89903de7d6abe4a8ac9c774b841f1f512d31e12cf88b79bb994597a0cab3e98c

Analysis

max time kernel
67s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup/idman642build22.exe
Size

11.7MB
MD5

d342739ae85e84dbb6602c388d5a347a
SHA1

d7969ebf3cca7f1f7480c8d4941adb0ad7fdfe40
SHA256

8c2d993b89a21b98d3bfdfa425cde853431f1e5e311954456393b218ab5513ce
SHA512

715d2949cc95ae92d6360846dad8569de509a6bf74903995556cdeceedb0f2f0ed8ba812b32dfa18b0f6d0cbc2cc7bae23c2a96cd864bbdecdd4c45711f3c94c
SSDEEP

196608:L/5p+6e05RM1a4+nlWa04WcNMnfZUT1JhH/TbrqafM3wZDUUDMBdD2pewf2RKjs:VxeCRM1a4SXpwQ1fL3q7AZIvdKpb+Ss

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3848	IDM1.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idman642build22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM1.tmp

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4364	msedge.exe
4364	msedge.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	firefox.exe
Token: SeDebugPrivilege	3916	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3916	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 3848	2916	idman642build22.exe	82
PID 2916 wrote to memory of 3848	2916	idman642build22.exe	82
PID 2916 wrote to memory of 3848	2916	idman642build22.exe	82
PID 4492 wrote to memory of 976	4492	msedge.exe	101
PID 4492 wrote to memory of 976	4492	msedge.exe	101
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 1808	4492	msedge.exe	102
PID 4492 wrote to memory of 4364	4492	msedge.exe	103
PID 4492 wrote to memory of 4364	4492	msedge.exe	103
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104
PID 4492 wrote to memory of 2448	4492	msedge.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup\idman642build22.exe
"C:\Users\Admin\AppData\Local\Temp\Setup\idman642build22.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
  "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault97b7bd79h4e2ah47e7h8a88hfcd938ac09cd
1⤵
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbc37946f8,0x7ffbc3794708,0x7ffbc3794718
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12883439908286246626,6906173118049519934,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12883439908286246626,6906173118049519934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12883439908286246626,6906173118049519934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:2448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3908
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5f4f343-d320-4954-a764-818a7a8efe8c} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" gpu
    3⤵
    PID:3612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbacd284-e4e9-4cab-9b3f-d66530721e21} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" socket
    3⤵
    PID:3676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 3224 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d06b38d-3792-4ee4-b1f3-3268ab8aa4aa} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:3908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -childID 2 -isForBrowser -prefsHandle 3976 -prefMapHandle 3972 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0087337d-b616-4ebf-9df1-c9196cbd44eb} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4620 -prefMapHandle 4616 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24910ad6-0706-4ae2-a5f9-07d293d68c16} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" utility
    3⤵
    - Checks processor information in registry
    PID:6060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5220 -childID 3 -isForBrowser -prefsHandle 5268 -prefMapHandle 5264 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {024f37ca-8e7c-411b-b6ec-1d92cf8830e7} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 4 -isForBrowser -prefsHandle 5392 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9740f30-4bd8-4233-b99f-4d66b621f1cb} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ddc2d5e-1eca-42b3-a1f1-77fae51519b6} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6096 -childID 6 -isForBrowser -prefsHandle 6080 -prefMapHandle 6084 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1508dd8-5366-445d-af06-c93fde624332} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 7 -isForBrowser -prefsHandle 2700 -prefMapHandle 4704 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fea9a8b-d4a9-4285-8219-de36e8af821a} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:6100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6464 -childID 8 -isForBrowser -prefsHandle 6120 -prefMapHandle 6108 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2985538e-250e-4a8b-b75f-22984609ea6b} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:4976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6924 -childID 9 -isForBrowser -prefsHandle 6168 -prefMapHandle 6184 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fdc5889-4ffa-408d-826a-b6666a7f44da} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:6056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7088 -childID 10 -isForBrowser -prefsHandle 7008 -prefMapHandle 7012 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59e284ff-691f-4f2c-b3b4-377dd0c6f743} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:2432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7324 -childID 11 -isForBrowser -prefsHandle 7388 -prefMapHandle 7384 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcb59b10-2fba-4bcc-a218-5a7ff8b236ca} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7532 -childID 12 -isForBrowser -prefsHandle 7680 -prefMapHandle 7676 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a085a59-a909-4800-a7b3-195c1e6bc451} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:4260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7912 -childID 13 -isForBrowser -prefsHandle 7840 -prefMapHandle 7844 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {187178cf-4d5d-4891-9f28-32ff1799a01d} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:6284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7920 -childID 14 -isForBrowser -prefsHandle 7828 -prefMapHandle 7832 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c4009de-1b9f-4519-b721-1f8f4e8bd8a7} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:6292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7928 -childID 15 -isForBrowser -prefsHandle 7816 -prefMapHandle 7820 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62eb6fd8-3319-4340-9b28-b1d3c6e0cfcb} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:6300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c370f98fc8a0826c1482dadb02ce0bbb

SHA1
d61f2d6d89111451b07059e8d1836ca269a5fcf1

SHA256
df960ea72cd380077e01ec38ce2b9521228f4554ffdc234444936da70b508214

SHA512
30427b07c91883a3f0e131449645a75f211bc5c15b86cba280c0a71548906b19a21332f19f9469af121e5b7d200cb55f065324f5eff68adc753bb5a477f66722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e0086d1e999488202dec6de368ff4354

SHA1
aa530a79d50898691ef51f4c8e109068ee4b541a

SHA256
6f523b0b757e99fdc4bff1b3b01e1b3a79f16481e83b850b7487b105041ff166

SHA512
4643578a80514f1e75e5d9eb54fc9e45a74b609fe0e2c2f5b7e8eef095e98af7fc4f085a4ed05148984d9e66795d06e645814b4c6d2660d903e0b06898b19c46

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
22501ce9c37c64f639fb3ddc287a0cbd

SHA1
baeddb26dbad77fc3156149aeb87ba02ca263e52

SHA256
196b12d1c8b5ab7cf9c448dbd72d63845c166fcd8ddb48863fab4fd6bf035757

SHA512
d2e2a985da66a3eed69966d43c8333eed3e0742086913ce503baa5fe85eec80eb8381e350a70757c2df8466d8d1f64d81d102152a53f92b2d1bdaf2e36cd39d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\7D3068195A30D049CC263CE0A0641E65E92E39CF

Filesize
1.0MB

MD5
d00313cbf89844fccc27c526233bfdbd

SHA1
906a8b3ae067c348b19318bbedb28f11962e486e

SHA256
c6968e41e0421843164380c38df431fe30daa0e5aadca8acd929b999f9ff9bc8

SHA512
13a69f3978050efa08e46cc656bba27660bca251307db223efcac648db87e58ff5dc94d297dc3451d29cdea3a85557f52aa283289dcf0a73af1d8fd516ee7318

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
162KB

MD5
1c734d0ded634d8e17a87aba3d44f41d

SHA1
4974769d1b1442c48dd6b6fb8b3741df36f21425

SHA256
645ee6e64ed04825b25964d992d0205963498bb9d61f5a52be7e76ddb2074003

SHA512
20239782f4e30157fdfc02a3793ac7bde7ed74400de4cffa812805d680789ea7be5c2c765924d32f74807d80100cccc14b453d3d7e006dd4aeee60dec98af4c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

Filesize
8KB

MD5
9125230198ee32e69e76a569d0adfcf6

SHA1
4eede72d405f2a066543f8c98fedb8ff81c8fd15

SHA256
93983a026918614b977f1fea6c6224646b2419dc80953e52c0d0d6b20a4d1082

SHA512
1bca121af5ac797d6e24b146645a4ef712d2feb51b4f6d3f241134f83777c389432c9b5948c3f4976913725f25617025ca94fc654c3d614df8d1dcc0051bc7a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
60ecc3ed97f320e7fc6b0f4a53cf8a7a

SHA1
c93482d9cfb8f94fb2c9025abc4a8e764774a0fb

SHA256
0e5f87f6fa00bb104fd76abccf3a973ae30d46117f69e7167072747e78157fd4

SHA512
994adfd3c66d109aa77c0fba0c9ed53dcc61d75ce3a6f9f912e71526f4ee1b47dc22ddf5a209e65b77ca7ac9e310186b3e3952830d41acee2c52ae0c9cc80c77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
a41da8eb2e1bce39bbdd9e1bfb842649

SHA1
ab2142785782d89d37d392e232cbd8ba544d668c

SHA256
a32af0255cbd418e868f155ed6e3bffe46e65c361209503c10bfb65ad1c56a8f

SHA512
d0b6c070eb3b07f52d32e34a87944b6b6d9371afaf7c17d43ae92f91ee0b070e2f05336161d16a29633411cb90fb785ac73030232dc968e4f263e9bbe48827a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
0b26d35c2a5a529efc5a8ff2344b13ac

SHA1
2f0e6ce11bf82bb7cee23f623e7315817a25182b

SHA256
ba903acab81eebeb0269bdb30036f2368f1407b5f53283cd8f0192925ef79a05

SHA512
e5d6a137eb75acc1da5990c50849a4c7211cef49b6f228d1fe979ef1ad370ec316b62c653bef86fa21546aae32dcb27469a9d26891587a9555c0bf9b69427ad3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\70331764-0372-4eb4-8919-1e1e58568ca0

Filesize
659B

MD5
85c8eb32f07081ddd14f5b0dc348714a

SHA1
d9245ab1a240a284172933695e8aba7a5857aa5c

SHA256
4398fa34a8580def1d991702e28b2839ec77c2664c22d89485f06f10d70721f2

SHA512
0a9b7d0ac38a1944dcea2501705cb21ce52883d8f3f1f8f588d4fee6cbf5b3e7b63e01607e0c33c58bc13f715d71c1b4b514dad04f60ff19b300bbeac55c2874

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\f8ea2f69-b84e-4821-9c6a-359afd8593ff

Filesize
982B

MD5
ab690e8ec0d42792cb6cc644dd87c9d1

SHA1
d61c280469b2591c3f403e3fec0fc2e19c92272f

SHA256
e4820dd0a8e88367788432fcfff0f13c0082c41a3d1083bfa070baa8e3503b20

SHA512
f790cb1ec3d55d4f2dea9290cae6e5b25d1c743d3993f31336e7911f6cef92a67a83a977610b8ebb5cefa3d76457e8e8c4a221e9cd43febcab6a56845e976b27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
11KB

MD5
3caabfa5daafee625714fb331fe9d585

SHA1
5694267d60a3cce16d2b7ce478e8439dd37357a5

SHA256
be4ee9ab4f5abb5281170491502aac5fea43a7ecc6d4e1873c97a7a014395bfc

SHA512
e675eed0bef0ffcc1df20d56580261783395635155bda8b7489c02e2498e18a82e02e513b9e2eee46f5d0a118cc06b0789784d8f1078ec4fa5d409b786eef229

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

Filesize
11KB

MD5
1c501f375af5145117d71376e3ba4091

SHA1
e685b433d7247d45f4f72a3d4c3ef30a2c311c65

SHA256
6a1a98baea2db64ef651c22f12dcc11ed835c196514642316b17e7b7b4883ac5

SHA512
7140e5369edb89623f5971c135f91a4b578323d935143fb3459f1d3759c6c3b247a21cda6864f24198b43ae22f02fad5f50ded935a3afd0fbbcbe1802cc1df61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
67aab989bb0cecf0b990f9ec6cf5033a

SHA1
f9be351e2c570066e794f5ec12c2223dd46bb372

SHA256
b2464e15868af09dd54445d8981592a0f3ae100801b1993b3e68b8d3a171044f

SHA512
452f9e334c14ef26b1d9ef2cb7210629f954981b40e93d9550dd1a4e429354bae9ce3ef43f9224fed01b4d944657bbb01f516e587150835812abf550893b5fe2

Download Submit
memory/3848-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3848-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download