hxxps://rbxidle[.]com

Analysis

max time kernel
749s
max time network
749s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-11-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rbxidle.com

Score

7^/10

discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: sweetalert2@11
phishing
A potential corporate email address has been identified in the URL: theme-dark@5
phishing

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241129002338.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4d8fe3b0-f363-4e03-afa6-1bf24216bc76.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1096	msedge.exe
1096	msedge.exe
4944	msedge.exe
4944	msedge.exe
4500	identity_helper.exe
4500	identity_helper.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	firefox.exe
Token: SeDebugPrivilege	2576	firefox.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4736	4944	msedge.exe	80
PID 4944 wrote to memory of 4736	4944	msedge.exe	80
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 384	4944	msedge.exe	81
PID 4944 wrote to memory of 1096	4944	msedge.exe	82
PID 4944 wrote to memory of 1096	4944	msedge.exe	82
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83
PID 4944 wrote to memory of 564	4944	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://rbxidle.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd777946f8,0x7ffd77794708,0x7ffd77794718
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2336 /prefetch:2
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:8
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1120
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6bc1d5460,0x7ff6bc1d5470,0x7ff6bc1d5480
    3⤵
    PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,15305298297400235883,17059755838042759537,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3220 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4928
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39b5427b-d800-4ccb-bf3d-06c44d981385} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" gpu
    3⤵
    PID:4800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9afaf53f-78e9-4f7f-9ce2-34166cc12d43} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" socket
    3⤵
    PID:2600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2964 -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 3092 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9023f3c1-a3d0-4ad4-9036-1a2620d39a38} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" tab
    3⤵
    PID:3476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4320 -childID 2 -isForBrowser -prefsHandle 4312 -prefMapHandle 4308 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fb183b6-6177-498e-966b-f11e59dafc32} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" tab
    3⤵
    PID:4384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 4812 -prefsLen 29145 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb79cc40-2c02-40f7-8c38-ea8ffa2130ce} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" utility
    3⤵
    - Checks processor information in registry
    PID:3248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5172 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00f654a1-a3b8-44ad-8917-70a355a88beb} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" tab
    3⤵
    PID:2016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16b58cee-0487-4630-979e-20b3d1198f73} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" tab
    3⤵
    PID:2728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4a69bbd-74cd-45b5-ab0b-0d83cdb1a266} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" tab
    3⤵
    PID:864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 6 -isForBrowser -prefsHandle 6056 -prefMapHandle 6048 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9ea7171-873a-45f0-bc0c-cbcfcaccae8b} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" tab
    3⤵
    PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5d9c9a841c4d3c390d06a3cc8d508ae6

SHA1
052145bf6c75ab8d907fc83b33ef0af2173a313f

SHA256
915ea0e3e872d2b2e7d0e0ca30f282675139c787fec8043a6e92b9ef68b4f67d

SHA512
8243684857e1c359872b8e795a0e5f2ee56b0c0c1e1c7e5d264c2c28476e9830981bb95244f44c3b2ed334c3e1228f3d6245cce2f3d1f34cdbce8e2af55b4c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e87625b4a77de67df5a963bf1f1b9f24

SHA1
727c79941debbd77b12d0a016164bae1dd3f127c

SHA256
07ecc7bd328990f44b189112a1a738861b0f4528097d4371e1ab0c46d8819f4e

SHA512
000d74220ba78628b727441c1b3f8813eec7fc97ff9aa6963eb2ab08d09525fa03935b32e86458c42e573b828a22b0b229af02b47eee511dc83de4ed3b5e726b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
8d84f8eee1ada565bec23f653c07b156

SHA1
03112c0ebe75d86560dcbc747972414174abbd63

SHA256
78987624a024c197db2bc9b9ac598eb13a2bfde074c1262e2083ea8af8fc7ed6

SHA512
751087ea3c4b5d53326587c1fd04c18c588c3350687e5705f8e1593855dc15329f4e13af2cc422dd03e12f47b16b16c0061d2fea5210e42ac1dc3b7e0e060e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d263.TMP

Filesize
48B

MD5
3f87b75269999db725e5b993bd6d1b8a

SHA1
5d8f88f0219ca79476c8eed09415fd175d83b500

SHA256
075632c5a87d012202fe0911610d1c9d7b88e475e2dea51ef267faa399c26a38

SHA512
3f38ff28a5cfedc2df444583693b756a6b5bc9fa812d14322251dad1b30a130fcf839b1430f5dd20a7feebcc9aa9f05cf43108c2117daa59390b47903f14ffc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
78e40417b9031bae6efa353a3102b810

SHA1
2d659bd33bda2592ce360349eada6beae2d6f93e

SHA256
4d6aff44983fe203878e72794feefd6c5f675e6eb021e66c58d8ccb9a994c15e

SHA512
7584da41a6e2634d628b69b586feee28ba3a29fbab88f88927bc3f219ac18e085a9146d47ac8796d36f27d0dc6cff3675ee01e343a318fab8df1a57a18a084da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
71ee4cba3aab9f4062d5ac8ffcf3c36f

SHA1
fe3521bb4a4b7d8d378626e2750b3a34a210690b

SHA256
510f09fa70d5f74b96c36b4c819defef417fb93085a2632253f9e0fce1d5b8cf

SHA512
91c71ff434ffc31db091f3843c6b6154a8874b93aef8d7d3b6459e1a39e01d03e0c8d8259e153e13c80ab6bed43433f1035bb1f7613d60ca20867d518c1cc16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ca119e4b19160577b0fa3bb3dfd65e7

SHA1
cd378579e51b30e80f565db50a6ac83282fbeefe

SHA256
6485a4a515be7d94a613fd7a98833f957c1b4afca4d1e7b9e94f5431c000d933

SHA512
6ddd0647bac56c1ed665a361a6a2f0d0a8e122eb28de06e6c1d3ceee50073db619d1f30e053c4ea6b5f8c9b76e119fe59f9ca33a053097891b92b109ca2d9b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd6ff12312176f1c8c4e899dd26c6cea

SHA1
967e5f42544aa6a2dcf998f35ff9fc8f529dbed2

SHA256
b2b9af5ab7493d314831c921bd6fc33bd81546a29754b932dfcf3f231f057159

SHA512
685c961c8078ec8c516e348472935bda80aba8cdf88123a41947eea759e3d434a39401c86883c885650b4430c08943751b731e4180ae514a658e97330d847d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5867bd2e387f260634bb3da1f24f4e85

SHA1
9e02822a534b3b0a940691c452ce51cb2a6ba047

SHA256
16a39ef2a0b07b19f523f7c89c90b0f47478544e06f5c65a9c1ff87c1120e293

SHA512
1c29b9e49262cb4f0c9bdc3d9db5732bb04112b56e337fd8a3c4132027cbc0eced95993c0bed2eadd01c8eeaaf30cc4813baab4b7e5fe490eb2e71294c579c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2313c13918fccbfb308c727a2d2df41d

SHA1
9dbbe8cfca61468f8aee42da6a243231fd96169f

SHA256
588c83bfa97fb145d3ea1c5cbe759113b48467e27bfcd02dca53c93b558637e9

SHA512
64f8b71f729be595268e0eacabf964827efda30078ad6675e59389630d133f39211a3891ad3eb00ca7760dee151bee110130dd02a77d7fc62642a48fc77b888d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
137094a3453899bc0bc86df52edd9186

SHA1
66bc2c2b45b63826bb233156bab8ce31c593ba99

SHA256
72d823cac2d49660cdd20ebf4d3ac222c4dd15aae6e5ac4a64f993ef5c4fdd44

SHA512
f8f149c9eab06e8d7e1aa62145f0fc588dc36fc521ef4dceceb80a191b72d79586d920feb5f3b1d19595109cc6d608c143e32f521a4da1068c708a2538899ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
364592d2cc18adf665987584bf528cba

SHA1
d1225b2b8ee4038b0c42229833acc543deeab0f6

SHA256
bd97dd6797bb763681cfb1fc3cc21a44a273aab1d9a4f4f9332675c662d2136c

SHA512
0e852db825e451464cbcfda95eae2dfe780874bd20e7b467604962428007d1735ece752aa5901d468708a68d66d029271d5567b39c530d2d44b875abbff9aa40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
aaa4b176b9e25352e7478317057908a5

SHA1
6dda9412747754d663df2c2102dc29d0c7b8ae8a

SHA256
cfe0ad77053e9072c510bf104c2b8592cd53dad0e45fd2b9f1a444ed09707273

SHA512
6c81f0ebc03805b6f82edbb82f1652c91f6b42383a7b711355f08ba231d72940eae0ecc4329cb17f572b4d792da1a6948eef0fabbee59662a674d6dd5ed695b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
39d9971a2ea82e3d43af5ee073a8b691

SHA1
78c3472a797433a8efda6fa1173af6a35fd9a288

SHA256
d663886fff0b7ef2c0833b6b5b90462048076c88de2134ba9ffa9737dec8e873

SHA512
2a21f1a7714692a1935c2e4cd5ef6473e7bcbd1fe0b2626788440db00af4f7f2324e6d632c99c9d232bb37528f9c038cfda96420dcfa2b7e930545a5b7e49920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b323b0c3-9c6d-4b92-945e-6c5c8d749ff5.tmp

Filesize
11KB

MD5
ab2d203dc54efb806719d82d56243a4d

SHA1
dfabbfa19822219d6018875b89d8f57e72ebe1ed

SHA256
b692778a2e0201d25bd8b9f2cff012a00b900d80508e7f03acd2dd1443091a31

SHA512
147d764b53ddb5dff5839bb2a9799252256f0771931bbf9af7a309727ff6183bfcf0d6ffbf752b3df9dd833be3627080bc83d8ce55ab29718ecaadc9fbe04f9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
a42f17d439a5fe698ea5aba26b7b6a4e

SHA1
7efb55400480a0bbae1c19f0f7b3ebc17d786053

SHA256
56d87306eb2b1b16b06eacccd62214b7d5d36c1b6c157f9dea9321ced1c80d41

SHA512
58e4567154d479d5f8d5e51a3b15c8f9e6d8fe38fb7a9d5d6835e8102aca01529d2d96745608471681e279b2db93ce356dc58a6c5e96a8cc9d4a79592ac2b269

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f4bd9b08cc7abcba0b76446d0f3ff711

SHA1
464400ec677094197edba3f5264689f2ce3f735d

SHA256
f0aab09567a4640a0de549dc0d09de5f61a7d19b270a6b2d9ef662cf5c21fb10

SHA512
a248118e080d59b68aa6583e842cadf73737523f1af33947bd53c1b87b7ac4e2948ab744d377bc68325a38f34015554f519a6b3695e15aed5e9fff48a197307d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
6998b1681b728cef61c6a6d0390db961

SHA1
fd4e514b2f2f1c467432b7e384391dd35f1f611a

SHA256
91c059866c22fd53339948d4316bb7a67bd9c4c0fc07da35ec3be5844dec4bd7

SHA512
8552c252b22b0db4ccf8586d123cb2d7b590a08e0598164b10a9cbbe76af46d0e7307221623c6fb997ece9523ef2b9d3d4f0eb5f9b72d2ff988d2e0aa12ad688

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\AlternateServices.bin

Filesize
6KB

MD5
74e09088d23a8321185d239d488a8391

SHA1
91fc5bc9358035cf6a2d2b2e2d816cf45d6961f3

SHA256
d9b57bcd0fa1ba53a84665f4c2a9700ecb17fec61971694983060b49f3bdf18a

SHA512
5858dad847dc686ff53284b772431632f19a2b06bee069cc19d468136330d7d78ab41e3bd90f407c1b3eae4c7ecb8b9230115d694845848615f0401a52dd779d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
02e62bef559d40c0ff0814c26308b44a

SHA1
c138f10a8f520d3e1b90729cb18e98517c354b2f

SHA256
caae10d8ea120ea525a69c976520637d1194917dccc9727884bb9c22dd655f0e

SHA512
c00730465f36b1b6b68b281e78f63d556930b082e318dcb3f25041d848ace74f308596a0bd4b531ba329107928f41670053498434371cf6f7c04ae68956129f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
0de5e5129c2a0a14a5ab805b46647e33

SHA1
f410b9d0be6582915e209e83c49c8f00b44243fc

SHA256
0f73c221680e0ef30584d4d981763482a0ccdb57e9b334900cd88941f59228c5

SHA512
92583d0face9abd4f7bc87e6ca96f18e0a4ad93b2627f289c317294ed7e11f49ede0b88342665325e5c6e28d40eaecc3e1e0e75608a8e95d64d97d446baa2fc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\datareporting\glean\pending_pings\04b7113e-c126-4ca6-91e5-db267a9171e1

Filesize
659B

MD5
cf96a97b3c5de49a28bae50ab81cf917

SHA1
cf5e2a03632c91706edf193aec29c7456db1a882

SHA256
d37ebb9561d98934395422eaa71b6877fed175b1b1c49e13d81370bfeaaf0aeb

SHA512
c6ca2521dec4a518bf930fc4ce96e9748c4f1785b2e86abde06993b8b1d8b36d5a8fdc2c3c63c158a28d08c1524fa5d63704245fb7381399041e2da6df30916d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\datareporting\glean\pending_pings\b476cc2a-5541-40d9-8df0-74b1f7247d3e

Filesize
982B

MD5
cef24c10dcd09d43fed3af12c8f36bab

SHA1
46bd0078cd18b407bb348b2bfbca8821138d8da6

SHA256
a7d579ac8f19c1dda34d4dfb3f664dbafbc9a6465cd0574c5eec362dcac0f7cc

SHA512
d465821e9f145e8247f4c606392b4114e2ff4e6b49b3ffa859bf9d2146a443a60098a8944cdf62c9e1b71413de45243dc2852a8492863bb485c3b68215a49913

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\prefs.js

Filesize
10KB

MD5
ad17daff42ff57b355cb92fbe772f0f9

SHA1
f0df90b83119ed43f8581b8f8bfbedff5215de1b

SHA256
8280dd00257be8b550f55d7ea5fb83663780b450b3dffa3eb4089cf543ba2769

SHA512
f48b06cb12f7aecee94b568fbd8eb368c3e9dae46988f337b44975134dc4bf0fdd346f83acf604ee626bf323e0b467311d14ecce5b57a4c7831b65ee28bd8001

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\prefs.js

Filesize
10KB

MD5
613f1105a183b21169c682e623edd358

SHA1
69edf5a0cb0f90932e60748b9dada19bca40f5d7

SHA256
3694187a9227a202590887b66d8b3576bbcadc71ca0b2da67bb4be0678d6e39e

SHA512
aa5907480907b0459031312a294bb3a66e02f6f43babd37a396de38bfd45f8325af667bba6b8e13e105d10febaa39030703e47ead5a4894986a3e0fab486aae8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
e9b66a84a0dffdb6b04038183d9c8425

SHA1
a2636c868573590332cb71f00bd1847e43974918

SHA256
e5a5e34c21a0253c0814e774c91b14399897ed5ce41608e5d4a130aaa972ab17

SHA512
72b128828e0517bf1613eb58d13bc24a87fba907ecc4f11b1ab7b84807698159fbfc2d739ae2f3ac9797b3efeb73ac82862f8317fbdf4acea5d31f27d79558dc

Download Submit