71149018bd73a950f3207f8280883700a76783e9fa06d1fd9f443c1a29dbf681

Analysis

max time kernel
59s
max time network
61s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-10-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hdfree.html
Size

15KB
MD5

275ee6534585c9e8f74433c8ed9b3133
SHA1

e4ee5f5fcea0d9f672149a72919b09e2b7b0425d
SHA256

71149018bd73a950f3207f8280883700a76783e9fa06d1fd9f443c1a29dbf681
SHA512

8a59537902a6000bbdbbadd233fc516671284c5bbc517de3fb92ef04385c8234129e33ab7e92b16aea3e11ae3ef1ce7b0fbd937860cd9d9cb70958dbaef68d3d
SSDEEP

384:zVVu/rpHtjkePQSw6hMxoqwfn2ExsWeBKRY8TKuHnKGwb:PuhVPQSAm4Jxb

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
656	msedge.exe
656	msedge.exe
3416	msedge.exe
3416	msedge.exe
1824	msedge.exe
1824	msedge.exe
1820	identity_helper.exe
1820	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	880	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
880	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4808	3416	msedge.exe	78
PID 3416 wrote to memory of 4808	3416	msedge.exe	78
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 3044	3416	msedge.exe	79
PID 3416 wrote to memory of 656	3416	msedge.exe	80
PID 3416 wrote to memory of 656	3416	msedge.exe	80
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81
PID 3416 wrote to memory of 5048	3416	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\hdfree.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84bef3cb8,0x7ff84bef3cc8,0x7ff84bef3cd8
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8079147149703651872,3297673064016787312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:5284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1932
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a94dd16f-f606-4db0-8e29-e17327e0fc33} 880 "\\.\pipe\gecko-crash-server-pipe.880" gpu
    3⤵
    PID:3048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c8098e7-7f4e-4800-b414-7c59fb720ec3} 880 "\\.\pipe\gecko-crash-server-pipe.880" socket
    3⤵
    PID:2884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 2784 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a22f1f63-ce90-448b-a2a8-1f7c8e97f1ab} 880 "\\.\pipe\gecko-crash-server-pipe.880" tab
    3⤵
    PID:1160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3400 -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 2696 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f84445e-21ac-4981-b5be-72b23abca94a} 880 "\\.\pipe\gecko-crash-server-pipe.880" tab
    3⤵
    PID:5072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4220 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4212 -prefMapHandle 4208 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {271dcece-6e80-4f98-a14a-01e4b07a7761} 880 "\\.\pipe\gecko-crash-server-pipe.880" utility
    3⤵
    - Checks processor information in registry
    PID:5596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 3 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21875e75-d17c-4b4b-83ea-601aa0db4435} 880 "\\.\pipe\gecko-crash-server-pipe.880" tab
    3⤵
    PID:5716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5640 -prefMapHandle 5528 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {222dd0fc-75a6-4b32-93ae-c7994b4f245e} 880 "\\.\pipe\gecko-crash-server-pipe.880" tab
    3⤵
    PID:1932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5860 -prefMapHandle 5864 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b2e2e3b-aefb-4d24-87bf-fc28ec8545fe} 880 "\\.\pipe\gecko-crash-server-pipe.880" tab
    3⤵
    PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1f6e23af252e5b23da963fa78db0e41e

SHA1
05a3500bbd6c7c8cf065ebb8881a6799ce92df68

SHA256
bb69c445d55a28f4d1dc30527766466c01508700a800c896b3aae903618f6484

SHA512
e8add5ad9aba7e49155ba880abb16267244c06418c36fd7e30ec70e8d31777f8afa69c877905123d4be423c9af43fec3337acd32417a9fac2722f406802b0b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
418501aab81df7b82fd14c5de04fde54

SHA1
e29ef354139f6122f3015de73aa79e0ccba38474

SHA256
ea3960dcef1aeadbab10a5c6a8ff102a42b408d09f8504de5341ab00db6b0d3b

SHA512
198ef2da12a8f2e6f9e3bff31bc58775d1ff57e52f75248b2f2372777c5cb1f1ad0f5c253fba39145015e0fd5a9461e9c1949c4bcebce2fc5fa014f2f836c465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9fb96c93c7666805eee470ea38d35539

SHA1
6a5c8edbe589bae9ba8ddbb1663c33a3fa9aa061

SHA256
6c885917da4c8034b91fe60107e9aa68841e548c69d0a7cf0a389ed1da9dd898

SHA512
cea49b3d0e775d0f2623c1a5cc402b97c94728bfb2bfe3bb1feb5426b2a1ba1a96c0d11e064eb78903c753cddbabfc18729a45db38fefa3a183f23b739d255f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7b9d7ace9ee2442f8fb79a9053ad04f2

SHA1
708f8ba6d35af9706dd477f0a80c557af23ae4ef

SHA256
68fce9d1ae9624cf106f93d1707b77c4e97f13e1a1fcf5adba24df73f0ce3019

SHA512
39f8a4d94aa3d67a20ee47f1a9500844ace9efb65824e01dc35c6eb8e17b6989784470572f9fa4fdec8437b633d4e465543c08d033113094cf4bf4cc116797e5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
153fe1369e9e8e0d29b3ce3fa10ffd59

SHA1
2cf0186741532116f537c543c0f037f95b3b91bc

SHA256
6f297cdace55f52b5dcba27535dac1e6351413f815c1d2de01d41849db736455

SHA512
7a4d653b8f8e09efc89324ae3db8510a18d8024598ae26b6e9ab8dbecd31606183ccad9ae3a0f55d5f367252974e54209d6c7d7a50fac8c348d12ac2e7ceb966

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c3bb1943299c4e55f0593efed5e930da

SHA1
0ffd726555929085500b30d9df0e1845c6a66a6a

SHA256
19eb0272fe02670a4489f7f387ac083b6d66a1f8c1073911864d20b66ab971f0

SHA512
da6d94f80253d1099cad3eb1cfdf69a7dec3fb80d56ce13243e898e0f79fd8c51ef67c2ef7d2c95e93379a2bd51e1644a01103f0757622a60f076bc62a8444ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
4285d47c1dab97e9eef51d6be59fa161

SHA1
44c381afb314cff9ed4a43ef1fa957008f055bd2

SHA256
a43cffa98f56071a733bcbc642e5d87da30a7b4e6105d0f1bff031e82b4e8990

SHA512
b79c848b775ed67905165be9eadf0ebd1052264cc9c404df7d7fcdab895d51819b733bc50614039c651156c3673b0f768410a65c9818de4e322c1db0a9d46afc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\1cd14d93-5523-4914-9fe1-a114fd32b5a1

Filesize
671B

MD5
f00850ae07673b8e525ab2b8c5d7206d

SHA1
fafebad01f664c14dbf4c15aa83624e0c4bf18fc

SHA256
d226f344ecef4d56788dcdb51140045534597eedd1e15ada95bc2d10a66353fb

SHA512
befcec9b61c620f2d6e23830510dec0bd8e7bf510df020f73031ad10b8c6e053c27111d6e0fe9ef894a8201ff88c1aebddf9db320837b73624004aaf0b0e3abf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\9cf9f55b-72f0-4332-8165-536da10ba29e

Filesize
25KB

MD5
8af7f4ae4f5e893a85d642916e78340f

SHA1
ec7dff26f3fb22a3c030502af570627c6bb55095

SHA256
c03d0cb82f511d1e378f2972f46e2b7203a32d86d5d01e911f88250f9c5300cb

SHA512
307bd916228f194bcb650f0eaf231fce6ed0a2916025d62614c70a1c4d72cb7e55ead67e03e6b08850f34c5fe7de39d3697e9d73873d0e6dfea9fdcdf1d8e5fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\d0a328e7-3452-40f5-84a7-c78b929ee7f0

Filesize
982B

MD5
125499d5ff75c278c7ebf3827b08a613

SHA1
71cc01d352377156e34376a1142ab060a5dd209e

SHA256
5befab291ff9b44b8226169590c401e7913cd33acf2f469e8be985802cbbec00

SHA512
2dfc713d48c29b8ddbc339a8cc814aab584730d3dd17c2f4c6b2768db00e094d3f2e6d23bbb7922dc0fbc06d102871bcc9d3c1f31d44f8d509293fcba64e7aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs.js

Filesize
10KB

MD5
7ea9d9e3f42035d4d3c353cb75abb8fb

SHA1
d3aebd1f823a0e878fb1d33abedff07ca0e14cd0

SHA256
d2fa7a7f401a403a9afc7fba9b097f484e1a9cf075976b85b07af78d6aa26cec

SHA512
c97548cd153b85767899244fb2f3fd4f578e6cac182e01d55a7efa4afc6547b00fde3ad731a80d434572af5724f3ddee43c62c9f988a9b4cf9ff4756789ce0bc

Download Submit