hxxps://uptostream[.]com/assets/coins[.]php

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://uptostream.com/assets/coins.php

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1576	msedge.exe
1576	msedge.exe
2672	msedge.exe
2672	msedge.exe
1428	identity_helper.exe
1428	identity_helper.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	firefox.exe
Token: SeDebugPrivilege	5092	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5092	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2148	2672	msedge.exe	74
PID 2672 wrote to memory of 2148	2672	msedge.exe	74
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 5088	2672	msedge.exe	87
PID 2672 wrote to memory of 1576	2672	msedge.exe	86
PID 2672 wrote to memory of 1576	2672	msedge.exe	86
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88
PID 2672 wrote to memory of 1424	2672	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://uptostream.com/assets/coins.php
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5f5e46f8,0x7ffb5f5e4708,0x7ffb5f5e4718
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5825887151814804424,9131138743824989163,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4160 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1224
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.0.438039497\1939264415" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b023e9e-e5dd-44c0-997f-c30836db8e8d} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 1964 1f79c7ee058 gpu
    3⤵
    PID:2464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.1.938151181\619564214" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc0cd31a-251f-49b8-9788-d9e3be770166} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 2364 1f788a71f58 socket
    3⤵
    - Checks processor information in registry
    PID:3020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.2.1947584386\1170625787" -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11327d97-8fe6-43b4-b47f-64b0c163d040} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 3472 1f79c75a158 tab
    3⤵
    PID:3104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.3.798513582\1624483699" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02206787-ea23-4611-bce6-b6ff068a6ca6} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 3580 1f788a62b58 tab
    3⤵
    PID:5104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.4.411231125\106422729" -childID 3 -isForBrowser -prefsHandle 4572 -prefMapHandle 4576 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff140a0f-9911-4d20-a95b-730cbae7fe77} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 4732 1f7a24fab58 tab
    3⤵
    PID:5204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.6.1874327605\899864895" -childID 5 -isForBrowser -prefsHandle 5248 -prefMapHandle 5144 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3370a449-d6e8-4df1-931b-fe1cf322a924} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 5124 1f7a2ad6858 tab
    3⤵
    PID:5596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.5.692047446\1520935280" -childID 4 -isForBrowser -prefsHandle 5096 -prefMapHandle 5076 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f9e5afc-b9c3-4e18-81b8-89de6b0fe1f9} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 5100 1f7a24f8a58 tab
    3⤵
    PID:5588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.7.486297425\637729886" -childID 6 -isForBrowser -prefsHandle 5552 -prefMapHandle 5548 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61ce2c05-5c4f-4050-9b9b-e0b5f0631b39} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 5560 1f7a33b4b58 tab
    3⤵
    PID:5612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.8.1510073650\2059437728" -childID 7 -isForBrowser -prefsHandle 6128 -prefMapHandle 5588 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a53fe650-ae0d-475f-abdf-f37e9a487586} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 5836 1f7a43f1358 tab
    3⤵
    PID:5260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6f47b83c67fe32ee32811d6611d269c

SHA1
b32353d1d0ed26e0dd5b5f1f402ffd41a105d025

SHA256
ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc

SHA512
6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
182B

MD5
c90a8037b2c104341061915d55c372a2

SHA1
d050b1fa614f006d1354666c08428c63b46449ef

SHA256
cf2ed018a1a726de236ac967ad1dca4147754eaf078c91de91380b1b49793a97

SHA512
28ec248a4ecc2d2c315f6156796d63529fc76a2ed0ff3bd9044ab66f413beec9ec77bc6923d3f0d6913e16ff1f054675865132dfa52b5f522800c641619fd724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4b67433215071b3cab9151179413e49

SHA1
db1dc0c959da0f9a1149c6d29ca27fb1645a63cc

SHA256
d193bffa2832eaa05d2acea4efd0d288439fda7880e29172eedaa4381f3f0a9c

SHA512
3d9c05dc9bee0a346db7c39b6cc02c1d3291d1bf8c47454af99e408a439ea60203b2dba51f7c5816de324b0250678cbbe2cbc4e6945f79e18d43869f57497ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c51f39d82c0aa3e8e0d08987cebd2581

SHA1
fd70f0a128aff97e08a0958131b69e95107d801e

SHA256
272a6ed022e85badaa0725d8d1687e2a09808fa11b52372f562d2bb5d1b3fad4

SHA512
70e8d713437194dd290d1dcdc4f4c9719c3d82a7220a52f202d1c47b699aa0c4015ef6b7cccc4882f5459bb4368ca1f8fe118b7bc210f8efd5cb008572549c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1309bbdef584feef9229c819618cc763

SHA1
92f6a4104a3dd7f728845b1d436bc9b3d24a483e

SHA256
d925e900883c6ec43ee1dea27507b5a7131a3b24ab9238380b98b995b7816414

SHA512
7bd886dd0d7572ee11e481da08b0c0b8f69bef03da0fd3fa44c06babe0cba90e51cb791ae360937c23265265a0108a65260f1df3b497b3065c511567cf6ed72c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5544c64f2a8f49dabc19eb84267b1c9b

SHA1
c5b78d63a8bab1c7b985f7ea2f268d0d7809071e

SHA256
a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f

SHA512
38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4e4053249066908ecabf4e68ba677772

SHA1
17ff72633bd97adaf6cecb01762731ab118f4168

SHA256
2be716b25e617e07faf6e49975427186353fa0f618061f812dc22a079a78883b

SHA512
eb1a05a9fd23ce2b17ff27a2fba6e30531e9bd232cc9545a3f5ff83efaf021990bb2a64b52116faa48f64c80a7b98a8b664f25c000453104f6ede0a4f11dffef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\bc072231-8625-4faa-814a-a3af9611ab53.tmp

Filesize
12KB

MD5
d5fd2ef279f72f1aa6fec442b898ea1f

SHA1
b65b08c486032da36c26eb54e53fc5ed79273825

SHA256
bcdd96b54565cb307715146c61acda3de41c003e73f1722ff86fd7653076afde

SHA512
6fb2d749c23565178f36cdf8622d14b620fe0c699224a1de319bcc8b8836f60e95ee6b1dc177b893044f9b9945c828d802895f419645ec7ecdc4f84c491c09be

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\activity-stream.discovery_stream.json.tmp

Filesize
152KB

MD5
dd48e48a5f3249d1bad79e1668416241

SHA1
d7e9bd4c99b80b5099fa0863454c61269d4393c4

SHA256
31f7c184c9d065d102f9d56574898bf94cdb10431710bbcc9d56509e484a7f94

SHA512
2c49e920c55fc39badf0f941b9a6345f8e9584b7eeac1156b8b71d65e0bcc5ab2cbc313dab78419c6149d42b1880813c2fc2e18fc5c59809bc9fe102f88a5cb9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cache2\entries\4B7349D07871FC3028F3B6A89141F666F290095A

Filesize
33KB

MD5
be37aaa47398997cb19cb2245a1d11ef

SHA1
e18454b3c4ddcac74ce6251f79dc8dcb32022192

SHA256
f9cec7a7ad3d89cd2dcbd88dbdf5003b4d4d51c601899f02e72d36fb85e7c9c4

SHA512
970ffb1f6d286f102abc7fc3706382932123593619d6797f925bd352f4970e95ccff1781385472ef152c49cab6b54aa231cc8c9bd8c765a55aad855b5d3ca095

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\prefs-1.js

Filesize
6KB

MD5
4b4ae6dcd99c8ac1ffc5e5cd3f410f8f

SHA1
82d9b4fae7ee3761b9cb4390d129eea9813f0beb

SHA256
6abe81662fc9c145d9b97a682dfd7b4336e2d6549d7ec3d85e5e8fbe843c1a2a

SHA512
bbfe463569de23223ec7f1d8edae869cd65f3529a552d6cbd00caade88b486c214467ae4811e89b283c6c148d7cab6c9d857e840a442c5c8d710882616109a88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
98dc5e809a3ce856534e39c4d2aea6e7

SHA1
5ea0fa79de09fb42ff13fdd2039dbb72257914c3

SHA256
77d0c6f5d37cb78954019073100b84c1470e9b4216d3a38614c107176bf6d80a

SHA512
d9a3b6193afdffb5a39a54b193d3468a713a9198d33dfda0573cc1dc95977f103321c30f047412f5d0d82e431d1e7776104df14ba934d51c9d3f42aa503f1c9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore.jsonlz4

Filesize
871B

MD5
1d2ef6c6c2c00c9a8ee310afc7949edd

SHA1
b1f14ebf1c0285f90551cdf5fdc322d2232b7ad5

SHA256
27105dadb9fa05f3a550bfc503a6a40ccaa32a88759cfe7290683db9c3202fb1

SHA512
72c0f4f0e36f392a0900af247db0eb5fcaa7d4e85bc713e0ed1a17dd89e3a9867c4fc7d673eb532f39d7df176c29a302ae7c8d54ad7258db6a78618f33223c65

Download Submit