hxxps://www[.]kinitopet[.]com/

Resubmissions

11/03/2024, 13:39

240311-qyfpzaca6s 6

11/03/2024, 13:36

240311-qwe1naca2w 6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.kinitopet.com/

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
69	drive.google.com
70	drive.google.com

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
2136	msedge.exe
2136	msedge.exe
4844	identity_helper.exe
4844	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	firefox.exe
Token: SeDebugPrivilege	2916	firefox.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2916	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2528	2136	msedge.exe	90
PID 2136 wrote to memory of 2528	2136	msedge.exe	90
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4564	2136	msedge.exe	91
PID 2136 wrote to memory of 4800	2136	msedge.exe	92
PID 2136 wrote to memory of 4800	2136	msedge.exe	92
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93
PID 2136 wrote to memory of 3984	2136	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.kinitopet.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb190946f8,0x7ffb19094708,0x7ffb19094718
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6780 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6654913562414254166,2266035554725503152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:1052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4928

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x300
1⤵
PID:812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5896
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.0.2133634437\1735085284" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf6e3278-4471-4994-a05a-33bf001f10c1} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 1964 278f43e0158 gpu
    3⤵
    PID:5652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.1.1414370934\1298156536" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {422bb6c3-cd07-41d2-934f-3979bf6f75a8} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 2364 278e7970758 socket
    3⤵
    PID:5284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.2.1698479357\303717744" -childID 1 -isForBrowser -prefsHandle 3340 -prefMapHandle 3328 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4241958c-4f71-4b9e-9853-343c2993b9d3} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 3520 278f82ded58 tab
    3⤵
    PID:1348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.3.1814924487\1221081197" -childID 2 -isForBrowser -prefsHandle 1300 -prefMapHandle 2508 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29439009-226d-4695-8f4e-29ebc2ef5ad4} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 3184 278e7960d58 tab
    3⤵
    PID:640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.4.1903493639\304588865" -childID 3 -isForBrowser -prefsHandle 4308 -prefMapHandle 4388 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e563e0a0-7628-4f5e-ad07-ce1a4ab1ae1f} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 4300 278f9606c58 tab
    3⤵
    PID:4264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.5.2063128237\1023965723" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4984 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81bce63f-a965-427e-91b7-9c1e014b4987} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 5196 278fa00f858 tab
    3⤵
    PID:1732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.6.1312394489\139060678" -childID 5 -isForBrowser -prefsHandle 5336 -prefMapHandle 5340 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72d08eb1-750b-4679-90df-77cf0fd7a4a7} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 5328 278fa8d5758 tab
    3⤵
    PID:5996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.7.749147461\777559307" -childID 6 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {656c3d66-b7bb-4d5d-ae80-eb6e260392d0} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 5516 278fa8d6058 tab
    3⤵
    PID:5988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.8.683585131\8009064" -childID 7 -isForBrowser -prefsHandle 5336 -prefMapHandle 5340 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e726647-917a-4db7-93a4-7f71bec2e348} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 4844 278f462ab58 tab
    3⤵
    PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\47b48753-9dcc-4c77-9ef3-6107012db724.tmp

Filesize
12KB

MD5
25308005aed4ca60f246b31087f12da1

SHA1
13f21d235d1fc193caecb1bad185d05918092a28

SHA256
165cbf41cd6ca146edde57cca5c827f71c7ccb9fe19c4105b78749df594c2a4a

SHA512
16a573ec260386ce733a16146dd8478e5c01d434acf722ae4c9c3aa24f92672c212af754625cfd73c12c9b26c74b4d14ecaf8bb7c99e72eb8418f24620e4107f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
19KB

MD5
af74c295f992a12e72382402d64f4777

SHA1
78d551c9e50d4949e259bfe9cf3f25abfc73a8e3

SHA256
ce12517f8fb9def470b9541495a592a330033615dcd13a8ecafdb388bd266c1a

SHA512
17b98d8e4e5ca2eefce8c43b4af46beefc85e75847f1b7eec934384e874a58c949f18106aa2f4baa7b7987e7383c164bdc67f2b4f6cf9289afae3c0182cdbbcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
a88cfaee53a240d52bc6a1cd76233e8f

SHA1
4f79a325af44265a04eea6ffa968ececec6b57a4

SHA256
d6725dfcfa0f81b8399bb8dca8ed856739e6a27f12d138083f12c62222741c5a

SHA512
b9a014a028dfe9d019396d34223b65873635c9a8bfc5be187ff6dfca9e2c905f692e001d4189168cfabb85c1537566d97ef09869406ee103cf9321d94639e5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ca37e67b6dcfec184fc046ed5e985010

SHA1
184eb913bed0ad0032296911d269102389010607

SHA256
b19afa132307e56f25d6fc116165954347b599f10ef5e4329bb7c3004ae0cb99

SHA512
568362c2f6fca095104f540c935a1060550bab9b519270e0791da950c5bc92976d3f2277bbd7644a4ad1fe299ce7cbbf550b80587f8454f30738f31d45b22ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
33d41a9e7ed1b795382bfe87a813c4d5

SHA1
1ca739560b528cc195c9b9b2c9f55522d21f5bb9

SHA256
f435f22a2517117cb07747e68f0baa09e0775b1962ff4114a0e6ee04986718c1

SHA512
58f8a04030356f61de795cedf355a07bbf146d18468ca65c27366f2188ee9b52845a9d1b3b146c0c3bed94771b4d940fb85e64344497f38d00f4b862ffe19534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52c0297497aec41baa1c76721d862de7

SHA1
2b9afa0c2f816dd9d64499ab502a0feb1f4ed361

SHA256
548b295cfcccac5ca6b2446c7d88e6390710fcb9c719b3a74a90fe340a35c241

SHA512
e134f4113a5242a8b89ec56685034dabe4075cbe5d24413835c56b18ff492c7e1a5a2728d48f3522b02473f12f9c7552863153c89c1d5d12e7c39fcaf8d8fddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fde8c1e202cfa99558cb14b3cb43971a

SHA1
ffd1151c92100d053645234ad576bd945deff760

SHA256
7bfe99cb15c696ecfcabc1bd0f237455c04e2cd3d26204c8296084a1366381bf

SHA512
3bdc9d74a78c27755ec27a5daec354e24ce1d60d49e41fbaecec31d9699a6a1dab44d6651a9f2bda4f0294fa4a947aaf834e6abf94b62a8ad43ebdd953976e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9f39b7cc02a2bfe0f902085044f1ff23

SHA1
b144ec39b34c2e0de1096cbf372abcda89e3571e

SHA256
1e390a5096f346b9c35b0e47fb595cb9bd9b03709c53ee2659abff0a4611eae6

SHA512
88dc8ffc61a7f105b43483be4d98a93e4aa098ae0d870bd2cf992618e3ec1ae1e071be580068fe7f9f74e4803c27e757f19cd4a0903e9ae4850a768c3929a65a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bf030bd62d7864968ed14a01df95c2ee

SHA1
5aca406e20cd2613b09ac62ace0346302e8ebc65

SHA256
f0a4b2526d9f6ba9d27cd42267d1889a6c36a439bacbe2472cde644f189d9310

SHA512
116bfac192a5c91dc3284884fcfbb8340a65d92b16ecfdb5902d9a5a1d1295217a559b94eaf325de99f7eddf09a6e597a57ff51d9fc34a5b1a49e82164fdc3e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bdacc99163b1aa917331c6f26700c276

SHA1
cf5f544f5436b6fbad8adb3148e43e2a9dacb94b

SHA256
6b6973a98b054c03faa3a27c50fab514d98a81e213352292107df83e3e7db32e

SHA512
9047b27416ed8369ec95ce1d9830cddc88e350b66c95e271e186bc2c78c8c9e49dbf98a3799493f0803a6d3aecfc76f967088c5b31f67f9aab6bcedbff6461e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4ead9dab7b9e5cc816d908d4f11a4a09

SHA1
d73ad6ad89346eef39dac5353e65201ef4f11456

SHA256
b6369485c19f8af0b781db9ebf800f3914c4d31e212ed0c18558e0bf8462c1f3

SHA512
e9f44407ea2b4a6623c05118c11e967974d9c3e66807224f4257de1f7cf22b039c8c5547afd5ba469b0baf1fd079bd2603ebfb27a37af091c5e5b081b33c06a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5172be2fecb5d3df75778c8d263a3a61

SHA1
4a68ae10684daa28a278e4642861aacf43a09c42

SHA256
3d81335c1cb5a1190f5d018a7a3f8081f23916a0dbd66ce57cb70e200ac81918

SHA512
c3addaeda212d1bd90e88b57ffcfcd0f35d0398b2a17963f900851469ec47e8424139c4b0aa99bfc344e16b9d23c802754d38ab616f9fc979c3572ffa755bb34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b47b.TMP

Filesize
539B

MD5
d118286e0bb2f6291ff2f488d0dc1f97

SHA1
f20996d1fe8ed09fd729cb1458dc86cd412f4147

SHA256
86b4dcf1368d1e8a2b54ff109edfd2c3586f77bc24a668c295c4659043b832b1

SHA512
2a776250fc2bdc60217fb74c519a45e87ca32b9bf026579ccf6c50bb9c51ce01133532e74d1f2378d34e399502504d2250456ead829000e267e4639f1bd7aa76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1629c46aac5082386c48d638579a19cb

SHA1
20d764f5c0271ded33943096595812bf84d4c89c

SHA256
6f7030f0cc84c3503c18b331ffa8c372b11c71b67a79aa408a2e984a67b68678

SHA512
f7205976c83002cfda1fee578269030c200edce7550ce0d318cdda070f667eea46428c3f7b213e7061965e5ad43ae70c2c7bdaf5162ca13932ba360c0c49eff8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
edae5bdf7133a6aed85371dfe4814405

SHA1
2b73d6839802b3c30cc8a3b58ea73c5c77b5f31d

SHA256
1bfec8d64b42a2cdaebd498047215c3f9a54c4add6dc27ac09242b121bf68106

SHA512
8c769d7bf06e7a23c148f87be318b3a9f22613a3597fbfb92da90b9196c7833f85a1cad1899a86a4c6b83f97b49894dda9e919f4c66ffd46d09f0d417a020269

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\3cf792b1-73b4-4ad5-9146-4bae03c0abbc

Filesize
746B

MD5
e7c04eb69c2f105c8a168ecea28c5fbd

SHA1
500375df31f82d04f7e6fc385aa0e3905cb857aa

SHA256
8a691590ff35750c37679775c542afd0ec284680d77ae22e741c2b52ca5c561d

SHA512
bb0e4b320a5e1cb4ae9a4321216b20185a41dc602f6893b9d54de746adcc25f156607d67c924c335d354976e865c3ca9f4ff800abf536f323350541edb36d829

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\85ba4ac6-65b5-49ae-bad4-6356ab243aed

Filesize
11KB

MD5
27b9720746a1e83f0baba02349310a9f

SHA1
7bb56b86e30ad6443a729c159a2d22ae491f6340

SHA256
286ae687827345ce3fa26e85e4d1b60810c628b4ca665d7bfb11f05b93e152ee

SHA512
b177b6536992492a23cd0493f9cc5a78eef7bea83392579c5036b7e7d6610302ef76c52360e398e89834de372148f78f02db8278e1e23a6247fe0e852df7df21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
6KB

MD5
1e41612dfe9dce8dc3effbecb0a0c8f6

SHA1
93624164187bfd250559e87bad3b733a4e5da670

SHA256
63eaa2c58d8ef68b456847f9ab2362d190d98d53dc5803c3f6a6506a813a46b3

SHA512
4456adf8e4b23c56c314bc77ef8929be1dc1cfb547cd3f60431a3fd4d19157caf1e6480b57df20d0bedaa7aa06d73b4df737260fc54db22a6db7afacf91b96b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
6KB

MD5
2540a5f33151b163acdd1bca00f761a3

SHA1
8993ccf6bf8e0229dee219b914bc1d2cacaf91be

SHA256
2e915a5cf8feb009e125bd3adc337213afccfef6e19b19b09ed0b92be457db47

SHA512
cf8e2605c2fc0e7e045213a7d6df9e74cae6d9a9356a57f772c3c55653baacbf781602a4f0767007af6e7af3093b52c2d66df948f4f96f7fbbb886c9db96c6e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js

Filesize
6KB

MD5
80a7aff6c2dbbf00438eead689d2a40f

SHA1
be12323cd917885c20ac9f8a3deefa075f2e6d59

SHA256
d9ce42719a3ef6041cdaf1b06d099f4f1a7af4eeca941bd713c6f0dc85732e0b

SHA512
332d97cb2c6ea7c3f680b20f3f1444d07bf04563238cefe9b57fe10ea3f906131a17afe8e930cb2c2b94488b20510ea058e5bd6dc4533378b1f2a1807b2f6af5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
59c1121f43f17cf09e8148be77910184

SHA1
c3068f666cd24ea0b4b48f2e7ac50b24b4c94ded

SHA256
861e090be1297a29bcc974105a3d858c818d3b2a346673324d1219efaff326bb

SHA512
40fbfa76fae2497fffb1292e1ebd0e98e32739af16f0388977f875b7b2a5a9c815e5ec645c9c638c243a61e2d0d7d5a4f21727bd039e27b4da2e182a01926c48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
77321132ea0b97a6225d570a07835493

SHA1
2fed9553d0082eabb3996d6a4d27470e363d4cd8

SHA256
061c1116645459f441c7f74624a599da96d97710f356baea2721622d4c1b8cde

SHA512
39bd8c45275bd590532d196874051546e236036e8dc7fed5ac5764751a3a275ffe79e7b3b74210a015f7f8ad773318f9ef6231bc0c3b136d9a70ccbceea7cd77

Download Submit