hxxps://allured[.]omeda[.]com/pnf/logout[.]do?rURL=hxxps://bloodspoint[.]com/cincinnatiparanormal576

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2023, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://allured.omeda.com/pnf/logout.do?rURL=https://bloodspoint.com/cincinnatiparanormal576

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133238615140877718"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
540	chrome.exe
540	chrome.exe
4784	chrome.exe
4784	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe
Token: SeShutdownPrivilege	540	chrome.exe
Token: SeCreatePagefilePrivilege	540	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
540	chrome.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4260	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 4432	540	chrome.exe	86
PID 540 wrote to memory of 4432	540	chrome.exe	86
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4744	540	chrome.exe	87
PID 540 wrote to memory of 4604	540	chrome.exe	88
PID 540 wrote to memory of 4604	540	chrome.exe	88
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89
PID 540 wrote to memory of 3036	540	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://allured.omeda.com/pnf/logout.do?rURL=https://bloodspoint.com/cincinnatiparanormal576
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe6139758,0x7fffe6139768,0x7fffe6139778
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:2
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4556 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4940 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1752 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5320 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4592 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5000 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5692 --field-trial-handle=1768,i,8617643071689998551,13244247414431681744,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2340

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3928
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4260.0.1953520888\680663013" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1836 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1be9a48a-d737-4440-8ff1-4bd715d6c864} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" 1916 1791fe18c58 gpu
    3⤵
    PID:2408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4260.1.883748241\84873799" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d14f8917-74c6-495f-b972-ebc5b76fd7da} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" 2316 17911e72e58 socket
    3⤵
    PID:1352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4260.2.166031506\1659496102" -childID 1 -isForBrowser -prefsHandle 3440 -prefMapHandle 3248 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09e29811-6dce-4992-a46d-afd11e7d9dd9} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" 3468 17922a37558 tab
    3⤵
    PID:4148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4260.3.2115637970\193661932" -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b38b062-46a3-4a65-be80-6546e1709894} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" 2360 179214f3758 tab
    3⤵
    PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4260.4.748115037\1657901544" -childID 3 -isForBrowser -prefsHandle 4200 -prefMapHandle 4196 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e550451-cc77-40c4-b29c-70c158f08d59} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" 4212 17911e5b258 tab
    3⤵
    PID:872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4260.5.533434641\1707113622" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 5000 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b43248e8-f751-4fdd-9186-b6118104ac75} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" 4836 17911e5ee58 tab
    3⤵
    PID:2252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4260.7.252320269\477197211" -childID 6 -isForBrowser -prefsHandle 5420 -prefMapHandle 5424 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a232df0-c262-41d5-84b5-d513cbc58f11} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" 5412 17924cd8058 tab
    3⤵
    PID:704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4260.6.1065941429\1224497026" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1aa5e4c-cb0c-4868-8740-414c09df6a0b} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" 5220 17924cd6b58 tab
    3⤵
    PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
070749eddaa6347004873776224b013c

SHA1
9c1ca5909470076ae4ca295bba2a4bd8fbe3df85

SHA256
21d3cc1acc24c899a0dec3983bcfb316207211177460ae1c3902bc58c1df65e4

SHA512
acb26669623dd00fe4e746e965555d190dc4ec025e67b9e888914fe0f823d35a92904db59ffcaab9af05c7deac9886543668967270fc227cd4baaec3b2b8bea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
2067ac8d588add106afa352b32a1c34b

SHA1
43ebda4d79736ffc46bc09bbbad3f4d907ed01d3

SHA256
3770cd512094d38877f2a6f9bed728144f21bc3be8edadb1dacc3a1237b0f811

SHA512
ea2a18b284d26a26f4b06878fe27c1030f684b9f93549a69360b61105fe53e94d8e17e7f5df087a6811c69ca6c4cdc1a91f0d29d83c70cd24e826b9a555a5188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
05751ad8278194bd9c860a317be108bb

SHA1
50f8f2f402047114b149056eced07bddea792c26

SHA256
9ded4a926093f4fc980d0b6a7560e4acb0f1f5eb709e48b328be3a8eb30baadf

SHA512
2ec5704daa0a8f7fb76ee335f4fc0d72aae866d0b150aac25ca0085365371fa5982faced492c93014cb5ee636bac14c8034dd809362741f468e1af498fe9453b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2a387628656df6b48c90aa8383de878c

SHA1
8fc0c08ad15c514d7ab124d3d9a4c949aed7c05e

SHA256
df26eaa9ce9afa6f970651e10505908bebde48389bcac65224b4c4290e665c9e

SHA512
07a68d1d8a0d20ce1dfa96b6b52c6bc1402c25a9320bcbae5cdb5598d6021859153d2f46c597211bbc71bb1aa0709362260bf67ad9c820717a3ba38259aee5ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7d8a1e109c58e8177b2cc2d26a11136e

SHA1
81d300565f6b25d17876a17c05afe9162e2a5c35

SHA256
a196d0f859a2965d87ac383d263d591016a2dc28c9b66ac959763d7a2be75a83

SHA512
5b158a75e4c5d433f5759a48f7e22f9fcf4974ae935302b4497109aa3bc6273aed042271a32500df416925949491affb91cdc45d7496af1582d92882e525a87f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
46905d28fa27b5a069f14727ced62583

SHA1
cd46f9db8ac22717750b60861871380d5004bd54

SHA256
d3842ec0fbbde05c1196d41270d3dcac6c45897086a18a4fc9a469debcf389f1

SHA512
53a1dbdaf7022378304324912af9894456150717200f9ea69b961ec1f2e04a08f1ffecf967dbf1b79d959e74b1e5e37495c91e5063f0b3b6e63f13a6e6047477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bd4a10ba1a21d6e242441786b32824cb

SHA1
bfad822d48f488bccd7ad041b719fc6c18c50d0c

SHA256
b1fba336cb7a4b462d9f3c339458159f1743abcd626cd3a98686bafdf6213737

SHA512
fcb1bfb363d90ca76060443059d1271dce39958b0ddb285a3de4d2114a853cab1a410b60003563eb4913057f336097b2703c3d30a531d625f21f8067f02ed104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
a1291ac8cb6232f7bdfb1ea910ba64e0

SHA1
344c2bd7c9c0e0903b2a089dda335d9210ba739b

SHA256
859008f40986ca73b568a62d0c0135afa24beeb031ceace4b35a19707c0ecab2

SHA512
008dc23b4a631a4ea2caaf888a5cc3bb15746c1bb67bd2e4978461aa301957e22e88b16ce86ff3e1f01b19a5ec632665c4125445f66d108f252a2fa692543902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
143KB

MD5
6aa44fb781d5f1fa2b154453ba1568f9

SHA1
e44dc857ea5ec26922e9d065bd65c0919e8504d3

SHA256
8c783f31508b17406e3c8a93cb3f09a922ef779c8654eaa69b2b53f29f4f5ee1

SHA512
6fdc23b5f092d75b9b698c72bc788ea42c11ad85878e66944f8329a4a73796ffad39f299c282032bcefe9981df29b2cd51c5877a0ca3d579f956c9b47f64c491

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\entries\D5594A2648EECD01993B5C42919BA64ADBF56052

Filesize
14KB

MD5
78dea33d9bb22094314c6c0d84fcb8fb

SHA1
213a8bd9d51d75900f225162571310227f334313

SHA256
f8ae546bf1af47aed4b20f22197e97f54a9ddd6f8f5d78cedb886d84eedb9745

SHA512
2b99cae34a98226243f1c52d3245a3728a06db81aadd2b998cf3d5414ec40d7cff966a70941f139bd5b77e0f4c3610c72aa95dd22219ac0e5d1d4db7b0080351

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
2db0938d3e84f4c5741474e4dbca96d7

SHA1
7403101ad6f00aee1be6fe2a6e0e93cac4f46681

SHA256
f33737c4546484763773b3e238d3bf3238e1064a7b800eeaa840cd9b657866e3

SHA512
967a3548768d712aab311bf0b8b2d628d704255f186712312db2ef89aebcbae66f0738f0412ab1a103c50b99c04fb5d0cf0497af6cbe23cafe1b25c6b5a3ada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
1496f2993dd5e80e626b6245bf38b3ed

SHA1
1eefa159ca98c64a63efb7813550b1ea30a678c9

SHA256
7017ed65096f805a9c29e1889c2de64a791ac1d77bc246a35c1f5db6eeffaac5

SHA512
ce9c69af3e136b7a24722c6ca6f432bae88d6fc677fc5474d089313fdf206c85d65bb0963c1add030c6d8fbaea58d74ae3e7a5eb591e77df1b0a74ea7cb3240e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
58af659e38d8d68e8f7b98b425bf45f8

SHA1
cac27c37b21875e006c2366e5ee2b1b393aed014

SHA256
3530ffddfa91901c0ae0fb0305f4ec9c65cf24ed4e302a7a50424db92bdc0dab

SHA512
011049ffa394b60922cdaee9ba5e3a184d44a180d5db78a5d4f05d93253a51da2b0092ceaa8b4fd2601bae183798f67b4f7ebf91d8366fc302d13164f27a5e06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
f5aa22d38d58ae30acdd137cedebe6ac

SHA1
f200ac9f7273481f71eb45994d5ede277094ddcc

SHA256
42cc51eb83f21bbd4e090442045a7eaa811dd6b788538ceba1ba9f3c0bcbbb54

SHA512
df7597a5934d79e2ff2fd80875440d14375194c630ac2529d11dedd335587c6e3b8740516b6427ed1f0180e56fada6a95e77c40f1d213ee814a4604d8d1e1a67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
fadb41d4609dfe3757657ebc483f2689

SHA1
95c899870feadab5cb4c4a220eee55f21371bc62

SHA256
a3f1f8cd53eb592e24f9e3bf2b4e120710b66f390761a208abd8e53dc51779b4

SHA512
32e215f0c48a271b569ce33291a583351d8ee6ad50548807602a395febd5670b149ea13c9f597c56edfc74eecd4a3e0f6ab34d7514da63d879735ce810bbd110

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.js

Filesize
6KB

MD5
feb8a52858c8167a58f36caa1b37f116

SHA1
7ae7f9d2721ae3c579f9e18e4fea679e8c848158

SHA256
adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a

SHA512
109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
abfe86ff4e93c7d7887937e1ea302aa2

SHA1
7ff2fa27c21e49839c1211612105eaf727071549

SHA256
5bf46d911474726f9dafcf6b7918db659bd14448731dadde07529e49f4be14ec

SHA512
e4b1cc14314fc54ad61d66beda5a37a14aaeebac36931abd00bf2fe93b360458be5f17bd47428941297036ff18c601b5ba1e386ece7329c0113c40c7fad463b3

Download Submit