hxxps://megadb[.]net/download

Resubmissions

12/02/2024, 23:57

240212-3z2p2sef4x 1

12/02/2024, 23:54

240212-3x67raef2s 1

Analysis

max time kernel
148s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
12/02/2024, 23:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://megadb.net/download

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5020	msedge.exe
5020	msedge.exe
2500	msedge.exe
2500	msedge.exe
2436	identity_helper.exe
2436	identity_helper.exe
1572	msedge.exe
1572	msedge.exe
5532	msedge.exe
5532	msedge.exe
5532	msedge.exe
5532	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	firefox.exe
Token: SeDebugPrivilege	2380	firefox.exe
Token: SeDebugPrivilege	2380	firefox.exe
Token: SeDebugPrivilege	2380	firefox.exe
Token: SeDebugPrivilege	2380	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2380	firefox.exe
2380	firefox.exe
2380	firefox.exe
2380	firefox.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2380	firefox.exe
2380	firefox.exe
2380	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2380	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 4708	2500	msedge.exe	62
PID 2500 wrote to memory of 4708	2500	msedge.exe	62
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 2052	2500	msedge.exe	79
PID 2500 wrote to memory of 5020	2500	msedge.exe	80
PID 2500 wrote to memory of 5020	2500	msedge.exe	80
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81
PID 2500 wrote to memory of 5088	2500	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://megadb.net/download
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca0153cb8,0x7ffca0153cc8,0x7ffca0153cd8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,2555178073854099768,14645511176052691290,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3460 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4504
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.0.65728948\1222074269" -parentBuildID 20221007134813 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84c310ea-9c23-4244-bb1a-99a255860fc5} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 1884 223fe9d0758 gpu
    3⤵
    PID:2160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.1.1636690523\1979425659" -parentBuildID 20221007134813 -prefsHandle 2248 -prefMapHandle 2236 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8046aa87-ca6a-4a85-9e81-21e06f66d747} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 2260 223eb26e558 socket
    3⤵
    PID:4296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.2.1992438577\1342920667" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 1628 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f1ef263-cc99-4034-8963-b426ebc18566} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 2816 223fe965958 tab
    3⤵
    PID:400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.3.1497281146\1014301956" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {581a7b61-c905-422e-a1ad-c8f516942b41} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3476 22384923458 tab
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.4.1024208198\260477980" -childID 3 -isForBrowser -prefsHandle 4532 -prefMapHandle 4524 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe0d4400-b33c-48a2-ab79-22d3e24e9150} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 4544 223857dfe58 tab
    3⤵
    PID:2920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.5.689747369\128952743" -childID 4 -isForBrowser -prefsHandle 5160 -prefMapHandle 4796 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61b62e33-24f5-4b4c-b234-16300a7ef98a} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5028 223863f3958 tab
    3⤵
    PID:5288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.7.1194603185\1933634582" -childID 6 -isForBrowser -prefsHandle 5480 -prefMapHandle 5484 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {086bb3bb-7f61-4dde-8ac1-904e355acab5} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5476 223863f3c58 tab
    3⤵
    PID:5304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.6.1211012961\1674325593" -childID 5 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {903b52f9-9e12-4351-9440-d940b50921da} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5280 223863f4858 tab
    3⤵
    PID:5296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.9.131236520\1874396789" -childID 8 -isForBrowser -prefsHandle 5984 -prefMapHandle 5988 -prefsLen 26379 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9a7f38f-6fca-40b6-aff5-474bfb1c0012} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5976 22387747058 tab
    3⤵
    PID:5764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.8.1228365286\1180507670" -childID 7 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 26379 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b057007-385e-4f42-976b-c4a5f653e384} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5844 22387745558 tab
    3⤵
    PID:5756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.10.667735617\854560564" -childID 9 -isForBrowser -prefsHandle 3356 -prefMapHandle 2932 -prefsLen 26379 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4bb6eca-14d5-483b-bf54-b9f4578ab000} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3360 22387228b58 tab
    3⤵
    PID:5964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.11.1504803188\1432134211" -childID 10 -isForBrowser -prefsHandle 4788 -prefMapHandle 5544 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89549eef-4114-4c46-a17c-be2fd8e49f64} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5796 22387343758 tab
    3⤵
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
552758a7bb19b27354a76866861c4801

SHA1
93a74b56e5bb5aa86a53db413081b3ca7ffb808b

SHA256
53e1302ff50d199fd0002ddb9d4f66fd264b17e73a50e67299adf1243663530c

SHA512
13889bc4ffe240d8a7cf71ca0f2a397f33e38106116f38b5b8fa6c977187899d2d7084d606288f2892d14776460c2fe450adbeb93d2d200caffefe9919076fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
f90e15457d218a908fd2a626f75ea22a

SHA1
e7817df2315c02b6f071eca5fe77ec995b79b076

SHA256
98cc4927363095c843a1aa3dc43296fc91e30ac87e4d08e15c56454463a0b21e

SHA512
dd085b56b8442e6dfd618694e7a203914f4e7d447d3f68f76fea1175c63d485247e2f6563031d22b8ad8b852e43f4c1b7f62ae4c0fb96071592ed1ae6fee6aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
9eb6bd544f445fada3b6df6663c733ef

SHA1
af520eca29a4386024cb8f25e8ea0ece22fbe695

SHA256
fca0aa8a458cf048340691ef06fcc71e41bbe119785c6c9ff6fa535a8e0d7fad

SHA512
ab0f7553a10a4ed08035e8ea6d6aa740df687180a09368048dd43c90cf597e56a25b93ac868a6ce1ca126ac72c7dd0546e139e9327ac7c79de73ba1c4f567e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
55ac56a5e6d537ee7baf861998feeb65

SHA1
b0c84598e877c4629f1994a5751bfb2c497b41d7

SHA256
b7af60c66b0437dc8b36e95c0630d5400c800c8c22a4a437e34d39c9522d6f0a

SHA512
3a5b40600f6e5cd6785c29e7c2029edec7e1e8864ccd7b7648407c2231793b5fa2384787c79fcc835c335dba33df38b839b1cc169620a7229f9d6932f3c1bb9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
eef1c2795e6d450199937952cfc834e1

SHA1
4ea1535c37f70bd48485a3fd41676f447039714a

SHA256
6c9675acdf897a5ab44f6992eb0671a49e0538c790cfacbc3756d91c16810ca5

SHA512
f7a42cc5aaab04f18f5f4846a85f41161517ea053a269b9c2abf3de99e73bae2b8796f860fda4e633c78675d146555f3bc555a89b9112fb7f0d9655cb6882e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
e38dc8333a3de7bf8b8b6fec68faeb70

SHA1
a7d94cc869a4aa4ca88d884115152158255b2f32

SHA256
9e43648f0e2e8ef46fb4664c74a27e711406f71a8c38ee053fa2ad4b204b9ad3

SHA512
e7e3a788bf0d99ade1d6f5bad47c181327ac10109eaa74991857cb41b91a026c317eb911fa23d3c1046c3646ace112aad7f574ff980742afa3dd403b21ee46da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
520d4ba8336cd67b29708c5f584f9493

SHA1
50e0f8dcb5c399b40e67cd14d53684ea6dfa87bd

SHA256
225336721281789331c429175b43a4bc8e03809e82de4f9634bb808af348aed6

SHA512
f148eee4e9cfe73a71d296fab5a22a69ea3b951a8d27cc68188a0e1dbc6ff17943825c29a14b92cd772e311afd0bd2377dc70e635fa5cc936a65afc9b9637cef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2db3bbe982c3789869206180a1d9ae1b

SHA1
43b16d046d7c110f79b56d2aa3090138c9017bb3

SHA256
6b32beaccffa4f0f23338c7a89f939df9fa72cd34315edc2e9934f6cf7ab44fd

SHA512
db840002945b7792cf665aaf8c4be847509235ebce7684bc5d6fa099d0c57a1a2b64ca167dd801ca62205ac5b220a13316d65f29f8e34d90fb5e0e64ad970750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
63b6255b3f07d9e42bedebea98f2aca2

SHA1
40ebdc3a328e822aec42b2373d092dc73101342f

SHA256
51efbb488012f6ba9fd2182e4f57da8fe07e915e6b2c000fe96617c1d25d349a

SHA512
0e54c65fd7616217d813904524e84af94d966c93b9097053d0253f0e7111883f47aea07016b9d1096c6e6f877fe2c5754c035e82c6a5246418303da8662bf652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9fea99ee444a8ad2a3657b1367b6eb62

SHA1
e73586c731eebd9c55d3ebd0cb5abb03f2403ac3

SHA256
b0b43c859223b4df465c8611b0a32e733f598bf0eb60ff06d996d41968e32d07

SHA512
d1d72b898c9c7beb856b10eb45e2b96f95ec750f010ad87d34ed44021ac26ebe8bd04fa079e8a528f629e7414fb51a389f541b20f2ca739e41a0c5cdfe77401e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5a964f055f83bb73ec2228a02e3d184a

SHA1
d4117911e88d0e9641c1699d85127cfc00fe607f

SHA256
ffd2ddcb78f918742155f98e475ab4079d67ef95bd4f20b3f1acbfe099ee771a

SHA512
c8021ca92f3670fda19e41439558bef2ca4f20756f871668efe259b5acbe0c0a4fdcb12a4a34a06ffeff11d1e311507186c44a7e27eca69eb71bcbad8b3d26b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cec77ca6bdec19f7985e950800871ca2

SHA1
3a029498202ed607632159331b3a8c145133b32d

SHA256
3165417022f58be6afc1b441a53e3fd62f1141e7096c062c578efb922cd57a09

SHA512
dd3abf1bf3481a52fae8d5b88ed506f187a09fab91765d7b62772f10705e933de4791fa01466381ffb0b54d557c46063b1867ae0dd4f2d432f74157865f7403f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0706cd1628b39e3a0b254750c41ecbf6

SHA1
f8c7ed055a9bdfc6f64f121020304715289d25c4

SHA256
f460fb1005ba976b78254f2fe808cb6b3deeb8d4b8682a23ab170a32f0f2a289

SHA512
58eed3d28fdc9c4756e9a773f2c9b641978c037d02d260e8ee32fc3ac71ce77fbfc2a8593024009642231b3026acca3e1c6488ab502a3c57be0d9eaceec7c357

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\datareporting\glean\pending_pings\60580936-e3ad-4dec-9869-47f456c57155

Filesize
11KB

MD5
8c04fe2fd01a531d2045a7706f7ca42b

SHA1
9f036143ae2dc181e4621d5bb423740db84f742f

SHA256
dcd9be51a6f29b0213642a3de92e022da7556f007cde8c8b09b323ec9ef7ac50

SHA512
e0ebfac107a4ab5600d24249efe595b88a47cd977b81596885ee719e4c3d2cf0028822f965f8bbc19500068ebb5594290632abcfba4ada9052ef03404b981899

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\datareporting\glean\pending_pings\9abc583b-2ac5-4ef6-92e6-a5c66571dfe5

Filesize
746B

MD5
f6831d5ca1ac8e636b8dc9f211e5d110

SHA1
b8709ad2c9b07f0e5a62bb0dec897097380fdcc3

SHA256
f7f5ec3f69c5ec094fa021aa3b337f4474c17a9fc3e93580cb1656b0894f78ed

SHA512
f433a1fb33425867b2c297dab868638aa1dc74043cb2050aedd5b9d9940f9a375c7f5d9b3aea8f5aafdffd11045cef63814e7ed47e5ceaf6f10d5ee180ba5c7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\prefs-1.js

Filesize
6KB

MD5
d81e45fc8dd713731afedb1226b0762b

SHA1
93dea847739d3d35283aedc13d51f1cd6d1e8fe4

SHA256
0ae6471d2f205680fa6b4e436ed94e5c6083a0872b67b66f02fcd02b7a61dabd

SHA512
1f1d681812d3d88f38853318e4a2b1b49ab83653f213296ac90a26f0c523a417517ecee3c2f1fe375f5eac2c15abd640cbbfab3e58f89148826a8246d26a8282

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\prefs-1.js

Filesize
6KB

MD5
2d3d663b6236ed5ef71d577dba8155bc

SHA1
9ea38fa787e1f4ad91d6c496e7afe8260155c592

SHA256
7c4417bd47a65701bb5c50bf5d882157b75eb2ad2ac8053cc2c8ff1e79623624

SHA512
bfcdd7371c4b5b1e846b78e7d40a99937b86ea8d8bbb86f8284912bcb7d5d9d4f659a5380fa03ca8baf1b896441551106cbd20a323fc069c5f3ed19bc173b92f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\prefs.js

Filesize
6KB

MD5
f19dd0f8d6eb0d6c5e11b65b2a6898dc

SHA1
e3e0ad90a89572f9962a0ee1b5512183f8720fce

SHA256
d8a6656fc994e66a0c7c11f5a522b05076e45a4478de08e16747d4470a2f8990

SHA512
c9bd75b8280e4853f04933b7eb28120c487efc2d9170803a99f38eb7e7effcb5db2c0dac9c9f958c0464d0560b50fd87345d17011c08b8b88582ef19bcf5af80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
050f64dc34641333afd741d5503933b3

SHA1
61d27d9a319d24927e037bfb7d3d8053cd797fd1

SHA256
43acc2a7208e703022d87ab0d6a124f7c5a8408219e27767021c1628f9187e6d

SHA512
e2beeebe55795e64274e1a2c38e44333fc245a9c69d02e0b48f1804fed139de345b24d3d654dd695fefea52dbf2b20d1a18c8e72610b008a883d8a6a70378e2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
e5911f9959ac94fdf71aca393e15d769

SHA1
017a06ce6830792f47d560fc0fca5430cbd940bc

SHA256
be3b2e08fad9c69626a198520ff4e048b562169d40e463667a25921e4d937c82

SHA512
33b2159a8cc95b3a9e35124414187ae20fb0530f51484e41b6fcf2161e9c75437e44c9e7e10a8db30d1f7a0d0e56ff8026495563a404a89a710b4049f127391c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
10b0cdac25abb6e64c1281f0e1af3d12

SHA1
68e5ed29aecdaffd87681d444e14a3e616b27f43

SHA256
0d32eb424b8fd00ba765504d7a7f6d0f0463fa0415a4d7d827fd43ffed2385ea

SHA512
07a11929ecd64cef59d9ead0e41ae8a53ced211d03eec45b09cb11b264b6d1a789b449a16bcb77b025319fcc500936b0812c2f528153627b27428ec6ec718004

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
5407eb6582a59758a264c2730efb19e5

SHA1
5d86be82929c34fda3062c2e8c50ef4e6696b103

SHA256
5b7dc5f983f1a81c0d34cfa471f0a39c7aea8529ef4f010d7a163395d7d94c3c

SHA512
0478a41c146ecbe0ea72be4cab0f90d6e1fc554ac18d15c4ec62a7f0548c6d5facd062e2b412064805e7bd392b30e850f1e3b4a4b906a4ecf730d3c4ad4b8ff9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
eff9e68e15a1648d66edb3dd8c4ef4e5

SHA1
4c58d1f5174b49293da80de214b39602f8d58a08

SHA256
af40bc47137b5f75d6cb5423fec020c43b0bacaaffa885cc09650978025e2072

SHA512
d9504c2f061f659abbd452ce45d92b16367ae63ff4a1db92640cdc80d71c843798241718706fda228306c925b57a6ed669ce806f512a3d537bc57d4136fc665f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
d440b31fe2a452adb90dcc10cb29abcb

SHA1
ab60f380f519cd4576fec8c9c1118bbd81dacaff

SHA256
d30eb5bdc30728cee15efe5cc31600872cc00cd84cd77e0eb3c6ce7baae94a92

SHA512
1694596e8086ccedbe91d5901023b7f4a980a73346a4e10f6502cc499812758cf3741176508bbec24478de3bf3fd83dc9f3bb05e8b12adfdced57062712b65b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
27b285767579cadb0fec596a401313bc

SHA1
9cb5e641e8ef8e6e22e3e05d574fe8024b76fcc7

SHA256
8a9b79e1ddb0d537a3dbba3a1b881781faa859dfb8dbfbffe013eac5b96b518f

SHA512
3319cd573a342decb8255d3551d859554ba64bc1dddfbf1936080e9254e35164c63624c4caa16ea5da15a7b241c53b3ccb3fda636faf1dfee6f982a65e80b6c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
a7de09716125a1d3fade96cdd0c40b4e

SHA1
7493f3282411e4c03a59eeb757ee0f9732886276

SHA256
ddfc40fa5fa98c624958ff22d1f712284f887ebed3f6383b6f2c5a7d6cf72a9a

SHA512
57e5ca9db1b0c818d70c5924b42444628aaafc25e58180e97b20541c8fa89f851a2de29c02962c19cf11be58c63f707b2a929def7752fbe649bdc9e07f55a170

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60flkfpx.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b16764ba3d5c71ce2be64d785b2c5ed8

SHA1
cb30a6fb2a8bbeba6bd22e36c1bae6d9d50c6bc1

SHA256
c3fbdddd99610f87a9c8d7be2723a8bda11edd306537da0d68fb033e68ff9556

SHA512
ce496366f7adf1d3f2ce86645ae1d1c84998f86f9f91e1aa980175b6942b1ad4edaae1a17391771408e8396fe0f7cf5946c56961de5c40debcd1091be8a6020d

Download Submit