f6caf8ba19294236708171df84a45d7be314a2916de3ecde6826880cf2adc19b

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2023 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

forge-1.20.1-47.2.0-installer.jar
Size

5.6MB
MD5

370c3ad5798813a853ab9a061dceaeb8
SHA1

c54ae08eab3691b85ff129fda3445070292e5d69
SHA256

f6caf8ba19294236708171df84a45d7be314a2916de3ecde6826880cf2adc19b
SHA512

ae0d250e45a1899c0c3a28dd97f1cc7416bc185b5b2d7befdc462f4e5ec681e14dfa2f0fb1d1e93d5e6b88f064d0116e680a272d22157cdf4e58d97ec9572780
SSDEEP

98304:+h4CNcuGIXGMPoGxbz/p6x9fies+YO39p0gY3HMS0udPiKF1ae8JDXnn/gwjVYbR:+LNR3GMAGxbzh6bietDtp0gYXj0udPie

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4468	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	firefox.exe
Token: SeDebugPrivilege	3536	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3536	firefox.exe
3536	firefox.exe
3536	firefox.exe
3536	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3536	firefox.exe
3536	firefox.exe
3536	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
420	java.exe
3536	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 4468	420	java.exe	85
PID 420 wrote to memory of 4468	420	java.exe	85
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 2428 wrote to memory of 3536	2428	firefox.exe	103
PID 3536 wrote to memory of 2420	3536	firefox.exe	104
PID 3536 wrote to memory of 2420	3536	firefox.exe	104
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 4796	3536	firefox.exe	105
PID 3536 wrote to memory of 1116	3536	firefox.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\forge-1.20.1-47.2.0-installer.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:420
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:4468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.0.821462472\241885751" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e3e7a0f-d59c-4f73-b743-56314f99aad4} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 1984 1b08a504d58 gpu
    3⤵
    PID:2420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.1.1694548210\359731476" -parentBuildID 20221007134813 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b59b250a-f843-4870-81e3-8d0c3e5beabc} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 2380 1b0ffaf7258 socket
    3⤵
    PID:4796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.2.1302400262\1697210423" -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3116 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18578f69-d193-40c2-b08f-7acddbcfab4a} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 3088 1b08d4c0558 tab
    3⤵
    PID:1116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.3.1004807164\1310280013" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf94b5c-9c79-4724-8443-fd66b5ca6321} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 3628 1b08bf1c058 tab
    3⤵
    PID:2996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.4.668073526\565388865" -childID 3 -isForBrowser -prefsHandle 4548 -prefMapHandle 4544 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {305a5ba6-db67-4f50-aead-445a92a1e1e7} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 4556 1b08eff4a58 tab
    3⤵
    PID:1064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.7.356417269\734952641" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa465b3-d860-4176-831a-609095360f75} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5408 1b0fc92d558 tab
    3⤵
    PID:5088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.6.954466575\991288533" -childID 5 -isForBrowser -prefsHandle 5232 -prefMapHandle 5236 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3121f71-7ebb-44f3-8be7-3994bf82056f} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5224 1b08f881f58 tab
    3⤵
    PID:3756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.5.795833353\1476850432" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bff4d03e-a02b-415c-a878-8eb2bd668f4c} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 4768 1b08f881958 tab
    3⤵
    PID:3080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.8.2004523863\1317355376" -childID 7 -isForBrowser -prefsHandle 5956 -prefMapHandle 5952 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68f594f0-9a92-420e-b7ce-b913088fc439} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5968 1b091922b58 tab
    3⤵
    PID:5420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.9.1710002549\1657610883" -childID 8 -isForBrowser -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81704859-1c88-4832-b866-90705b88229e} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 4872 1b08f872a58 tab
    3⤵
    PID:5848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.10.171703090\1418168640" -childID 9 -isForBrowser -prefsHandle 5364 -prefMapHandle 4612 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bdb73fe-e5d5-4181-b567-86d85d0658ae} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 6204 1b08f2b8c58 tab
    3⤵
    PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.12.480774523\1771048888" -childID 11 -isForBrowser -prefsHandle 4864 -prefMapHandle 3544 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ea3bcc8-8d86-48b6-85ae-a61427e93162} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 4924 1b091be4a58 tab
    3⤵
    PID:6104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.11.902301793\811725915" -childID 10 -isForBrowser -prefsHandle 3588 -prefMapHandle 3148 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d038cac-2bdc-4dbd-b46d-75bbfb817167} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 3552 1b0ff732658 tab
    3⤵
    PID:6044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.13.1063064071\2114039724" -childID 12 -isForBrowser -prefsHandle 6072 -prefMapHandle 5992 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73c64a07-dbb4-4db6-92b6-78934a500eac} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 6060 1b08eff4158 tab
    3⤵
    PID:1080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.14.1090783075\464257884" -parentBuildID 20221007134813 -prefsHandle 6304 -prefMapHandle 4696 -prefsLen 27096 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88513acc-d386-449f-b741-d91d7dad074e} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5504 1b0915f3e58 rdd
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.15.1361976650\1307721361" -childID 13 -isForBrowser -prefsHandle 6168 -prefMapHandle 6248 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11c63154-cda2-412e-be12-54dca9028349} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 6316 1b090de9958 tab
    3⤵
    PID:5224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.16.984933639\358374999" -childID 14 -isForBrowser -prefsHandle 4152 -prefMapHandle 4856 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbe761a7-b0e8-4349-b5ca-a0e65b17b8f3} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5620 1b0fc965658 tab
    3⤵
    PID:932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.17.2007342851\1300265121" -childID 15 -isForBrowser -prefsHandle 5092 -prefMapHandle 5704 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccf6d950-88aa-464e-beca-2ac35bbd914f} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 6176 1b091be6258 tab
    3⤵
    PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.18.1648176520\1328957275" -childID 16 -isForBrowser -prefsHandle 4860 -prefMapHandle 5108 -prefsLen 27232 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c9cccb0-e96b-4374-90d5-4e608750207e} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5576 1b08bc93858 tab
    3⤵
    PID:5216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.19.1182508040\249068438" -childID 17 -isForBrowser -prefsHandle 5048 -prefMapHandle 5660 -prefsLen 27232 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ced57a0-3000-4c0d-9e9e-e5eb7ffd03cc} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 10252 1b08f698458 tab
    3⤵
    PID:6064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.20.566542026\1544891251" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5660 -prefMapHandle 5048 -prefsLen 27232 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {216ae643-e5ee-4590-ae5f-768b8d6faecd} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5964 1b091476458 utility
    3⤵
    PID:5676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3536.21.2067942210\767062183" -childID 18 -isForBrowser -prefsHandle 2880 -prefMapHandle 3132 -prefsLen 27232 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e099593c-a328-40f8-82da-d9fafc0d6f16} 3536 "\\.\pipe\gecko-crash-server-pipe.3536" 5348 1b091127958 tab
    3⤵
    PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
9285901f9712c56e4e8f6d4f7b00dc89

SHA1
d6f852c6c5b38df44b07c3b00f8b65d3ecf6faa6

SHA256
7dfd1b384e725977c55bbb1bbe30677340678dfb1f5e856679cb0856cf10147a

SHA512
830469b81fd75ec0f97908fb5963d24bebef4280cc338e744fc0769b05dc7d56fc2787c18f6a3806eb028395e8ec4eebe2bb188b250ce1e09d5b01c043c98e06

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
f0463988247d93b923c45ce9b4030621

SHA1
d58ee2cc38ad4df5d3a3b5cc7ecf26f36fe81262

SHA256
903633cf38917162f2ddc8b2eae8f37ed3cce3e9455521c765cd5916bf6d235e

SHA512
1efc9d8b2d7ee1c79fd50b56813447416962e7aad75b9b9b77fc1d53e15db96856c0a4982d01f10c6078fc27a040b20c85836dd272cc06862627b0a2eb10d7fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\doomed\10967

Filesize
17KB

MD5
438316f152a882d6385f082559962593

SHA1
056932252b1d0b51248e345f3f32a88afb883d8e

SHA256
adb10c3259a2c53f1e031cd7a73316f31305192569e84abd71ee17ea03a1bcff

SHA512
36edba20687c59ff2335533479279269f6c8ab66fb7aeb8bc2ac5b9b84de6a79c825e4a4b83693761e9ecfa0d5a052832a7855a18f900e51d382523609d4e2a3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\doomed\31643

Filesize
16KB

MD5
6f10ab7bdd0360aebe6e624969b70da9

SHA1
1533d3ad28d21fc3a45907b35d9bbb186bbd7167

SHA256
3d1b83356bb32f15e82e37048d8e41856b945496df8221c32e18c943e99ced2b

SHA512
a3cbde06a6a7621ebe60fb4997150f474a3ea0e8358607b8b76fc30ef7e6b79b2b88a8120f750cb54f312fb2806708986ac709110b8ebad905b5ad33c6cf0b58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\doomed\7624

Filesize
15KB

MD5
bec21e30e5dd72e74cada1cd954ed7d7

SHA1
00cbc321af536c8ab9ea8fde37e486d94cce10a7

SHA256
56f29bbf201400bf43721198e5476ab317fa16c26d634e86586c57395c2df2ca

SHA512
e0f45e25b68d92f608169d1fbe4c31ff95dc477e9ca1638485eb183d3a5189ceeb4e021cd0e444ff87299712fed2d0eb1ca581518295a8b4f2511356f9a18e2b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\doomed\9783

Filesize
14KB

MD5
b431216c714cd9098f27b4eeb2dac2f4

SHA1
3abdd39653e277886b1a370d00391495d74adea8

SHA256
06fbff5bea4d09831ca08c6de3909d1db23c1945efc59cd2357b8b64c9c612a4

SHA512
7c28dc4cc93d0f0f76ef73ababad37722c8cfebf7eace0ff7deeac44b9b9038aca800c1736bebce1fe2a670c41cac9511c07c8c7fd5329d862dbb4d53133df1e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\entries\E1EE0C5EBB70C63108FDA33EAA6AFA852C05247B

Filesize
43KB

MD5
849190998d804122c3b862be050c6a14

SHA1
07c51ea9acab816ec9e46dd913b95608efadd896

SHA256
2db097c75dad99e41f67a5a20991e320b7957d2c0e555c604e42b2afcc7da280

SHA512
e81424973362d7e02fb58f606ce830e81f5e8cdfc929a58f1b6f7e84fec72f12780cca1593af2244ee47c2290f7992cea5b576880b556cbfa08f674731d8c8b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js

Filesize
7KB

MD5
a73b428bf096740f1659aa0029097d9f

SHA1
c18a0654f14256daa775c0b7fd04dd9535caaea6

SHA256
e110c9a95ade9963ac0a5bd70a790c6fc8525b9d3a85840ec82489b3d6628667

SHA512
723c7e2ea3aae659f7c9a7bde4e053140d5c7b770de391cde24eaa2b99a10ffd66d89a6ce8d697cd1a306f9b267b4b7474edbde47ecdae8d3ef1d9f640912cce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js

Filesize
6KB

MD5
8bde36d0afa56439c5b9cce0aab143c0

SHA1
44ac97152375de6d786fe1ca9cc55fc223573b25

SHA256
5dba80eb362a7dd9c286f5f9e471468799723b5e8d235bc5b478c34e684c6364

SHA512
f30d9fbc610be66213f1788ad8a47fed450488edcb9b1a46cceea62b946d9cfe6c27d04f3a2c5e6f1469d79deb7b0e249da1c6e9149f128592586d3e570236f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js

Filesize
6KB

MD5
15799276e279e905a0dc76b0d64b1b23

SHA1
1d74e80aa1253ef112a9ceca941c3d95941af741

SHA256
0c640c1038883070a72cfc299d483a96c7a450ab024ac8db26f49f110ab6e560

SHA512
cfdf5b94fa363d21bf2cc2ea85f888fcf8cd9423f7b8c1e170e1d189450a2025a2b05f9eb65a09b4eaf4542f7be4f3cee22e636c104e4046b8ffd0e10b6d74d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
16ef4ca56f828a8b621a513f463e502f

SHA1
f56289b54f86cc65e61a205511f6fe1619a4e3eb

SHA256
fbea2d60f75e8f755d5d7fbb079e7e0a0c20fe36abaf0ace934e8261e29ed970

SHA512
a99403716c50b1902b012c5e0bfa5b53c86c6397ef4f4da93fd35b207e7db78175827f9c572c125c3d8fd32b529980d7a731601f9eb8f8435df73948d8c12b31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0f56c436d8d3ad924202fb01d6c32564

SHA1
5621d3a74f770a3d5349a8b6ba057e1f133b8bab

SHA256
d4a2e6afe254d7741fc20ebb2a89b03bef9a4d734a90a2fc0ddfc83ef121ce78

SHA512
fda5e59887e99dbcc34465825193f659e66b970db852f3f811a90e6cf84923117a2c7b166dcd7e80c7eb71dddecdf0cfedba9ab291008e10103cf716a621bf18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
bc2e26349cde75d18420a4260019b283

SHA1
e3ed57d834371fdd81cbae46e83544c898c9e9bf

SHA256
8adc411f8c5800abce11e257c7a17ac4dca8f37421745c181629cc96e4572109

SHA512
730f2f833f735ca323f8d2aa1e0b8deb2c7eb83892522901a9bc76c1544926d5e0eb04eb3c306b6e68d8cd2c4d0c4d985223c41cd401495553573c8e52314ee3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
0c501095644e15bb0819bcc21b787bbd

SHA1
738d38c1b94b529df12161da62dd7afdf9548ae6

SHA256
88478088c155be6fc89d11f676cfa37b376008e07a66ca2953776c302c1e85f6

SHA512
d819b4e527c32850cd77a685f25689a6ef047a546059eb2a5ada03fc2cea2075f787178eb5b260f87d0671954cf9d1f0a6896ff5012b1ab7e85da417f0978b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
358b164c0088efb171443f8c2f8b7d0d

SHA1
6b8549e35aa090576943e42714b7c72a31b59dd7

SHA256
a1a59759cc4bf95de790dca6a3ed325c37eb7438b0aef49fec205362329861de

SHA512
3e9ee9fd5da818e162320f605ce61d04d0b46ad3919b16deb7489a66668676c37af905913d61fea7746457de61edc7653ba01804cde0830fe50a9db4b92277dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
3d9ba7cb54791d9e49b45556645aa10e

SHA1
84ee80783037a88b617174c5375197f7a548761e

SHA256
8ca3b860e4c483bcee19c4cbc1c3924cb163d6e65107edac2f922a5799f21094

SHA512
8bb1eef1798458f4c00e58a81c1ee14bcefeae0feee40fef27d9d377e423bb8cb91c7c1e5294941295cc28a6676d8faa53225a17e82b828f8820ecbb9914bd0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
738d6aefe7da3b998e1a30a30ebb1721

SHA1
0a3fef1bcf1b90b2f57f76a70cfe5faed95da5ed

SHA256
71f9f3565ff64cfb501631fd8d5440c2eeac0f27963f0dd67a89dcf8c5800c67

SHA512
8ff1c638400c0de2f22802ef22348ffc5d79635cbb1229734d78f11fb4cc06d7302b1b218b573224766302053409a67953eda899481fb2dc41582367ea8203c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite

Filesize
48KB

MD5
b185c872e62146024ce78ad0adbe2ff8

SHA1
611c7c747b95231ba3d8e32e437aec407eb0e878

SHA256
dc3b1138e6927bbac87a4f4a419e153e9c78c50fa892a7ac7653be5ef9f570a4

SHA512
05b5d3d83e852ed2c20949a6e0806601cd42bc7c8e38f1b01e22790f582527e96180c5faf90be7d4adf8630f3f690ea5e5c1843df6c4c09ab1be484e7795fdc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
176KB

MD5
462e47ccb1e49650bc2a40d29096011f

SHA1
c4c6fddfb7b18ca202e4a6be88d0681d018f63a5

SHA256
2790ba32b52f2b892db39f107dfd2cf73a1233e2cfebb536c5224dd6a051b338

SHA512
4b10962c4b71e4cab06e9bb1e5f9abf32e97644ae287d9c1065c58615dfbb3249029905be17661825b165f8d23c58a4b6e4ed60ed6afbd407c0371f95210ab53

Download Submit
memory/420-61-0x00000228802C0000-0x00000228802D0000-memory.dmp

Filesize
64KB

Download
memory/420-62-0x00000228802D0000-0x00000228802E0000-memory.dmp

Filesize
64KB

Download
memory/420-70-0x0000022880370000-0x0000022880380000-memory.dmp

Filesize
64KB

Download
memory/420-72-0x0000022880390000-0x00000228803A0000-memory.dmp

Filesize
64KB

Download
memory/420-71-0x0000022880380000-0x0000022880390000-memory.dmp

Filesize
64KB

Download
memory/420-73-0x0000022880000000-0x0000022881000000-memory.dmp

Filesize
16.0MB

Download
memory/420-74-0x0000022880000000-0x0000022881000000-memory.dmp

Filesize
16.0MB

Download
memory/420-68-0x0000022880350000-0x0000022880360000-memory.dmp

Filesize
64KB

Download
memory/420-69-0x0000022880000000-0x0000022881000000-memory.dmp

Filesize
16.0MB

Download
memory/420-66-0x0000022880330000-0x0000022880340000-memory.dmp

Filesize
64KB

Download
memory/420-65-0x0000022880320000-0x0000022880330000-memory.dmp

Filesize
64KB

Download
memory/420-63-0x00000228802E0000-0x00000228802F0000-memory.dmp

Filesize
64KB

Download
memory/420-64-0x0000022880300000-0x0000022880310000-memory.dmp

Filesize
64KB

Download
memory/420-67-0x0000022880340000-0x0000022880350000-memory.dmp

Filesize
64KB

Download
memory/420-60-0x0000022880000000-0x0000022881000000-memory.dmp

Filesize
16.0MB

Download
memory/420-6-0x0000022880000000-0x0000022881000000-memory.dmp

Filesize
16.0MB

Download
memory/420-59-0x0000022880360000-0x0000022880370000-memory.dmp

Filesize
64KB

Download
memory/420-58-0x0000022880310000-0x0000022880320000-memory.dmp

Filesize
64KB

Download
memory/420-57-0x0000022880280000-0x0000022880290000-memory.dmp

Filesize
64KB

Download
memory/420-52-0x0000022880000000-0x0000022881000000-memory.dmp

Filesize
16.0MB

Download
memory/420-49-0x00000228F5200000-0x00000228F5201000-memory.dmp

Filesize
4KB

Download
memory/420-40-0x0000022880000000-0x0000022881000000-memory.dmp

Filesize
16.0MB

Download
memory/420-24-0x0000022880000000-0x0000022881000000-memory.dmp

Filesize
16.0MB

Download
memory/420-21-0x00000228F5200000-0x00000228F5201000-memory.dmp

Filesize
4KB

Download
memory/420-12-0x00000228F5200000-0x00000228F5201000-memory.dmp

Filesize
4KB

Download