hxxp://cpmpri[.]com/r2[.]php?e=oQ%2BR7ZocOs1CTl2BobNHJH49fmxHWVVwUmxJb1JIZE5BWk42Vlo3Y3dSY0xKQzl4Rk9tUnVKc2k4MW1qRWxlWEk4VEUzdm1WNnM4MXJteXQ3RGkyTEZ4TEFIRnF4RlZONGgvRWxBSm1qSjdyNTh1eWQ2RUdDMDVEbm5FTXR2VEQxZWE0MVI4T0dlSkFMNmNhbk9uR1NkQW8vbXRERjR1VEpveDJMZG9CUE02SStOR2RhREJUd3lreU9ERGRpWHdxdFQ1U2pqSDQ3SGRHNmY4cHEyVGc2c3hPUjlXK3p5SGhJcHVlTjh2MWhBWXViREFXY1N0TXVYcUNmOGFYb2wyRE9NNU9MM1c5dFRxVmM3OEY4VUVyL0lEb2hWYnRGWGo3UjdaMklTZDYwVmQ4KzVrOGtDMUtNSlh0OW1maGhLdlBnaUJQUlpUempPZ25BYmhYSmoycGFPNm9KVnBkUTI1cFdtWkVEM0hVbXZaN053Q2NFc1ZVbmI1MzFHbDRCbXZJNW11cnJrZGF5S0ZJczczSTA3NE1NZWd6NG1rd01OTkxJSERFS2wydEVFRkJGTHBaOSsvRkUyNkx3OGc2UG52cjJPSWwxRjhvOUtoYUhpTmpJNXJXK2EyU2FRalB4QXYrWXpPUmg1Z0pZOFV1UnY3U0F0bk5WYTZwM00yd1VGTkptbWxMdlJ4M2J4WjU1d0R1RHVuWmk0RjVTcEtzT2w2bnF5SHRJNGM1U1FTaDBpeHZxZUtIYk4zNWFDaVBsSnJDYUVjTlRMWDZEQXhWbnBueVhnMlRDcUh3dytsenFqYmFjY1F6T0pBQWg5Yzcxb3RhTWVQYjhtK1c0N2drQnpMd2xJSm5ncVliWnkyRkhjUmFhT0Vwb0lsejJqTlcrUEZ3RlhmQi9tRnRPYXVleFFaWStGekU1dEY0TzdzQ0dnSG85cXhZM3dGcHJXUmhEUmJaZkNVWHkycURxcDJFb3phM1pRbkdUMFAyNDdWMU83OGRUY3RNWTFrdFQ0dHZtR0VKdk13WXE0SkFaWmUwRjJUZWJyWGtBZG44UThTZTJLNmQ4YjRpUFFOd2hsNWZ6NW1jY2FyRnlhUGlXbGREc1lQK3ZFcFEyMlJ6bExuUnFhczFzMVpwdEt3VUFRN09YRXppL0RPYzEyQ2VCazU5NEZzMTIvNXg4Tm9YalZJaUpRPQ%3D%3D

General

Target

http://cpmpri.com/r2.php?e=oQ%2BR7ZocOs1CTl2BobNHJH49fmxHWVVwUmxJb1JIZE5BWk42Vlo3Y3dSY0xKQzl4Rk9tUnVKc2k4MW1qRWxlWEk4VEUzdm1WNnM4MXJteXQ3RGkyTEZ4TEFIRnF4RlZONGgvRWxBSm1qSjdyNTh1eWQ2RUdDMDVEbm5FTXR2VEQxZWE0MVI4T0dlSkFMNmNhbk9uR1NkQW8vbXRERjR1VEpveDJMZG9CUE02SStOR2RhREJUd3lreU9ERGRpWHdxdFQ1U2pqSDQ3SGRHNmY4cHEyVGc2c3hPUjlXK3p5SGhJcHVlTjh2MWhBWXViREFXY1N0TXVYcUNmOGFYb2wyRE9NNU9MM1c5dFRxVmM3OEY4VUVyL0lEb2hWYnRGWGo3UjdaMklTZDYwVmQ4KzVrOGtDMUtNSlh0OW1maGhLdlBnaUJQUlpUempPZ25BYmhYSmoycGFPNm9KVnBkUTI1cFdtWkVEM0hVbXZaN053Q2NFc1ZVbmI1MzFHbDRCbXZJNW11cnJrZGF5S0ZJczczSTA3NE1NZWd6NG1rd01OTkxJSERFS2wydEVFRkJGTHBaOSsvRkUyNkx3OGc2UG52cjJPSWwxRjhvOUtoYUhpTmpJNXJXK2EyU2FRalB4QXYrWXpPUmg1Z0pZOFV1UnY3U0F0bk5WYTZwM00yd1VGTkptbWxMdlJ4M2J4WjU1d0R1RHVuWmk0RjVTcEtzT2w2bnF5SHRJNGM1U1FTaDBpeHZxZUtIYk4zNWFDaVBsSnJDYUVjTlRMWDZEQXhWbnBueVhnMlRDcUh3dytsenFqYmFjY1F6T0pBQWg5Yzcxb3RhTWVQYjhtK1c0N2drQnpMd2xJSm5ncVliWnkyRkhjUmFhT0Vwb0lsejJqTlcrUEZ3RlhmQi9tRnRPYXVleFFaWStGekU1dEY0TzdzQ0dnSG85cXhZM3dGcHJXUmhEUmJaZkNVWHkycURxcDJFb3phM1pRbkdUMFAyNDdWMU83OGRUY3RNWTFrdFQ0dHZtR0VKdk13WXE0SkFaWmUwRjJUZWJyWGtBZG44UThTZTJLNmQ4YjRpUFFOd2hsNWZ6NW1jY2FyRnlhUGlXbGREc1lQK3ZFcFEyMlJ6bExuUnFhczFzMVpwdEt3VUFRN09YRXppL0RPYzEyQ2VCazU5NEZzMTIvNXg4Tm9YalZJaUpRPQ%3D%3D

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3820 firefox.exe
Token: SeDebugPrivilege 3820 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3820 firefox.exe
3820 firefox.exe
3820 firefox.exe
3820 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3820 firefox.exe
3820 firefox.exe
3820 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	3820	firefox.exe
Token: SeDebugPrivilege	3820	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

firefox.exe

pid	process
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 4748 wrote to memory of 3820	4748	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1808	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1808	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1376	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1196	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1196	3820	firefox.exe	firefox.exe
PID 3820 wrote to memory of 1196	3820	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://cpmpri.com/r2.php?e=oQ%2BR7ZocOs1CTl2BobNHJH49fmxHWVVwUmxJb1JIZE5BWk42Vlo3Y3dSY0xKQzl4Rk9tUnVKc2k4MW1qRWxlWEk4VEUzdm1WNnM4MXJteXQ3RGkyTEZ4TEFIRnF4RlZONGgvRWxBSm1qSjdyNTh1eWQ2RUdDMDVEbm5FTXR2VEQxZWE0MVI4T0dlSkFMNmNhbk9uR1NkQW8vbXRERjR1VEpveDJMZG9CUE02SStOR2RhREJUd3lreU9ERGRpWHdxdFQ1U2pqSDQ3SGRHNmY4cHEyVGc2c3hPUjlXK3p5SGhJcHVlTjh2MWhBWXViREFXY1N0TXVYcUNmOGFYb2wyRE9NNU9MM1c5dFRxVmM3OEY4VUVyL0lEb2hWYnRGWGo3UjdaMklTZDYwVmQ4KzVrOGtDMUtNSlh0OW1maGhLdlBnaUJQUlpUempPZ25BYmhYSmoycGFPNm9KVnBkUTI1cFdtWkVEM0hVbXZaN053Q2NFc1ZVbmI1MzFHbDRCbXZJNW11cnJrZGF5S0ZJczczSTA3NE1NZWd6NG1rd01OTkxJSERFS2wydEVFRkJGTHBaOSsvRkUyNkx3OGc2UG52cjJPSWwxRjhvOUtoYUhpTmpJNXJXK2EyU2FRalB4QXYrWXpPUmg1Z0pZOFV1UnY3U0F0bk5WYTZwM00yd1VGTkptbWxMdlJ4M2J4WjU1d0R1RHVuWmk0RjVTcEtzT2w2bnF5SHRJNGM1U1FTaDBpeHZxZUtIYk4zNWFDaVBsSnJDYUVjTlRMWDZEQXhWbnBueVhnMlRDcUh3dytsenFqYmFjY1F6T0pBQWg5Yzcxb3RhTWVQYjhtK1c0N2drQnpMd2xJSm5ncVliWnkyRkhjUmFhT0Vwb0lsejJqTlcrUEZ3RlhmQi9tRnRPYXVleFFaWStGekU1dEY0TzdzQ0dnSG85cXhZM3dGcHJXUmhEUmJaZkNVWHkycURxcDJFb3phM1pRbkdUMFAyNDdWMU83OGRUY3RNWTFrdFQ0dHZtR0VKdk13WXE0SkFaWmUwRjJUZWJyWGtBZG44UThTZTJLNmQ4YjRpUFFOd2hsNWZ6NW1jY2FyRnlhUGlXbGREc1lQK3ZFcFEyMlJ6bExuUnFhczFzMVpwdEt3VUFRN09YRXppL0RPYzEyQ2VCazU5NEZzMTIvNXg4Tm9YalZJaUpRPQ%3D%3D"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://cpmpri.com/r2.php?e=oQ%2BR7ZocOs1CTl2BobNHJH49fmxHWVVwUmxJb1JIZE5BWk42Vlo3Y3dSY0xKQzl4Rk9tUnVKc2k4MW1qRWxlWEk4VEUzdm1WNnM4MXJteXQ3RGkyTEZ4TEFIRnF4RlZONGgvRWxBSm1qSjdyNTh1eWQ2RUdDMDVEbm5FTXR2VEQxZWE0MVI4T0dlSkFMNmNhbk9uR1NkQW8vbXRERjR1VEpveDJMZG9CUE02SStOR2RhREJUd3lreU9ERGRpWHdxdFQ1U2pqSDQ3SGRHNmY4cHEyVGc2c3hPUjlXK3p5SGhJcHVlTjh2MWhBWXViREFXY1N0TXVYcUNmOGFYb2wyRE9NNU9MM1c5dFRxVmM3OEY4VUVyL0lEb2hWYnRGWGo3UjdaMklTZDYwVmQ4KzVrOGtDMUtNSlh0OW1maGhLdlBnaUJQUlpUempPZ25BYmhYSmoycGFPNm9KVnBkUTI1cFdtWkVEM0hVbXZaN053Q2NFc1ZVbmI1MzFHbDRCbXZJNW11cnJrZGF5S0ZJczczSTA3NE1NZWd6NG1rd01OTkxJSERFS2wydEVFRkJGTHBaOSsvRkUyNkx3OGc2UG52cjJPSWwxRjhvOUtoYUhpTmpJNXJXK2EyU2FRalB4QXYrWXpPUmg1Z0pZOFV1UnY3U0F0bk5WYTZwM00yd1VGTkptbWxMdlJ4M2J4WjU1d0R1RHVuWmk0RjVTcEtzT2w2bnF5SHRJNGM1U1FTaDBpeHZxZUtIYk4zNWFDaVBsSnJDYUVjTlRMWDZEQXhWbnBueVhnMlRDcUh3dytsenFqYmFjY1F6T0pBQWg5Yzcxb3RhTWVQYjhtK1c0N2drQnpMd2xJSm5ncVliWnkyRkhjUmFhT0Vwb0lsejJqTlcrUEZ3RlhmQi9tRnRPYXVleFFaWStGekU1dEY0TzdzQ0dnSG85cXhZM3dGcHJXUmhEUmJaZkNVWHkycURxcDJFb3phM1pRbkdUMFAyNDdWMU83OGRUY3RNWTFrdFQ0dHZtR0VKdk13WXE0SkFaWmUwRjJUZWJyWGtBZG44UThTZTJLNmQ4YjRpUFFOd2hsNWZ6NW1jY2FyRnlhUGlXbGREc1lQK3ZFcFEyMlJ6bExuUnFhczFzMVpwdEt3VUFRN09YRXppL0RPYzEyQ2VCazU5NEZzMTIvNXg4Tm9YalZJaUpRPQ%3D%3D
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.0.1565437117\839570753" -parentBuildID 20221007134813 -prefsHandle 1824 -prefMapHandle 1804 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0873281a-306c-45cb-bc23-74220df01966} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 1904 1e64d5d3b58 gpu
3⤵
PID:1808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.1.655463206\793649985" -parentBuildID 20221007134813 -prefsHandle 2272 -prefMapHandle 2268 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63545cd3-2708-4fcb-a2be-4c4d2f1d5049} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 2300 1e64d15fa58 socket
3⤵
PID:1376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.2.1178086395\286685998" -childID 1 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 21666 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b35b97e-7518-4128-911a-8eadfa2b2a71} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 3204 1e6524d9c58 tab
3⤵
PID:1196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.3.2102461211\765182066" -childID 2 -isForBrowser -prefsHandle 2980 -prefMapHandle 2860 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb0ed547-7772-43be-9c94-39506fc11c53} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 3556 1e64168f458 tab
3⤵
PID:5064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.4.441222419\216730271" -childID 3 -isForBrowser -prefsHandle 4904 -prefMapHandle 4900 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f41965b-1e14-4036-9291-ee695f766541} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 4916 1e652488758 tab
3⤵
PID:3476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.5.1350341297\604608945" -childID 4 -isForBrowser -prefsHandle 5052 -prefMapHandle 5056 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be0ca813-9052-4b7d-85a4-a24ac14fbd70} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 5044 1e654225d58 tab
3⤵
PID:4956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.6.1641087898\404571532" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f944756a-e969-4856-bd02-1325f4237f75} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 5196 1e654e3fa58 tab
3⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fqbfx32.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
6f9e9fb22e7cacbd7ba2b2109389cb3d

SHA1
368276d8bda3aab0b907f75f467d053084d4f484

SHA256
f2d2fc47b729d6fdafa0ce8ac9a5b9d5341da9632d0c368610857eeeaf807dce

SHA512
601e071f2837abe613a4a827a3974a7b6d1d9e49f299cc95d9991b9212adfb2c5ed7fb06a13e26a6832762f424123e763c419dd21fc2b024fe57057d139d6016

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fqbfx32.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
7e8824f05c17a50c359edbb18d067401

SHA1
48f6a7453fc586cc8e8e61d8a614f83a980e8c30

SHA256
2c7bf452efc2ed6fee67ccbdaef2f3d5a0dc4433c9cf9247863300c4c4be4961

SHA512
7344f92cd48d47dda7e0859c5202ee82daa602c3d08e5db09745d2efd8eedf6e63da94443d1d1e44d577c4e4c49b61c290b834d7bb2c2bec7915cd6698109f35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fqbfx32.default-release\datareporting\glean\pending_pings\5d60ba70-a518-498c-905a-aa78786b5f28

Filesize
746B

MD5
eee978d2419f56cbd4352765934f6111

SHA1
60af47046c87996e5d4d472bb1f1b935f11ccabb

SHA256
27ef066bdd10fa89ce3e149be0e53e23b415b1b728a3f7d808305fb87f8d7fbe

SHA512
a4af64690777a7178b784fc702166694d648f980acbbcf0dd5416ace7851e2b0525c8382f119cf5806f6ff692c1cf67a82ed64b19585f4c7d6dca60ef7631007

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fqbfx32.default-release\datareporting\glean\pending_pings\6333c40c-5943-46a9-b164-f9a72e6b5d51

Filesize
12KB

MD5
0129bc1d7de451867c2a7a8db38165dd

SHA1
d4fc2c8f126df609e3bccb4597a55891418a95f4

SHA256
e2986ce9aaf610d5e4b89edcfc828d5e63e4dc463e41122f0fd4dcd1a70037ad

SHA512
74b780c3f621a6a78f2f3e036039e023ebc17733cefb0acf17353963339482c38aff033941264507f8a674766683fd5e35617ef87430921c68a40b9dd96f1aff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fqbfx32.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
992B

MD5
8e9f1eb28f2637406f5f219d61aecd29

SHA1
28a90740bfef29334dc1ac31b8b1fc265f8c6fa9

SHA256
610bc7af8d4cd624b6c5d846a813d213ec7ed5add0ea5dd19a7ae1f7519104d2

SHA512
ad2ee3f63bad572ab4efa576fe595c3c03af289118d90c84bcd007f89895d0e4931c546d424258bc0e013195f871877cb8735240e69fc4e685822dddcd207913

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fqbfx32.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0a1ca86abdb331fe9a865185efb0b866

SHA1
9538b1b49f1ab4356dafa595641086a13c033a09

SHA256
9e75647a8e79327ca1dfc256c59043a98fe4d2f181ba868ad2bfb00dc419eaf4

SHA512
6f0a1e75ffcf1b6c4a552d428e97f59263376acbf1646659623cc33b78df5b01ed7477d5bd29904ba46fa7f64c4c7d87a0dafd1d10ebdd1e7565fc64a2871077

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads