hxxp://metafastcare[.]services/--kTZKZzEfXbPBjF911vNGGqLdcArdijwc

Resubmissions

22/11/2023, 00:34

231122-aw1pcsab9y 1

22/11/2023, 00:32

231122-avm2waab9t 1

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://metafastcare.services/--kTZKZzEfXbPBjF911vNGGqLdcArdijwc

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2152	msedge.exe
2152	msedge.exe
5996	msedge.exe
5996	msedge.exe
4164	identity_helper.exe
4164	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3220	firefox.exe
Token: SeDebugPrivilege	3220	firefox.exe
Token: SeDebugPrivilege	3220	firefox.exe
Token: SeDebugPrivilege	3220	firefox.exe
Token: SeDebugPrivilege	3220	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3220	firefox.exe
3220	firefox.exe
3220	firefox.exe
3220	firefox.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3220	firefox.exe
3220	firefox.exe
3220	firefox.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3220	firefox.exe
3220	firefox.exe
3220	firefox.exe
3220	firefox.exe
3220	firefox.exe
3220	firefox.exe
3220	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 636 wrote to memory of 3220	636	firefox.exe	86
PID 3220 wrote to memory of 4072	3220	firefox.exe	88
PID 3220 wrote to memory of 4072	3220	firefox.exe	88
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 552	3220	firefox.exe	89
PID 3220 wrote to memory of 2516	3220	firefox.exe	90
PID 3220 wrote to memory of 2516	3220	firefox.exe	90
PID 3220 wrote to memory of 2516	3220	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://metafastcare.services/--kTZKZzEfXbPBjF911vNGGqLdcArdijwc"
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://metafastcare.services/--kTZKZzEfXbPBjF911vNGGqLdcArdijwc
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3220.0.1520179117\1549990395" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c371d4c-a383-41b2-bee2-c8dff46c98d9} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1960 1d90f6deb58 gpu
    3⤵
    PID:4072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3220.1.850797323\917484096" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ec3fca2-6afb-48c8-ad36-67da63c85669} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 2384 1d90f3fa558 socket
    3⤵
    PID:552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3220.2.820597635\1624065434" -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3172 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17b3f9e7-8182-46b1-a667-9706f87f664c} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 3164 1d9133dd658 tab
    3⤵
    PID:2516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3220.3.299154024\1315425502" -childID 2 -isForBrowser -prefsHandle 3768 -prefMapHandle 3764 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8da7500a-4a7a-47ba-a9ff-ed1eba75ad04} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 3780 1d902c62558 tab
    3⤵
    PID:3412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3220.5.401481264\1400408727" -childID 4 -isForBrowser -prefsHandle 4956 -prefMapHandle 4960 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afc5787a-f7ba-4c68-be0f-f75b289fe694} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 4944 1d915957258 tab
    3⤵
    PID:4668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3220.4.836269129\503313779" -childID 3 -isForBrowser -prefsHandle 4832 -prefMapHandle 4260 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a99fa1cf-0ad0-41e6-bb93-78dc9b400bab} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 4820 1d915957858 tab
    3⤵
    PID:3032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3220.6.1681475752\1537315879" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e44048be-21c7-48f7-94e8-403be43cce50} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 5256 1d913389558 tab
    3⤵
    PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0xf8,0x130,0x7ff801ef46f8,0x7ff801ef4708,0x7ff801ef4718
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
  2⤵
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:6408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:6688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15847931046320910083,2672937236055789302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:6696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
25KB

MD5
e54111166e8f0a563aa8d3074909a17b

SHA1
84109786dc2f2d9ff76ef1660c04e522f4c28605

SHA256
486f4d6950c16f5d5ecfaee686c78d7f619a5c66afd5d97a9125b6d0f160141d

SHA512
3ef5594e048610c8a2cce392db1726b979b74aca28cb4c9508ab0486c70716989a1bda27c172207d5a0ec2a21aff06ae53185cec115bd033425b886e8291082a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
a57f912152f8bca15c3e328cf2c1135e

SHA1
47f3f5593336552ca5601872effa6db97196058e

SHA256
5249853bfbe89bdcb9fcddf9f977ba94446694da6f975cadb2b2135828fb7875

SHA512
fb5ba7e7daf7ef81aa55d32f5cd6c817a151871b86246f745654949c5e4ca08280af6018dc5d0b47efcdf75e830a539b1a70773d00391d19e315dd3d90259354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
69b19c6ff108906787041563fde29270

SHA1
289b39ed6995fe957c3c05d2f776c3745f6ef27b

SHA256
852a3159708b7aa8a23f37fd975c77ea3758d7c7647f00895cee92420da1e731

SHA512
9bdd0e9c83bfc4b0e241cdbb8e92a407a09fa12fcfb09c0747fd40c7f568e35ba0d3f483e786b33677901224085dcc887a02ea5574996dbb34b2c96fa1c10874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d991480cf003ab3ca83ba6c3de3c9a68

SHA1
7570e9347236a9f748616b67b61213542187b2a6

SHA256
9e9f74b37c603770619f4be0eaf33fcc2acda3fb1ed517efea66caca2dc8971a

SHA512
0440b444cade5acb0f7180af2be4802f26a92fae87a948cefbb6e26f14e7a00d2b9c26d07c4ff1a840059ad1c14d3a5a288e7aa68c8b077696ae669a5ea671dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34c58ca6d273f1438e9cecca985002af

SHA1
b90b1188ab6688414f800887c73bad551fbe4eca

SHA256
3b08e1e6f7c785c5f54a8ac1cf2ca94ed1a6ba2629fdbff3b4eb6bedb523dce8

SHA512
c3dbf60f680f812608d3a9e3a8a095a2e0a736b244c39c63f162ec1d6572bef150e4bac3570eae2341941802b484779741ce504c2c08b5f9dd18a37a7c06c4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac88a1a8debf41191439ee35adcab561

SHA1
3f43ca276857d955b37a92126ca00ddb41e5cbfa

SHA256
b39ac00641fe15e0d64e644f3aab6dbfc2b864319b3e0de0104a19d8b36ab7bd

SHA512
14520b367b4859631ee1f21a18543003fca31a096427e33b3b101eaeab35e1e313889174e10d6da79d148ae71f1517123110f8da45fac8609ce5e4a36b1b4e2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
20187c240f4046f147195b2e9c6f54fb

SHA1
8154bf6e0e3b46ba3cbb52ea4b9f8b73bef24a7e

SHA256
7de9c02dbda1ded0094cf3b0ef68ad5e735cad8099df787e3dc93d280e59ed18

SHA512
e036dabcf4ea69e601a58d012c693d8c1a931e57ac3822561e8e7df5c2091fac2232efeb9be1b58c4bfc10694bb305a5d3e608e5bba7845109e0b76d17785df3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
1e2cccc08bfb6aeb569b981cf43fc68d

SHA1
4285f63be4e8941f2476eefd1c42a950212d82fd

SHA256
a8fbc8563784b1359a6667d7220f528dbbf3ac3f2e792d11a43623eee0752e22

SHA512
d2fb2c17493ac819e674e593d0f279df21245aeb2b4277ed2f251202cdd92d9a758c16d38ed36f424ea661b41269b6b8d82036301449aaa2563c27ab0259482c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\cache2\doomed\4555

Filesize
1KB

MD5
a016da190490c526f590f2d319c997eb

SHA1
7a84462cf4d1d3f961b9bd51d07019980861f502

SHA256
cbc156bb5b194d737042d5969e71153a9fb4283dcf66fbfbc39338d3531c9bdb

SHA512
ebd7f20f5de8d8bc0cfcb4825331d2795712b3eef79141ca85e808193af1ef6d2c48835ca9b4c7b805b39cd3469009dd2e172e61e2f33c0a2847b5034164968b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\cache2\entries\577A586685F8D27BD5B926CE96132B84424D8EA4

Filesize
13KB

MD5
283c47a652a3170082c32d279e9eec0f

SHA1
60bc0a2e8a6cb62613fdc839dce159a66ab3a0f1

SHA256
cf2ec6f6d826440f2b7e5c014701d0e90647e73b6a0c2e23b50b96a3335d315c

SHA512
04524f8cf544484f82461c72e7850b5290ee8e8a894f69e198de23d1ea741d2131340e78db85beff8e032a5ee77488c247fc5cc8ee4c953d8fb2c5836ccd64e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
bbd1569cc4f0b88b8fe506edfcf134de

SHA1
de19d461b266ccf4dd83999c2273a3ee64cb8298

SHA256
011330cd644fbc5a9c4bd5194788594055771b845a51fb4fb563bfc4a5d084aa

SHA512
8c65fba490f578f4955eacebb52fa363bb77fedf3f87c25a29075abf9a32fb45f39bbf9c001aff46491372ee168139e662369c1c57c9f5c230bceb6e14d46200

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\prefs-1.js

Filesize
6KB

MD5
6b1fb510f2cd1553f0209ef2ab7c5eba

SHA1
eaf4c8e73442abbfcbbf5c4bbb42866c7e3b59ab

SHA256
58af1fe822d4a931aa916803c85dcaf15e2ae426d94a64468431e2699487b78b

SHA512
fd84f41d1c0f06d5b6f9437802b7ba9966fafa83a2a1bddbe36e86e5fc6343ccff414f62fefd984ea020b241148af256393a3bc7e9d901197c75ce299d1377b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\prefs-1.js

Filesize
7KB

MD5
02d6320c3b1321ed841ce98e7035e038

SHA1
ffcacc5f2f39e7dd1c4f152b095eb370656667dc

SHA256
3c328bca0aaeafb04f9d7b414fd6ede8ced2a741d46f154d4f327f0d04ed5db8

SHA512
b25b9c99d4dd4f19854ac4bf85b7da138158cd32340c3d581e1206fdfc49c0ace06f0feb151dce67b2b6f12220261c79791bf33eb9e549f0ea8435fcd639e36f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\prefs-1.js

Filesize
8KB

MD5
0fd7c277670e53f76df9b0f779cee93c

SHA1
c9a6e76c01f8755d877ab0025a3f4c4cfeb60bc1

SHA256
a4b19247cb3816ccb998d7f4328078c415edf015c08c816e8e0fec09c7cd840f

SHA512
032f891b046469fb79b02d849b9930dd971c334e48d2bf34158e3fefa0334bb24dd34674081be0f34c2a47dc428f5b9fd333a2b1a81912a772148c32f0d43a4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\prefs.js

Filesize
6KB

MD5
d4a251135d5f5e7c56fbf647596af839

SHA1
de3afcdde512480044f5dc9bd8a8f0e22d1405e1

SHA256
297879f52b55200770990a7a7192b3394c839a1a0f2d14a8b3e707f63bb0924a

SHA512
1a1022c3b1d0e0431efb5094c3e33677e376727bc7a637608480af5cc06413ff97cf03003e2fc39677cbf0d3ea0ed43bd2f99cbdd925660812b358eff1c76e12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
34KB

MD5
6be7feb22b23d1332417b6afd7f5b063

SHA1
fc3d33fe106bee12ad946c25df217206b639fd0e

SHA256
6f908a04161ffe959778e47098c8d36c5681586191c372dec09f3ee53e2c523f

SHA512
852f224d7a3a638eff21f948fb85f649df4ba21c595289d27f7248b94f5c4d5082df466a2a375245d52b93243b6b115694181408c6ba2d6cb6794a6f46e42140

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
34KB

MD5
31b3274d456244b7a3beac4a35d1c2b6

SHA1
5d8954b633e6d696d4a120799312e815efbf8426

SHA256
6058f3dc744fd286fec7aab2bd46d5833189811a0496e916873b45baef38c8ec

SHA512
52e293afe50885f1b8da31148a0e527c932dd216d20ea1c427b7944c69468f77034f3ff60afe8e454a0bf7bfa790023f0c857a7f68a9841653897159dab66662

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
34KB

MD5
b9f77a8885f1d14cd670d976201b5eed

SHA1
7757d317a559ab0e6c0f7f9e64a5ac9f43978900

SHA256
8cc28160c8662bd10209961732414885439da61902b1122e6f2e0a15769d3040

SHA512
2e4d9d178ea83f912fb6d14e8a2647c3d117e5a59ee382db66021cc5cd9de276ee44597b78f35d9d44271449b6c63c73d6b553b3705cf7b0c0534e190d596623

Download Submit