00ee889c55c2005020c4e11e4f334fa7611ed8f9111aabc85dda551c88b045c7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

id=746904.html
Size

51KB
MD5

97124c199890a1cd071e9edace4a6041
SHA1

a5ffb8c9c9e6c244c0dcede7a91a33cdb0f88309
SHA256

00ee889c55c2005020c4e11e4f334fa7611ed8f9111aabc85dda551c88b045c7
SHA512

76d3cd3b840d3b437c79c1b07be713ad8df7188111a69855671eaa684da5dba717b78a7503a10da3f5b1b98a4f528163401f453b15bcbdae65fb5a018eba2193
SSDEEP

1536:Ol+Md7yPdr0sO/TGRKC9IYkPwJ333DI5I5BuKtEL17kmLWoL:9CL1oi

Score

5^/10

steam discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand STEAM.
phishing steam
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3820	msedge.exe
3820	msedge.exe
2604	msedge.exe
2604	msedge.exe
336	identity_helper.exe
336	identity_helper.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	firefox.exe
Token: SeDebugPrivilege	4604	firefox.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4604	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 4052	2604	msedge.exe	83
PID 2604 wrote to memory of 4052	2604	msedge.exe	83
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3220	2604	msedge.exe	84
PID 2604 wrote to memory of 3820	2604	msedge.exe	85
PID 2604 wrote to memory of 3820	2604	msedge.exe	85
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86
PID 2604 wrote to memory of 2052	2604	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\id=746904.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa4bdc46f8,0x7ffa4bdc4708,0x7ffa4bdc4718
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2028 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1184 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1148 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7198457079190875926,11393630679371218695,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5448 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4884
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd00cec4-4358-43fc-a9dc-dfea2f44561e} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" gpu
    3⤵
    PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c99a283-6fe6-42b3-a66b-c7531792e4f7} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" socket
    3⤵
    PID:2024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2824 -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 2932 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {407fd03c-9758-4901-bf56-dfb2fab2cf37} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab
    3⤵
    PID:1260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3872 -childID 2 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaaee839-1513-481c-9bc4-cbfd7938f7dd} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab
    3⤵
    PID:3240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f3cd42f-fe92-4385-bf37-fc7b933a8705} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" utility
    3⤵
    - Checks processor information in registry
    PID:5788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5348 -prefMapHandle 5252 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9d1367e-7b99-4f8b-ae63-5f0b8683cb54} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab
    3⤵
    PID:5304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2dc985d-83a1-4136-9b32-6a7b26ed082e} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab
    3⤵
    PID:5292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bea4123-e81c-4ad2-8f18-9da2ff318a3d} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab
    3⤵
    PID:5276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
421B

MD5
d896d559da8e4520556e4f467f1a5f1c

SHA1
279e25aa4f2a7854cc65a841643ae70b4c52fe31

SHA256
1582be2c995897c8bbbb3698fa42c3b3e5e624c08fcdebc31e9e683fad6b05a1

SHA512
b722934cbcfedc8c1f905403dd1df7db7f8ceb57f94723c75a9e815cae291c5adeea9ef5cfa0a44d5b310802842f0a98582673866a3aa91a0e5415d4757830b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
622a62c5e102bb810ee2197352c348c7

SHA1
119de08b992f390d78ee5fb57c790ce3a27304ab

SHA256
604010e6f51900b2f280849d25c1d59c807831cadc5622513407c3e992081c68

SHA512
ab4d554225dee55df771815941ff9a9c3dc4b2d40d153afa7ff10d3310c5328a24fb12b4475281ddda1269ab6f8a25f8b23fac0a13e916692a027b181cdeaa7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc4324e0bf66ae64b1d30ddf4ab99c48

SHA1
d5960d99af6316c903186dfd158947aa203baa39

SHA256
fa5bed2a3b80a7b5bb69ce06fced0020d71a0cbe8b34ddeef8c36d498fffd5d2

SHA512
bec9554b658d5d7114f9d189e21b8c8529574fa4b06754b3fda78030725254af1f2cfe3b08796336dd7ae3318a4f06eb06d11b524e89ed30905f86015929f926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8691e0fbcc344ed3e0e658ea03198887

SHA1
385a670b7bc58bb59a4ef873b0edabee66fdc9f2

SHA256
77322162df76daf4b58b2a7abea60b87efbc06f52581ce393a8df05a416b602b

SHA512
7dc6914a8ba7227faa1b48d9d435184c0eb363e057d4d8a69478f955b6545544bcc5cbbfabe8227596ee0fd1fb64af813ff66445e246b66231c74671ce79504f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8a84bc31f7a2fdcc5f9654a2e407820b

SHA1
8fc9f075de21298bd36ba9938a77499c8da3e568

SHA256
4b29b80249dc2278d9c7e22447119a0774fa4015f0b3cf28a8bd635a25716163

SHA512
09f0369737552bb86236fca365317ab5f963b5236626dc07ef99b65391d79d9e1afa3bfa914704dc8c3c150e4d01fff57ef559a8e44186c0e6c0040cbf1cadb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
16016a3a80d736117098e2f2073839ed

SHA1
aa8b8e922dede5a3ebe5ee06bd631e4cc8ef1642

SHA256
4517b9b15fab66d56625b9fb5cf77b896c13df8d0a8647a0f09a208140a7228d

SHA512
78eeb35e2c055db8a1345c8d9825901e3be5f77ee7180274060476cf0e7107f4b3f3af7c9697c192def9abafef03e2c5b31193d46af0c0836b03aa037ffc679c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
d7001051e6e9941ab474f6f9e938faed

SHA1
2f9a18cd8bae4e00fd5157eafa1d1b76c123daa9

SHA256
8333addaf0f610705fd6263bfb45fb260839573daf3815d9d926fcae566b7663

SHA512
5cc899573aeb4570bf4db3d004a5578af91845b807dbb507c6a09fee8d5f870a0afb8680e22f4ee3e13df8b5fa4f51225066145cd46e7301435a60da17fcdc30

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
6KB

MD5
7020e12354af1921702416b5f85a2894

SHA1
83d7a7e1194bce298d86c4b6acf80da662659d63

SHA256
ac870ad457dd046ba01c8a54a957637cc63fdcdf81bc1fca1d7b8d7cdbcbbec4

SHA512
0dc7c73c511adc45bd9c96e682f8be4c71594eef42dbe8eedf2c74a9ceeb61b69f5abd547fe01e35b993c4a835242ecb9366b29dbc2adfcbee3f939097d2052f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
6KB

MD5
4d001ae24502294c9aa8252dc81e586f

SHA1
e76b7b0f535dabcd5177395917e25ec93f4a8688

SHA256
6e8bf5fc4ac9892bbc5991681f1df654bb4916919b8a8b50458ff62326dd3a25

SHA512
028291cad82db49461ab5f7752c106b0315cf376ead75eea282a363c72fdeb2b0148c8082be11f7c8426e48c6de7790c3e7f49ed26df1c61883ebc100ef47e87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
7ba713416e1b278119681bde5154ae55

SHA1
6ec955150c5c0cc297fbc19ff468e90e133611be

SHA256
f71a2ed73705eb76fdbb5e32b87fa41ee40749c0ca6be418f8e2daa788bba23e

SHA512
d316ca2df398d8261bbea70ca0c90219b62e895e37af14f587e997d6c6034294bb4e6cc4c21912f811a2066a6620b0d97de870f33689f645e4d0903635e034ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2cfe324acc8cf42900e366464e51ae61

SHA1
168c9434eb0fb786a3233eb02f6c160716c755ca

SHA256
25f3314c34d9ab122652ce88ff58ab27fc3e2b79414c8f91656a7df633e9013e

SHA512
d43e79978cf676bd5c52657cdf24d2c699b5681695c0d7d6c7f9c6f6eddb797efdb2d95f2a26d6ee37096c2b02d2562c63d814fec81f0fe35153a5de65cca7de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\0cc780aa-a558-4451-a11b-61620041d0c5

Filesize
982B

MD5
8aa52e4ef3650d00a69ed7af0fd8acb3

SHA1
fce6cfe630a60011922dafb84099c75a93b60400

SHA256
34f64f27192d924ed34a5280b2a9ed8db87b9bc0023bc69380d87bf2f44f1126

SHA512
c230166df2be25bfdad6ea7c3d7e452e46a7cb86396235bc6fd063d604e2a674c632b5a011536bb023f36a270b0e28e530627845b6fe7684ba4f69d903cc1317

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\66a08ff6-b6d2-4de5-ae83-ca4537864972

Filesize
671B

MD5
6f5dc9359a1e2cc8a888e154c2315607

SHA1
987c69ddc2eed3fe4331cf0307d31f7aa1e6477d

SHA256
9327caeb26371ee996f9c7928ec88de89a441dddb1f8bdd4157eaedf4912b329

SHA512
612f720e5033a69c55504ffcc453a0ec60eb93a10ea467e39079e92073156bc84d94ceee49063139ec9473d5bf9526210c3568c75f25f7be46732fbbdce82793

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\f2d9ca99-69f0-4fb9-8a7e-7d483da67ccd

Filesize
25KB

MD5
daac8aee35347812b001526a9e6e5acf

SHA1
355e2ca34a3416151bc8e7cffb2ad1575c64cd3b

SHA256
eac4c7d3f61e9b4be1eed0eca2c4228a9fff16d71dcfe2967cd3f5ca6d2ec2c4

SHA512
261b5fd108c4a797403b6ed658d03bac6d9839f9533ffed0f2705d75b4bc0d99af16eecf2c4ae8a217da203db625843146edd1ceb8a60a9c1ae8b2dd80a99cad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
9KB

MD5
cdafd6cb9c08ab15b9f1bbdbf230f6ff

SHA1
ec7b4c1497f2b6ed8e3eea4d530a81f2f2d677a8

SHA256
c29855afc6dac9ca03c8bd78e790bd76da14ec2ef66839f94ed77271735de161

SHA512
fece470bea7fdf29e89ada52ae4ac59201b89a0fc14ac10600eeed7dea64472dbf5ceb20939f2edefc0d5deed6d4991b468a36df71ca49e241eb7305fcc35a6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js

Filesize
10KB

MD5
1776415c575d1f90eb589416c44b90c8

SHA1
323a7811cb4719f97694632cbd2dcdd44216e7c7

SHA256
edba326a860d083076b286598dcd9ef9180b3b6f6fe2ba625b20bdd58213e26c

SHA512
afa6176d6e69c7f6c445d8101641731b79eec94d228c1834582daaeb60c1b2555b63cbfa9e3958b214f5c03c9e662ae2be884f47e46847dbf511f162d0c9bb15

Download Submit