Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    71s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2024, 06:57

General

  • Target

    https://drive.google.com/file/d/1VpBRnnC_erXVp06OsZPaNOCorWLbDDet/view?usp=drive_link

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 53 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1VpBRnnC_erXVp06OsZPaNOCorWLbDDet/view?usp=drive_link
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf3a446f8,0x7ffaf3a44708,0x7ffaf3a44718
      2⤵
        PID:1092
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
        2⤵
          PID:3836
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2416
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
          2⤵
            PID:2760
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
            2⤵
              PID:2768
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
              2⤵
                PID:4060
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
                2⤵
                  PID:232
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
                  2⤵
                    PID:1324
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
                    2⤵
                      PID:3928
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3720 /prefetch:8
                      2⤵
                        PID:4404
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
                        2⤵
                          PID:1860
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
                          2⤵
                            PID:1480
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
                            2⤵
                              PID:2364
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1772
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
                              2⤵
                                PID:2180
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
                                2⤵
                                  PID:2912
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2428
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:4272
                                  • C:\Windows\system32\OpenWith.exe
                                    C:\Windows\system32\OpenWith.exe -Embedding
                                    1⤵
                                    • Modifies registry class
                                    • Suspicious behavior: GetForegroundWindowSpam
                                    • Suspicious use of SetWindowsHookEx
                                    PID:3952
                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Arbuzowski_Assets.rbxl"
                                      2⤵
                                      • System Location Discovery: System Language Discovery
                                      • Checks processor information in registry
                                      • Modifies Internet Explorer settings
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4912
                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5376
                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=07DAE3D75F47242285FD1C24A7E6A7EE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=07DAE3D75F47242285FD1C24A7E6A7EE --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5520
                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B4C51A1E3052E115A8DEDE44CCD909F --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5540
                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6BA8B579FD9AFC09928BB0656D2FD55B --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5756
                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C3E53D50544FECBE5434178EC7E2B9A --mojo-platform-channel-handle=2032 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5852
                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5AFBE9A94DE6A21D0D273192E5C7A2DE --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5940
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:5532
                                    • C:\Windows\system32\OpenWith.exe
                                      C:\Windows\system32\OpenWith.exe -Embedding
                                      1⤵
                                      • Modifies registry class
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      • Suspicious use of SetWindowsHookEx
                                      PID:6108
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Arbuzowski_Assets.rbxl"
                                        2⤵
                                          PID:2976
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Arbuzowski_Assets.rbxl
                                            3⤵
                                            • Checks processor information in registry
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4080
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87f2ec76-a8dc-4b19-8dab-bbe72f0b090e} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" gpu
                                              4⤵
                                                PID:5808
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a8421f2-9754-4fb3-8501-a685132548c4} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" socket
                                                4⤵
                                                  PID:5892
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3004 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bc15764-023b-453c-b427-76aae77a4427} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" tab
                                                  4⤵
                                                    PID:548
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3516 -childID 2 -isForBrowser -prefsHandle 3920 -prefMapHandle 1232 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a77b4ed-a0f6-40e8-a532-289f7079dfbc} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" tab
                                                    4⤵
                                                      PID:5840
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4488 -prefMapHandle 4544 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01a0cec4-69a6-42b0-a7cc-e36c8f1d2ff4} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" utility
                                                      4⤵
                                                      • Checks processor information in registry
                                                      PID:6528
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -childID 3 -isForBrowser -prefsHandle 5620 -prefMapHandle 5592 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15346355-cfda-4805-aa01-a9b45b828830} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" tab
                                                      4⤵
                                                        PID:6252
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4528 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5576 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {581204f4-fe1e-4421-90b1-d4cf97767b32} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" tab
                                                        4⤵
                                                          PID:6260
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 5 -isForBrowser -prefsHandle 5844 -prefMapHandle 5848 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abd182c6-6b8c-48b5-a1a1-9b8a78bbc808} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" tab
                                                          4⤵
                                                            PID:6280

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                      Filesize

                                                      36KB

                                                      MD5

                                                      b30d3becc8731792523d599d949e63f5

                                                      SHA1

                                                      19350257e42d7aee17fb3bf139a9d3adb330fad4

                                                      SHA256

                                                      b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                                                      SHA512

                                                      523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                                                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                      Filesize

                                                      56KB

                                                      MD5

                                                      752a1f26b18748311b691c7d8fc20633

                                                      SHA1

                                                      c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                                                      SHA256

                                                      111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                                                      SHA512

                                                      a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                                                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                      Filesize

                                                      64KB

                                                      MD5

                                                      c2f951dbb4b98be71a618f3175178fc4

                                                      SHA1

                                                      d7bfd37a777e40020e44aa36be2673da99ad4e9b

                                                      SHA256

                                                      ad679814eae830d02a98353f6ba9532b4db79cb9f80e6caa4f51f489aa77e41a

                                                      SHA512

                                                      3b7e9974c99155bfd89d3ae8c19182df36d60b3752b79ce1b23ea65aa50c9202b189f1ae1c29ff5e58c998408da61679b4229a6607b38ba4784abe377f1a828a

                                                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                      Filesize

                                                      64KB

                                                      MD5

                                                      33c19c50d64dbb296ab6e38adbdd8c62

                                                      SHA1

                                                      8a80f7b5c872e52d0562cf5353f423b1452a52b2

                                                      SHA256

                                                      84558e7d5bff9a79fe5199b2af786c99eab4bca072756604c891247fb3f8185c

                                                      SHA512

                                                      3176df555dc473e0af960e979fc67e22882e4abfd595be32095be42c1cc17214b87eede304bec78abd4f23131acc6af8027fdadcb52352e522c96077ee26565c

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                      Filesize

                                                      152B

                                                      MD5

                                                      99afa4934d1e3c56bbce114b356e8a99

                                                      SHA1

                                                      3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

                                                      SHA256

                                                      08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

                                                      SHA512

                                                      76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                      Filesize

                                                      152B

                                                      MD5

                                                      443a627d539ca4eab732bad0cbe7332b

                                                      SHA1

                                                      86b18b906a1acd2a22f4b2c78ac3564c394a9569

                                                      SHA256

                                                      1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

                                                      SHA512

                                                      923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                      Filesize

                                                      456B

                                                      MD5

                                                      6635b5bc679ad90c2d9a6f87cd92d212

                                                      SHA1

                                                      2d865de800ef649ff156758d162e24306f37420a

                                                      SHA256

                                                      ae5ee1423cb7a2fac4a5de8f9847401b28c2e4c301ac715aae6a53de0d51972a

                                                      SHA512

                                                      a796ff0190616b4c719c9353c2729680a392ac22ac58237821ce15a1e99d23da4ccd6a7aa0301ed4e1424eaaa479564786c37f33a66705269c99e1107033dcab

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                      Filesize

                                                      3KB

                                                      MD5

                                                      079c39dd894ad92da9f1eb13140ca054

                                                      SHA1

                                                      b9dff1fc97fd941c6400a5a2d3795f974b0f63ca

                                                      SHA256

                                                      0601da6c02158706fa44f9195d5ccd87fa966a99266d369f3ff007dcb2d9f097

                                                      SHA512

                                                      b300a57ac449d8a22182421548d0d1639ce19344e34a20c62246855c3b0ec34e6de0a3dada6b58688d116bc0c216af6ca54044dcc5e8fb8ddcfa43bd493757ed

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      66cb1d478972ca9dd20fe521e46631a6

                                                      SHA1

                                                      6300d0d435d898935abeb64732784bc13bea4715

                                                      SHA256

                                                      a220286c7c9a651022ec5768638bb1a241ad73cee65481b89257fad2fdd68a75

                                                      SHA512

                                                      cdb607dc20d92a32bfacef77df1a6c4b72df3d82cc93d062e5636d55d99460b412f76e6a5ec3ed588fa5939d6742588f341753f59601a143d93fdbcc78f99cbb

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                      Filesize

                                                      5KB

                                                      MD5

                                                      f3644bc0ca01d7f6d2d73ad637a8dbc0

                                                      SHA1

                                                      c9611605302b7c2b9ba92231df6a7805f7f8de7b

                                                      SHA256

                                                      f8f83bd90f89fdef13cdb96c2b43b42b56cb02dae89d7a82addb6b0ccac63249

                                                      SHA512

                                                      d34f89dfe13800f94b50728a2013848664d83f55b670a3291d675fe709ce7e0f961c079d9490cab854fd8b74f3a3dde1cf00dbafb66bbef8c08621ff9aa503cf

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                      Filesize

                                                      16B

                                                      MD5

                                                      46295cac801e5d4857d09837238a6394

                                                      SHA1

                                                      44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                      SHA256

                                                      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                      SHA512

                                                      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                      Filesize

                                                      16B

                                                      MD5

                                                      206702161f94c5cd39fadd03f4014d98

                                                      SHA1

                                                      bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                      SHA256

                                                      1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                      SHA512

                                                      0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                      Filesize

                                                      10KB

                                                      MD5

                                                      cc1f233df928c988c370aa9a37174b0b

                                                      SHA1

                                                      560a6fa5483dbb767c855bd9ae7fbca61af3de75

                                                      SHA256

                                                      b8515e53aec70bbc6c4accf7849a57ca36ef51a73b6da5eb59242a922feff481

                                                      SHA512

                                                      cedf389b819c3be4c7d2df31e38eed7399e3b31daa61591c25d4d560e4a158112310e06d649a8dd1baa579972a115c13a6c1e7102248c7af226565e8c637b111

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                      Filesize

                                                      10KB

                                                      MD5

                                                      fca2a40869fc581573678a0db1b60a38

                                                      SHA1

                                                      1e57aa460c58826668a2710678b7efa049e0defe

                                                      SHA256

                                                      e84822d748e4318b9c47f6e1e9249f23e5fcc22498103259773b3712b61a6729

                                                      SHA512

                                                      48c7c613113bfb7625c7a0f04bc428a78ada7661996864edc2c93ad68a8c284178d4d0524451af4152e08b4a8198ab850067e5a0b1fcfd98bdf243316ba5c6b8

                                                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

                                                      Filesize

                                                      27KB

                                                      MD5

                                                      564e8c1672263f7864e5b83a2ba0cc0d

                                                      SHA1

                                                      a01b963d60d9bf3dbfc8e2393fae705cb94f803f

                                                      SHA256

                                                      41cfbdac2a94a71591b62e9f8aab8b4a7eec8e7b875c4552060e7bf77e50a4d7

                                                      SHA512

                                                      94abb87e60e49801c8f1121af9c6ec35da3ea5c36858a1fdd667bf4d065f1dd2705268d087aec3d09385f9a64807613a42906315b180661196b90971da017be9

                                                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

                                                      Filesize

                                                      15KB

                                                      MD5

                                                      96c542dec016d9ec1ecc4dddfcbaac66

                                                      SHA1

                                                      6199f7648bb744efa58acf7b96fee85d938389e4

                                                      SHA256

                                                      7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                                                      SHA512

                                                      cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      3eb48a1ad057c23fb47f5c3ca2d3a0a4

                                                      SHA1

                                                      877c2a5f8bf5cc67d5e7d6e4afd3bb7a14a8ab71

                                                      SHA256

                                                      8b4ae4986d0f17dda3ebd3116c997199e7bc10518baa4c287b47fe8b6df834ae

                                                      SHA512

                                                      6e71408d00f5e2d493ee35d30390e24bdc4cea9c33fccb38f1aa631dbcbd8d22502815e48c02a82ff3f20c7e96acbc226f63a9fdf9d3db25bdd9b78461529bc4

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

                                                      Filesize

                                                      5KB

                                                      MD5

                                                      3a49125eb27e3ea30c6e9d0174acdd4b

                                                      SHA1

                                                      035036617d48e5ab4277961a9cab5d3fb609f712

                                                      SHA256

                                                      c406b732a496639137aca5804170f98927831bf02f9f0c38584ec7e3e74337ae

                                                      SHA512

                                                      bee0abd6c2d986ba87611e2804c03a72e58f64c9f6f12eab0828f0a78483e9c6e55b817d1cbb8b053da4db5d6df394c36ec80bf9d32891684ed82a96429bd5b9

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\d4d53552-926a-4dfe-a9af-357bd16e0957

                                                      Filesize

                                                      982B

                                                      MD5

                                                      ba84b92017e8c31cf31edf3e92d60a06

                                                      SHA1

                                                      921f7491dbe19cc492c5627b19887a4663dddb4e

                                                      SHA256

                                                      8fe32d0a26df3337f06e972d392c77a201c3fbb2c7972596f08cc3e4d607608a

                                                      SHA512

                                                      7d22ff74cd20638ee69135f3dbba78589332264da66e68073294a41b31ff8af297380ee735f539ea0325fef9f11eb718916c9ecb8191d00e86643fe8cca478b2

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\de5a4a77-70a0-476f-96d3-4bca631b84b4

                                                      Filesize

                                                      27KB

                                                      MD5

                                                      a6c98e061432b03a04fbf47f39495266

                                                      SHA1

                                                      c8334d66006ddcfa0aee6da2b150aada616ea871

                                                      SHA256

                                                      149ed2a9221a3770a89e72795cb46b66ab72d196ca082a26631d507207419d89

                                                      SHA512

                                                      d83b9cad5d319ef20e1ec5210565c4424030c62a11a1b9d186ece98c4068c814a0f43c4c7601572f1b9255646551421a6c38d6a077413118576c8fe4246369e0

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\e160f8ef-d40a-406e-8bdb-0fa27d3b91fb

                                                      Filesize

                                                      671B

                                                      MD5

                                                      52910015d8b36d84923c36553ebd90be

                                                      SHA1

                                                      08dc791d324b19f3cf0de8c8009e75ae3ab5360f

                                                      SHA256

                                                      9fb2acc287ef903a5d87150980c152fd8730d430401cf60de807a87e932dc4f4

                                                      SHA512

                                                      598f69f8a616ad5297ead9160fe5c68699e07d4356afb752165ca54d6c24722066862e850184ddccfd6428f91cab621f1b0663da0e840bf653f6b3c7392bf589

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

                                                      Filesize

                                                      10KB

                                                      MD5

                                                      51ce66ae2497d368b8ae047989680616

                                                      SHA1

                                                      f55c3629ad9ec0d2a4ed9568708b8ddfbd176a6b

                                                      SHA256

                                                      23e5940a4cfafe399c4a9525a00dc50ff39958e69273cf5d9edad7b690344ed9

                                                      SHA512

                                                      adbf6dd2a0acdb41b62757d794478373cbe2f28c74cde99bbc08c934dbfe32e1f501c7caa41f96da356bc4ea28efd9e07207026055f192005f721de3fdc1a400

                                                    • C:\Users\Admin\Downloads\Unconfirmed 928237.crdownload

                                                      Filesize

                                                      253KB

                                                      MD5

                                                      796d66d723ece77bd5d2f9e6dec41b03

                                                      SHA1

                                                      04969cb5552b90f8b44a04f1557855e26d6901a5

                                                      SHA256

                                                      448b29eb01ca755fcbed0406a6ddd3ccc5b62676e6c157ff75ca29ecaaac7917

                                                      SHA512

                                                      1f67021965369d3b81e773047adc12e7775f43392fc51cbe7b076ee147e05bd7ba3707e7699c51bb1f0fb1dbd1489d8448c9913067eca221c048b2453507936f