hxxps://is[.]gd/58qkYt

Analysis

max time kernel
45s
max time network
49s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-12-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://is.gd/58qkYt

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c3351cfb-816d-48d2-a9ad-58f32bda96ea.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241221232455.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
116	msedge.exe
116	msedge.exe
1444	msedge.exe
1444	msedge.exe
1476	identity_helper.exe
1476	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	932	firefox.exe
Token: SeDebugPrivilege	932	firefox.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
932	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 732	1444	msedge.exe	81
PID 1444 wrote to memory of 732	1444	msedge.exe	81
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 4996	1444	msedge.exe	82
PID 1444 wrote to memory of 116	1444	msedge.exe	83
PID 1444 wrote to memory of 116	1444	msedge.exe	83
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84
PID 1444 wrote to memory of 1424	1444	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://is.gd/58qkYt
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd772446f8,0x7ffd77244708,0x7ffd77244718
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:736
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7ac5f5460,0x7ff7ac5f5470,0x7ff7ac5f5480
    3⤵
    PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3050489179751251922,15411349053637943033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:1132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2928
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cd28829-b8c6-4d8a-8483-64103ac2ddb7} 932 "\\.\pipe\gecko-crash-server-pipe.932" gpu
    3⤵
    PID:5160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c8cd3d7-5645-4e71-97e6-0048a9ff3ae3} 932 "\\.\pipe\gecko-crash-server-pipe.932" socket
    3⤵
    - Checks processor information in registry
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3076 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3088 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2901d0b2-9f5c-4077-9ec3-404b0838dbb5} 932 "\\.\pipe\gecko-crash-server-pipe.932" tab
    3⤵
    PID:5504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -childID 2 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4f5d469-70ef-4c42-99ff-593b8308b66d} 932 "\\.\pipe\gecko-crash-server-pipe.932" tab
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 4800 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f16c70c0-054e-4449-a114-dd3b126fbf95} 932 "\\.\pipe\gecko-crash-server-pipe.932" utility
    3⤵
    - Checks processor information in registry
    PID:6232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5208 -prefMapHandle 5376 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49e32b4c-6761-4f57-a71b-cbdb07793cf7} 932 "\\.\pipe\gecko-crash-server-pipe.932" tab
    3⤵
    PID:7056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5492 -prefMapHandle 5488 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12b0357c-3667-4800-bdee-8889123e0795} 932 "\\.\pipe\gecko-crash-server-pipe.932" tab
    3⤵
    PID:7080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5704 -prefMapHandle 5708 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad222bba-1a9a-4380-b38c-26595d5efd79} 932 "\\.\pipe\gecko-crash-server-pipe.932" tab
    3⤵
    PID:7092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aee441ff140ecb5de1df316f0a7338cd

SHA1
82f998907a111d858c67644e9f61d3b32b4cd009

SHA256
5944b21c8bdfb7c6cb0da452f8904a164cc951c6a4bb3a306eaebcad2d611d67

SHA512
54a2c1d4c8791ebc6324c1be052b7b73cbd74057d0ea46400cfd8e60f9a884ade60d838777eba7001cf44c924f63cba1a9708a6c71bf966f63f988c49ca70d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
821b1728a915eae981ab4a4a3e4ce0d1

SHA1
8ba13520c913e33462c653614aece1b6e3c660a2

SHA256
36c38bde1e74c5ee75878f275a411e528c00eaa3091e7c4adfa65b8b7d28fb3b

SHA512
b8fd54808711878ed567f474f174db662e2457b6c246f625e148944532c70d94d87e96ef6febfb657895dd0eadc25906c9106fa75c6b2d3bd37ca6786f03a8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
d1212ca126a0be35b71d1ea9003a0337

SHA1
a5da6f4efc6ad4eec4f1e41b3b3b734abea4b3cf

SHA256
7f4af741be1ecd3038a2eb32c972246ad0cf8a6877ab40f172afc98bf1808c12

SHA512
b309b1158ae919936e716fe0bef5e0fdda6a91e4e08d7be98824caf6cbb5989a280908d94355a1532465a21ab8c61498b360900d443c9fc83c779071e2e1d825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
2827672b91bbe30e932c3c908a6d5ed2

SHA1
b27d05054c95c53423d70530709bf5647f2502f1

SHA256
025553453f24024bbc2f0a6272a18cc442808b64568f205d7a0538ce8e2b8164

SHA512
21817276a9cd5c3075ca20bd2ee413dfee10d41b287c96a3e04a63d03e493c40f8156f2641c48c981f06566ee40acbadbef98da86bb97dc2331fc7703c334209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e259680c4006a224989f58f770ab0ff8

SHA1
9fed8afe5930f96e27fa9ac15d3421ad7466e8cd

SHA256
29bf5a4f8ab987c113e98f7453f5a30dee60394e63b213a528b29570d03a8d96

SHA512
9ebd1aa43d1e517e63e578632e20a519eb6d59c9107167abead6f64280075e80a70d841adc321188a2c77e9449c6519d421556940862d0cfe23fa0f34d86eac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
006c784211bd5fd076415e3b3c96512b

SHA1
4471940393c85183b33c24d1db297a16acf45cbc

SHA256
d99bcb8eefb8052945b16a5605ab6e6ae3eccdb533a8cc4607d8f047738eb64d

SHA512
fc3c7944ed4a4f9e8c4d08662d148419e1611ddf5da683a340855d4a0b97b2b3bf76f1fc1eb589992a644f75e85f80fc7a4ba297a7062de3f289dbeb6c59ad92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4cd2ca6acdaac3065df88089805f5426

SHA1
83e2ca242b4c81416f629842c7603e38b33bd95d

SHA256
529f705b06132d3f54f80ade74ec7ecf2ec5e95757c487ed626010e494312941

SHA512
85a40b85d39c29da3d33e60852962b0203a2835d6fda3f897f58c35bb0f4d0275ae45966ef15136dbb1f8202b9418124bad5d3cbde6214e264738b1b449b88c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
40054cb73dd68fcf513186a36e7b28b1

SHA1
782f64c46affe72bd6b334c69aae88aa32216b2d

SHA256
136f61f0d620207ec049ca6889378a9e89d998a6ef15fbd2a8095482d8d88118

SHA512
8689097b5b94b64af0be6b51f176041b25f5464bae229b7344df07a29893d5f13498c3f88f6448b956baa7accb460e31f5ffec6eda35f31b0587b5b0a1e63c76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
729df10a7e0b722edf6673d36f2040a3

SHA1
d082d92cb6eb8c0d79c9ea7e67e8b4828c5ea02b

SHA256
e2c498352af617d6d1106ea4d53c59fadc993a1f432068307250cdd0be68f7c0

SHA512
1619048945ed9b48ab2568dc546adf5173f2c60d03ee74f4616c3ffafe7182052b760feea19ce288799448c0f613b5e5592e5c547417fd7705997663439e3270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
79ca5da1731ab237323de4dd9bd19b40

SHA1
297dc20423a1f8c6b3b3a06f4d5a25c3356a2709

SHA256
e37d64199a4e6b01d26842a624e264e6e7c482d73f235380dc2831cc3cf89d9d

SHA512
c07172def8b7b8b734e373b8ef1fbd172cdfc545b42904a514c4080742abc16d92a2e4952258a5dfe1a752496c2b99ac9d10f0408cca26dc53d77ec6818a86bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8c303eb84fc614dc18444e26bdfe0803

SHA1
bb48a2c3f611444f391480509f6bdaeafa147339

SHA256
1facff993052f1a58186a85a605492464abef9be74fb95ffa8ec9b9b2472356f

SHA512
3973d08f2130793d9438f066205d941f3fe3eca8b3c1837a91e78d877290584e14478f5ac3f1967b4087b6db18b45bc641de72c34b745cf8c084adc82c1bc556

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k0aifmy2.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
7901f9cbe224ebea5e01f5ad6a269274

SHA1
0b07b599377111bc2a324a1af1ea2fcfc97ef6ff

SHA256
a43f49e31185ace600cb9da5ba353790d110506d7dc58d6549924ad768e99c63

SHA512
f17df40a764db460a5594fcae7e623173b7a21a77585201539bdd17860156bdd4839f4a0a6fff8c963312c47ef60e0fe4e497e961181eee13887b88af8000353

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
be4ffc0698ea884b90398acc81c743c8

SHA1
a48d8b1c91cf1b3569b504c8273770dbd80cfcd2

SHA256
5fd60af6df9b790aef0dfc4d007ffa89b34faec5fe2957e8bbcdc99fef768348

SHA512
55a1e7196e7a16675c7990c84ba3819070693b24ebbb850f4fda4a2996519d5454dbc8c28e9e352cf252cee576130733590d1e30390472390fc15e94a1bdd8f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
22875df0cd9c2a68fa48330ed03400cf

SHA1
5cbe3ae8e1c18fa2afdf7b6d2e29e407285bc5b9

SHA256
da4c9188fe72c5760351092771a5cea889458958b64c59d31a967059dbd04c1d

SHA512
dee69671a4b83112ef478d0034e909baf4c020be5fabe3167f9ec2deb6507ff49c7863f396e027bfe1961d21fd14e0823b7e9f10ec90614db0f94fc981a015d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
04a334b8c4bb6c5977a08ac5bc4e591e

SHA1
ca7a035faedf90f8f6516d418c1284dfcf9d9dd5

SHA256
5b0cb851207defef8875aab8b92726d559e2def10aa2ea74acf6608ea35589ad

SHA512
eb0b4583e25dd6dd7ba7b4733b8fd44b5e941e746f67de76b36451d96ff5ad4731f8e76b5fa45345b1e624448f0a07a2f40407b6deb4863b807c036a4cf0ffbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0222ea12bea4f47a071674dd3d61ce37

SHA1
23c59ad9de094a47a28fab727e5aac6eddb6f0d6

SHA256
ce00526c9b5a9a1c3a2a779e75cecb592fbd9fa0d17be009406edcb7e67e3eca

SHA512
e20608bb1d18bc523f3a4f559082473c2885c3c7e102db4a5fdc3658702fb3a09a56cc33e81eeea598e150a8fba544641aa2a067e1d76f979bd5fe7495619ad4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d9b1f11043c609a167d569230d49f1c8

SHA1
638e44a63a38912eca4f062e6b2cb1c5c585cad1

SHA256
b32262b111a218ce1017b132b1c7a5c1983c83a57981c4da81b4d78f9abcc534

SHA512
07ac1c2a22607eae223bea694c70cbbb4562b833b8932f65422d0bb3eeaaa43de769e2bb027c3c94ea230cc41527f64ac81a4d1f30cbd153edf8a57675f9217e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
17757c8d52eb03f77e4afee2b64282ea

SHA1
9ebd2a0df01d771343bb220e3600da82f6e5a945

SHA256
45123f11395be40e4cf1f3edb933aa74ed3dd2d4185deea450ec751462a017e1

SHA512
2bad31339556de51fdee93c58406eb8c08d52083ec2816f88f9eb9d0ae09008d919a41e7ba7ee6eabacc23633f1aceb2d2617fb490bb02f72f3bc5387b79065f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\pending_pings\8a48927e-66c7-40f1-b36a-e58bf4059e26

Filesize
982B

MD5
eed05c8475fe76a25294abc03d170156

SHA1
320677ea4e0490ea0471b926d74c7ca2c9bcc140

SHA256
c7dd05038b385b5355242fff2024027448e4ba1bb30bf713e78de745233b2818

SHA512
a50a15a8fc06411a68d6f959b5ebe18dd83b3446e65278d8e8bdac805c192d8727e577edf832f10f901d80c20b7187a454c3e0cd2a859f8d998aa9dc686dcc5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\pending_pings\a5812df9-edeb-4440-9801-f41bfcaa904e

Filesize
26KB

MD5
d882b604176be0e44625019f6063a32c

SHA1
42b8a704de821bdf765940c339b95779fb3e5b44

SHA256
26e66071745099dacc20b41431026a3069dcff74d61c4c4226e9b6474e3af05c

SHA512
3084a355d20e8f2f65f30167b0247d90429762d65eddecea255785d721e2784e36c1b37589b7f8cbdbe6ce014d7a7fe8424dda808a9fa2edc6cb07533fa9c3e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\pending_pings\bf60246d-75db-4de0-af3b-12ed921b0c76

Filesize
671B

MD5
743c1bf7feb8b0e0ead2c75a3f22be76

SHA1
abd57ab55d01b4a15565e5c5b3d222b68ed8ac08

SHA256
e9faa197fa5d3396a20bc87234bd222d66db9179618b22b8708d3406f5fcc33d

SHA512
ae024489f1716d1be7402e43256be8d1d4bb81acd8b53c7e7c3a4ee218303671ef38e51db6f4ca801c0bf51928ebde1b70013a327483e0d5c54efe3f819e35ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\prefs-1.js

Filesize
10KB

MD5
5e600ca550dd7329059137ef3c25aee3

SHA1
44543ade0bd2e5a3b098c7c94d991bf58ff7808c

SHA256
c5a649b0b2bf2f3d00ab11365ee19256c103c2268054e1a617f20e65f4f32eda

SHA512
e7ee39de446e412a5f2274fccb2a37f9b6e3d8c53b0c9cee0f1caccd9ea8b9e29758eeecf7238e789b64b13e5c1862965c19ad5f136675eab97f4c12dfeb712f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\prefs.js

Filesize
10KB

MD5
953e64d357eea75a942373d805b5bb42

SHA1
c7320212430f5c5e3ce9aa1e07f8c71e9395475e

SHA256
1bc3f455033b300757c50da7b6caf1bc92673ccf3591bd459acfcdcc088491bf

SHA512
60f960f9068fb5242a3df42eb6535ca3c6314824fa86ba3cf6101e4bac157c0c2405f34bdb7ffe4e4a02016ff0ba205026773c72670a3df29608eecf9991db4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\sessionCheckpoints.json

Filesize
228B

MD5
a0821bc1a142e3b5bca852e1090c9f2c

SHA1
e51beb8731e990129d965ddb60530d198c73825f

SHA256
db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2

SHA512
997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be

Download Submit