229d50d2102b6f310d7c143941103

SHA1
a9fa932bb418e44da532ff5363a43b169c2af953

SHA256
e080056ba2f8bb4b3c2ccc76a11639346b1f23039aeef96d0cf06b9b258a6acf

SHA512
b3eb6be0c34c57b4bf675f31c0a46f3c59ac5277d49c7781bd94ad2e07e60626d57699c2a33dde8ee5d0aa045c3c650d889a090c845e1bd26cc23481b0b806d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
10KB

MD5
e203e2463ea26fc383aa500f2154e323

SHA1
c54463c0cf62e342a13f24165be75b234380d8f5

SHA256
5383fe15ad200c151ef97cc5af2a365a2b6db33f3e60cf0398f5a864221b7cbd

SHA512
33ed23257a779f589ee7f1e3fa82b4158a166c3e0bb217c5ae4a780781d2ff66cb13f1fa08a310c2bd4b779820a69701204009a1376d4034c56f43105f617114

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4418597c1b47effdbd411e9a860a9675

SHA1
7fdc96c662ec56f2948b058a963830d001920c13

SHA256
f6dc407baa3fb4732dd4d0180bc89195b9b06ead155fae43a46c96c5310795bc

SHA512
4056b538aa34623a2391cd08414257f61bd64fa5e864293454e9f324edcef3ac29feccc5d3e3d4f3a3fb6ae086f81695012b5060da1986037d2338cc9eb0a1c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
898404357f5bb55fdd0ba60e4c700391

SHA1
78c6efbd00b15f4a26be4a4698d38e524d4ae3a7

SHA256
322fb1b89a5f934658a9ed5a4c7a72ce53654e1e3cc793355b553dac67e640cd

SHA512
edc156927ee32b26c35db950d053e40ac96625909b12e22503a7401389faa996e2248da5dc87bd7692703974d61dc7031615d31f444b99d54aa2794d601214d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
697f5fec9b3e2dec8d891e038dce0e16

SHA1
8f9528ea14c533bc4709615b8b0712b604041219

SHA256
b624f87ab781cc0dfd80f93d4eba0e88df129d9789426b12cab5897cc756d4e9

SHA512
4cc7789c11c8e9f5d79b80be3fb119fa4fa45608e94f09772bbff3c690fcafdbc4426cae5e83719d788f1f062f92411d474879f052aa6e08282187e8ed52b0a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3363a418fae98e85b51fa7c4132b724d

SHA1
4ddb79318f758c18b6782edce99a35e68c67050c

SHA256
127f5c0c07a65d635b5714d3b9d48828e44c2fe5f3bf39a79d59d10717da3562

SHA512
0a50395546ca7cd8f8745363ae975954178cb8f6e3b973bb60350711ae0f067e527aa04a9cc56272a58e7232e82562c2aae80e46eeef66553f14566eb05c9b4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
6e4abfd6377ff5884a8ebc623750ff90

SHA1
a33e40090b4a16c4f946ddffecbefc60130c00fa

SHA256
bb5dccf33a635e647968665de0b5c1810df31a85e63ff6ecb7cb7103e67ce102

SHA512
fc8f270ed4e2fe869916874b87ced661ff187f485d0ab4de83c90037a295e4e99f9846beb44571f976b7f57bb0d029eb0fc0eba79dc399bdf3ac3d4bb3c980f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\0294828e-1720-40cc-ab90-8b599d2c9645

Filesize
671B

MD5
40273ad51de275dee25cfb4a33c7667a

SHA1
e238f06dea66276752d1860267046c4b77a7a619

SHA256
4a3616d26f3c8ab2fe292c336246251cb27f0f0bdd2917846ef92a079a86514e

SHA512
32d803f9b6dd513be2ae5a2d76e744a0b31912dc7f491a2e05db3d36744e2dc7f5bce7b71caf32ab4047f3a35b89380d842bd0ca3a5111765cde4005a5cff6d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\27492a94-f528-40dd-a519-163c70b2b81f

Filesize
23KB

MD5
97fec040753f5e38898f1bf94b0d1853

SHA1
6113f9c83c5e9c6dd1214bc31dce6f74a225e971

SHA256
47dfb97669fd504841c761a7b6b835b4b0266bc93be35a0553b96268e65ffc9c

SHA512
f9c31e6ce73b91df50ca0a5b152f33c84a9da5794e581196e07001a5ea7573ec0233a59afe362ea6fd67f0aa3297f63faece021d4ab46b0b0b5ffde05694a39c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\726a1a0b-2afe-40b1-8f47-98ac6f029271

Filesize
982B

MD5
0e1bb00580e74bbd284b08332ce6c7e5

SHA1
f2a51874ee0b248c0af1db6d8e6fd85796a48735

SHA256
76ae3153496ae19363cbd2ee97a09bb1488d65bb3d5980f002ddf60fb631f061

SHA512
0e32aba25965a175204b456ad95e71d7c6bf1df64c22c9300af6330c3bcce4581118449ec99a2ea70d7de5cb32f94b77f547d2b1461be7fdbdf091cf4586befa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
11KB

MD5
b8575a10fe295302882c2fa2e725eab5

SHA1
5a8e7f5a598c84676aab3670bbd6f19268fe0ce4

SHA256
1df39041f95c8de2b401b94ceb26d9f6e7657d58a589ae1b0d925c57b52e44f4

SHA512
339876b11c7c2c0dc65a74c971a78f37ad582082009026e86c2b46421e490a74fe42cbc15870e887a8cdaee895e606ce6bf1c8396c16e2c9b8f85fef9ba8e8d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
11KB

MD5
e99b18feebb4c198f2dbd5be090c048c

SHA1
a4c7ecacb498cfa9bbea0e03cf87b3050734aaf8

SHA256
1fa807c0faeb0be0f4cafd8b0e61ded755990e5319f258fd91e5205ea257833e

SHA512
c8023ef7cd4bc0dc6d0a0d7036d4b3c49b944ade2d087d1e2a9725fd07f19cb053b80ca0f3cc74b66dd40e7804f20dd7bea8579fc86fb65b0ba08929a6fc7f63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

Filesize
10KB

MD5
c24e5fd9255c6caa948d44a960117eb9

SHA1
0c3e0c7b288c1dac51bdc48cf9ac8bde6ab5cb07

SHA256
8c033a36ca3d1f74c41407642b478204bd1fcea9dcecdee46c91c39d59758c21

SHA512
52eaafc67e158fb57c156aa05bd2d51be5abf99db211839a1cb9d9cf2dd974faecc6add3f181dbadf35c15fe92ddafb0e3b21ba1bb53816a1be7c695db517356

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionCheckpoints.json

Filesize
228B

MD5
a0821bc1a142e3b5bca852e1090c9f2c

SHA1
e51beb8731e990129d965ddb60530d198c73825f

SHA256
db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2

SHA512
997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
136f2b1b9a45ea73a0a1422d88bdf6a4

SHA1
cd2cd1a8d5d66fa6b413060655495b25cd6f9f00

SHA256
8d29d5d41e0e75b91e65186123828bc1674e9bb5e0825d3096561f87df69507a

SHA512
70b49987ab415637624f95a18529bd67db2a7f47b0d0fde59d6796b1ac122383550392e52678954c085eddb21d0013a9583e90477ffffb303f5bba4f9c0f9fe1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
39036f513ddfa6b444defdfe91fc3477

SHA1
3d715b0b887cb60847d8cc30c134aa36c2b056d4

SHA256
0eca360e779490a85318ca5814c1af3f14162aa30ecb934311de02b436ac6f4d

SHA512
b6a9833b784b75416c577db3605daee250b68153c1db60f9d478b3a1b905f466a5ee87278b45f06b10e71053387599f2c7c6f68022f5c649f7d6cc88c7786703

Download Submit