hxxps://bonosbevvy[.]com/imEi2O7jwqr0/73384

Resubmissions

27/03/2024, 14:55

240327-sapzvaee54 1

27/03/2024, 14:54

240327-sabr8aee49 1

Analysis

max time kernel
264s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bonosbevvy.com/imEi2O7jwqr0/73384

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
4964	msedge.exe
4964	msedge.exe
4612	identity_helper.exe
4612	identity_helper.exe
6180	msedge.exe
6180	msedge.exe
6180	msedge.exe
6180	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	firefox.exe
Token: SeDebugPrivilege	3128	firefox.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
3128	firefox.exe
3128	firefox.exe
3128	firefox.exe
3128	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
3128	firefox.exe
3128	firefox.exe
3128	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3128	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2804	4964	msedge.exe	88
PID 4964 wrote to memory of 2804	4964	msedge.exe	88
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 4760	4964	msedge.exe	90
PID 4964 wrote to memory of 2892	4964	msedge.exe	91
PID 4964 wrote to memory of 2892	4964	msedge.exe	91
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92
PID 4964 wrote to memory of 3576	4964	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bonosbevvy.com/imEi2O7jwqr0/73384
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8ad4846f8,0x7ff8ad484708,0x7ff8ad484718
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7550538335550451453,6511528019117089160,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5452
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.0.1406613893\263810053" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1856 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f63d330f-50f5-4829-9960-95f3163844d7} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 1980 2366cbf8958 gpu
    3⤵
    PID:440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.1.1977325451\2009208366" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b2d8de3-d8b2-4085-83e7-bcbf16ad609d} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 2380 2366cafa558 socket
    3⤵
    - Checks processor information in registry
    PID:5156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.2.748687248\762642958" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 2900 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4df987-5a72-46e0-aae5-5ec0b8ab8bed} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 2904 23670cc7558 tab
    3⤵
    PID:6008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.3.74724752\973912480" -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbc00110-cb52-4210-a1e2-186e645b9720} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 3648 2366f3c9b58 tab
    3⤵
    PID:5964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.4.378553713\1666507474" -childID 3 -isForBrowser -prefsHandle 4676 -prefMapHandle 4672 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec0b5233-2b12-4a9c-b0e2-e94b6588d6c9} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 4688 23672e57658 tab
    3⤵
    PID:6276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.5.1183425059\1278961617" -childID 4 -isForBrowser -prefsHandle 1724 -prefMapHandle 5080 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6059e7d3-76bd-4835-b0ab-aa86b7bcefe6} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 2948 23660366e58 tab
    3⤵
    PID:6732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.6.640767272\1861381414" -childID 5 -isForBrowser -prefsHandle 5296 -prefMapHandle 5248 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81bf669c-55f7-412c-9b30-f45ba806afc0} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 5284 23673a83a58 tab
    3⤵
    PID:6752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.7.11069868\119823656" -childID 6 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b72b511-1d0d-458e-88ad-3016220455ab} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 5368 23673a84c58 tab
    3⤵
    PID:6760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.8.32347726\2041146635" -childID 7 -isForBrowser -prefsHandle 5676 -prefMapHandle 5372 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b034d833-cc2d-41c2-bc22-378d2a58e7a4} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 5580 23674532558 tab
    3⤵
    PID:6768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
190B

MD5
bf4072f178d5242c5781510b22dfcff0

SHA1
56b4f1b44945c22ebe874fedde4d3080546b5dee

SHA256
ae2a8c83f22cab93043de13c954e5e1ff30915fe8139fc07f66c7958b6efa207

SHA512
b2aa160bdd65089d7c3f2a68d94b36b529eb90b1da79bd0fd32198c93f9290be5b078ce0ea2341a7729983ac66a190596d200a16030d0d486bb8dd955a301ce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
849861f42ee65273ec642f8284c74693

SHA1
cd4cb49616fa05f43a2337010a4dc4a9c7aedf5e

SHA256
a0bfd6052485073ec6654f9dac0187cf5b4fde083d36c1aaffe80612400778a4

SHA512
5d3a4be421212ec5336a6927daeafee4ab4567a1285efea66c864b75cf58d7aa1361774230d88d37eb689209498993208d8a2d93def535833d88b12b328bb249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
75332cb2ca8cf59a8f0de036c80656ec

SHA1
9be56b973417ff86dcf4eead08b479ddb12cd59f

SHA256
a12cb0916746d80b3a325451d57c359ea9f36635997668bd951df639b27a3021

SHA512
5b4805bc8470074e12d7aba0155e62851dd2fb84ec042ee76ede0631883a92d01d007db355b41110dfde27245711fb5addec30bbb9ff96c0f12d8865ae280566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
50d83c40f735b539a13e387b36ca363b

SHA1
502aef78b5b6c1e055f80e5ab1f5ecfc3049f0f4

SHA256
808efdad42033df5f54e2334f5493573ed02a92aa016484bef0f5b755616f875

SHA512
3159eb398ee22accf01d22d82f319498ed938e7995c66d9b2d862a5df6f436fafb71aa7719a05a5787e3961bed0a29c6e88a55db4b7189055f3a962cbc888b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
64c33128668763f221ef7f616340be4c

SHA1
c63fec2a6ba28b6d15885b7274c72dbc4ce7b47d

SHA256
e51e93a36cbce0b9f1cadfd9b1d5c3c7addcad4f244a68472419b67225081ec3

SHA512
c058a4fd890852eb819cba527c94a81112d91416d1610ac5fbf2fe2a27054a0d70506f8e7f8497d9f8c1a03731b293607ff96721b1dd21167eef5417825ebfd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d888429e2ce10131e79d400f1f8fc475

SHA1
9d1451172bd201356765722978f2fbe77cbdc09e

SHA256
a737ae3e70a0aee816e3060382912ad5cfd541b9c48206445a6bc442587ee229

SHA512
ac09eacd4187a481b0849bc2869f04cb1515fe5d5bb1b33d1b3413faed616867fd935350cdbdaee7f500972b735c7ed96f9d4c91aa2b5105965da966e70f68cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
65091ca3538933d4032c886941382883

SHA1
47bfdefc5abe6dd4480f6d78f09a06867eecb9ad

SHA256
6c252f3e5612c61281ce0e074bfec27d1a455e5666986cf6267da98ae5c8fb7b

SHA512
d9d7dc0ea3fa53e31f24e14c5da588f47ad54ccba55a65b45d8c07b7b6b2619d7e4bd328026d782dafcd02119f5f79aa0d94876e8e661efc52a3ae96e137a6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0e42387d46bead5538a42f17c2175870

SHA1
6670727566d40ede8be8f2584fe35bfd46ba4d16

SHA256
134b632979189aba8c20d6abb04937a7ada4b85058e140d40721073136e03b91

SHA512
0e53281ae281c1ffc3190c55fedc99363cf16fb0475669a02c2855219e14a8b14012211a6a6f82c33def241cd991171a593cbf748128044d2538bdef3bade0ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\55577368-d9a0-4cab-8b31-91a79bc65800

Filesize
746B

MD5
146e6069b35f9dd50112f1fe12f7c5e1

SHA1
22290976f67a2986a52134170c4380ba6fbef846

SHA256
289dbbc77685b370820ab4e7f9fbbc9a10f71cae234526fed7f6756abaab842d

SHA512
399bd121e0a6b005db531d75f442845cae76531689ed228fd5e1b850d536b766f074391d40d15589c9013a771fe062029fd18ad2b1878554115a7c8901177c44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\57435528-a1c0-416a-9000-f3e42eb52f00

Filesize
10KB

MD5
fb692ead1a212294b011cca7b88aa2cf

SHA1
2cf941f84043002b9aa04a4c3150564cc4c4bba1

SHA256
8e75d60bfd16d772e8edc612575533c18e1210b12f98f85fe86e546dd1249fbf

SHA512
29cebde82b6ece2951007d6aca0620a5f0010eae7708d6e83617c0c9c31e91626d006e2dde3adba9b503f088cc5a44f1112c91e9cd109f84bacfcf7ad943786a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js

Filesize
6KB

MD5
ea582e276d921a6981bc67476d1699dd

SHA1
93a21cfd3afe66bc074e685cf0edeabd5a11da5d

SHA256
1a87f7c9e84c7a0950c24317dfd9dd4d40a464ef0c9853214fba6b39799a418b

SHA512
4e23b33e187fc287bab7cd4b599fbb22455e4df1abc11e56ec1937b0a3fae4c9b05ce7b8a1bbdfde79135e9b446bdc1ab1b88c4a50f0fe3e41b66adf8b0664c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
300cacb90b7245a7bf6b02d0fc166e52

SHA1
ec8e74c35c6a42f27c394e4f8119304831c17f30

SHA256
7de133af91ea4a2c4fe91fa6c565d48372393ca4e9b55063d8d06eac8bb00916

SHA512
8f4d939db7b5afa5f3f76095a871895bb2a7272e37aa2506c35eb8133dc903859e494a312642a42537c211a94160b4457727e5574edb097af2aa500d0a5a234d

Download Submit