690c8a63769d444fad47b7ddecee7f24c9333aa735d0bd46587d0df5cf15cde5

Analysis

max time kernel
150s
max time network
157s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
20/02/2024, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MediaCreationTool22H2.exe
Size

18.6MB
MD5

aa2ad37bb74c05a49417e3d2f1bd89ce
SHA1

1bf5f814ffe801b4e6f118e829c0d2821d78a60a
SHA256

690c8a63769d444fad47b7ddecee7f24c9333aa735d0bd46587d0df5cf15cde5
SHA512

fab34ccbefbcdcec8f823840c16ae564812d0e063319c4eb4cc1112cf775b8764fea59d0bbafd4774d84b56e08c24056fa96f27425c4060e12eb547c2ae086cc
SSDEEP

196608:MmtHa+5hH1km/Sf7byFXKEBmih9S5rQ5FNFl001p4Ki:Y+5RB/SDbyFBH9eQD/l00/4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-455411700-4159991363-783884305-1000\Control Panel\International\Geo\Nation	SetupHost.Exe

Executes dropped EXE 2 IoCs

pid	Process
448	SetupHost.Exe
4212	DiagTrackRunner.exe

Loads dropped DLL 13 IoCs

pid	Process
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
4212	DiagTrackRunner.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	SetupHost.Exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	MediaCreationTool22H2.exe
File opened for modification	C:\Windows\Panther\DlTel.etl	SetupHost.Exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupHost.Exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DiagTrackRunner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DiagTrackRunner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-455411700-4159991363-783884305-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA	SetupHost.Exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe
448	SetupHost.Exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeBackupPrivilege	2964	MediaCreationTool22H2.exe
Token: SeRestorePrivilege	2964	MediaCreationTool22H2.exe
Token: SeBackupPrivilege	2964	MediaCreationTool22H2.exe
Token: SeRestorePrivilege	2964	MediaCreationTool22H2.exe
Token: SeBackupPrivilege	448	SetupHost.Exe
Token: SeRestorePrivilege	448	SetupHost.Exe
Token: SeBackupPrivilege	448	SetupHost.Exe
Token: SeRestorePrivilege	448	SetupHost.Exe
Token: SeDebugPrivilege	4212	DiagTrackRunner.exe
Token: SeDebugPrivilege	4212	DiagTrackRunner.exe
Token: SeDebugPrivilege	4212	DiagTrackRunner.exe
Token: SeDebugPrivilege	4212	DiagTrackRunner.exe
Token: SeBackupPrivilege	2964	MediaCreationTool22H2.exe
Token: SeRestorePrivilege	2964	MediaCreationTool22H2.exe
Token: SeDebugPrivilege	3224	firefox.exe
Token: SeDebugPrivilege	3224	firefox.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
448	SetupHost.Exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2964	MediaCreationTool22H2.exe
448	SetupHost.Exe
3224	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 448	2964	MediaCreationTool22H2.exe	74
PID 2964 wrote to memory of 448	2964	MediaCreationTool22H2.exe	74
PID 2964 wrote to memory of 448	2964	MediaCreationTool22H2.exe	74
PID 448 wrote to memory of 4212	448	SetupHost.Exe	79
PID 448 wrote to memory of 4212	448	SetupHost.Exe	79
PID 448 wrote to memory of 4212	448	SetupHost.Exe	79
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 1448 wrote to memory of 3224	1448	firefox.exe	83
PID 3224 wrote to memory of 4236	3224	firefox.exe	84
PID 3224 wrote to memory of 4236	3224	firefox.exe	84
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85
PID 3224 wrote to memory of 3568	3224	firefox.exe	85

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection	DiagTrackRunner.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MediaCreationTool22H2.exe
"C:\Users\Admin\AppData\Local\Temp\MediaCreationTool22H2.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964
- C:\$Windows.~WS\Sources\SetupHost.Exe
  "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Drops file in Windows directory
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\$Windows.~WS\Sources\DiagTrackRunner.exe
    C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4212

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2664

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.0.1886073129\1602978040" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b98a104-8ea2-45fa-98ea-950ae98b1777} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 1780 18e46fd7e58 gpu
    3⤵
    PID:4236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.1.784829209\2089381901" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2116 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68402c9e-2644-4151-be1d-43f2716ba9bb} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 2136 18e3bf72558 socket
    3⤵
    PID:3568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.2.684794443\1142235106" -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 2740 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba523c64-cdaf-4754-beda-fe0a539b2d95} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 2868 18e4b1a3858 tab
    3⤵
    PID:4864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.3.1853024606\1675404439" -childID 2 -isForBrowser -prefsHandle 3092 -prefMapHandle 3564 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {781ce3d8-9912-4f8d-bb22-23b3d7b1db06} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 3628 18e49869858 tab
    3⤵
    PID:2772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.4.1448811072\106775982" -childID 3 -isForBrowser -prefsHandle 4144 -prefMapHandle 4140 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {992d392e-cb01-4231-ac01-4d5f8db85076} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 4120 18e4c1b6b58 tab
    3⤵
    PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.7.189233118\73945077" -childID 6 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d24e0cf-a868-4955-9deb-e7f7f51b1caa} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 5060 18e4d76b558 tab
    3⤵
    PID:1020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.6.879390471\1681034359" -childID 5 -isForBrowser -prefsHandle 4804 -prefMapHandle 4872 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5926e8f8-3f09-41ed-96d0-5b616948dab3} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 4812 18e4b714658 tab
    3⤵
    PID:1932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.5.1597227617\871186125" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8053b0a0-0763-466e-953d-267022a7ea54} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 4840 18e3bf68a58 tab
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.8.354764411\6304979" -childID 7 -isForBrowser -prefsHandle 5644 -prefMapHandle 5628 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ba8060c-42e3-4902-b9b7-bc5e4b917daf} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 5504 18e4d5de258 tab
    3⤵
    PID:2800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.9.1169316804\358220150" -childID 8 -isForBrowser -prefsHandle 5952 -prefMapHandle 5948 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed7139a7-d7e9-4bb5-85e1-79fd25b1c555} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 5960 18e4f577358 tab
    3⤵
    PID:4428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.10.2003544096\302406892" -parentBuildID 20221007134813 -prefsHandle 6120 -prefMapHandle 6160 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a4a8735-4c47-470a-a83b-2caf02c144c2} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 5980 18e4f578e58 rdd
    3⤵
    PID:2860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.11.1489613719\1259968118" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5924 -prefMapHandle 6180 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52cacaf7-dee5-4edf-bdf8-f67e8d4fbaf5} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 6276 18e4f7fc958 utility
    3⤵
    PID:5124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.12.1955800527\1794135830" -childID 9 -isForBrowser -prefsHandle 4160 -prefMapHandle 4156 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aac399b-ba19-4f6f-832f-ddcc851bc8a2} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 6648 18e3bf71c58 tab
    3⤵
    PID:5468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.13.1674165923\100799913" -childID 10 -isForBrowser -prefsHandle 4856 -prefMapHandle 3124 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {334c32f1-f585-4ffd-bb41-0fa7a090ab82} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 4784 18e3bf2e758 tab
    3⤵
    PID:5700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.14.1004475952\1748375841" -childID 11 -isForBrowser -prefsHandle 5692 -prefMapHandle 5708 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9dd8ae7-fcc6-4754-b5af-822079bfc62f} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 5680 18e4c1b8358 tab
    3⤵
    PID:5976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Windows.~WS\Sources\DiagTrackRunner.exe

Filesize
77KB

MD5
76f30a1e149792d2542a253b920cbef6

SHA1
9040e0873df5cc2a64b850d1b8159b77528ba62c

SHA256
488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159

SHA512
ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84

Download Submit
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

Filesize
2.0MB

MD5
23747858cd299937cad2d9a9bf5e6b22

SHA1
646c75e4bfcd1472cd9378a7640d39ae84d4708e

SHA256
701437d40ba25472b1cf9ce37a41eecfe5f56fbc3a2c606a3043408845ad7fb5

SHA512
afcc2f544ac6a6ce04e0c35658dfdbdb5608a356184eb72c9078b553970c2c8d8514906ced547e2847c26a5bea1529bf64cde854c8c46371a99eeac611cd3d5c

Download Submit
C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl

Filesize
192KB

MD5
752a756a4a6714473e4b8362625b7298

SHA1
85023978ec9cb9d74ce90f686fbe10c9df448c52

SHA256
bae1d803959ba54d50780bfde6a90b8a95a1514fbcfeb5f781ba7ed03d18a54e

SHA512
6256086309b07899dff60637d2e4095b347b1beebf5ac6b72cf3c61cf12712f91fc52c085ed55e223d34e7bc897dd41359d739cc60370694685c14827551505b

Download Submit
C:\$Windows.~WS\Sources\SetupCore.dll

Filesize
2.1MB

MD5
55a4344e76136460be2c8547c38567b4

SHA1
83400b9a3bc4f1d935258a80b3e7636baaa618cb

SHA256
a9ac64ec515d04589dfc38b25d68d01f281bbb794d0df9ec4205fe473703aef5

SHA512
a8ad61caf69891ee31c48401ec87d3bb92db5e64c9fe878ee33e072fd6e5406db9a747485d1cf93f615072e6c565c36715700571dcd974c6eb7a76a7630d0f43

Download Submit
C:\$Windows.~WS\Sources\SetupHost.exe

Filesize
682KB

MD5
a5d94f9587f97e9c674447447721b77f

SHA1
1c130f95c82ab28a4a11a7ed41eb9ea9f613a339

SHA256
f33e7bce0ca712baac95557823096f929f78927e521c0448ed237f429141efd9

SHA512
e5e35480a489b0f63a2938a1c4ea19aca197a16020bb330662b62e98759fb5f7b6056416dc1d8894e433607c5b4fb3e7ae61f0d2fa3c7455dd000916ec3d5d62

Download Submit
C:\$Windows.~WS\Sources\SetupMgr.dll

Filesize
729KB

MD5
59d1a173f6b27a8a1cc367ca9ff6e560

SHA1
15b2c60011d97b99c4cd2eedb62ccab14d748df6

SHA256
45c2ee2387026a50f0c6b9c9119f39b6d2b6505312dbdf352399fd41e8deb78f

SHA512
a14d89fcf4964f7929936a16c0ef9d4896d14913b3e5bc050cd7044a1a0da50e58520de80a7966832f514365d031012d0e1829cd7b93d1b547812f8abbcf7557

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.dll

Filesize
3.1MB

MD5
3f42bc715fa1d2f3096ebee7cffe45bf

SHA1
c1e76ff63149ebe3d2c3e854c84e0ed0a335a281

SHA256
266774d442a4be2c619e9e30425f009992a541b762eb01f295d31554c305102c

SHA512
069ef6ef5683b979c4fcc771a661f50635911469aba32cde1008abfb49e1a633f2ab9be6326060b2a7e77b13bd8a8b9c2070955f11cd291bc98d4c3da38c8277

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.ini

Filesize
95B

MD5
c776e498a6f7a1fb27e5fc27fe388b74

SHA1
c3ce0f2cc7c378ba29f5f6f16d3e8c20ee0ef7cc

SHA256
ab33a7e5006b133c7dd1cb2b620ede7f3478b5bcefec9356e001d5e71fff0923

SHA512
430d86f12e8f39ab3259c1f49b8f3769b34298bdb1bd07e23e73037a2526dc4916bac52246ffd00042d98c3179959f34dc80efd69a7912af1833a99722574ceb

Download Submit
C:\$Windows.~WS\Sources\WDSCORE.dll

Filesize
196KB

MD5
07f3fac5518c90b22dfb9778ea280d0a

SHA1
6d20ff953a0c5aabc1970e80a5f96aedd830db9b

SHA256
65467bf1fbf10c2a399fe532b780f3604fda5b00db8319787cb6867bede4b90e

SHA512
f86447c3dd0ad11022b208ba04c7b62cddf57b1035f4b1e18aae3e6764b6dce53fbeaa68cb5ce3ab75ba08293474dc18e9a3f5ce6df43a01701abd9180e07ace

Download Submit
C:\$Windows.~WS\Sources\WDSUTIL.dll

Filesize
231KB

MD5
818e76521dad2369e8f713aecda42145

SHA1
df047d531b34433f5139beaa886af72136fd1537

SHA256
eab16299b69323fca094f2d214a5bc5fbf973040b7ccd187415edf985f46b21d

SHA512
2414e9db470251251796de54000dc4067697068f7fd38c6bf443b367c9ec8e05cb1d75455d6dbd8bd08419fe13cc99deccb44086cd32bd72ea76f743ef239d4b

Download Submit
C:\$Windows.~WS\Sources\products.cab

Filesize
43KB

MD5
52b7d0637974ed697dd8aa819ed3c8b0

SHA1
e81a7094362964e9ae69580b91a1e72207be667d

SHA256
7677dd6247c5768737b643911894374939aac5ae2dea158c272511fdd2ac52bf

SHA512
173a5893612a789f51ee9d914ae26e1faec557dcfab4ddb8aa8c8baa7690ca456af117e14e2b6d004c963573cb67a02f0e2760cc8c609287587dc335f9c4c1a8

Download Submit
C:\$Windows.~WS\Sources\products.xml

Filesize
2.7MB

MD5
f9c1df5c8718468b892af250f6d7b78e

SHA1
040da263bc223436f929dbc1f2ab88198e299610

SHA256
76fcc8eeacb7da966441a7e0ac8b79cc095f13682abb92ee5a614c52f72ce54c

SHA512
edeb708e50f815ef022bd9275255dd3644b07597e9a90736364fbb7206b77ba44953d61735def7e2653a12442fd623baff0630793b507eccf4508e772ba02a39

Download Submit
C:\$Windows.~WS\Sources\setupplatform.cfg

Filesize
10KB

MD5
033e7adc314c248cc29a9f14906c21e5

SHA1
6b31f8a23514b4e98217cd05be08e7967eca7048

SHA256
c40fddbb16853406d12d30e01e170de8474728bb8ec24794db721de0a7f67927

SHA512
46b46d548f5a2269e886a9f6873d97549eeb92c7294114c62baf7805ac423e4d3aa3a50cd7b3294be03e22c271f6bef1134adf797d9f838962ef5b42e8ecd19e

Download Submit
C:\$Windows.~WS\Sources\unbcl.dll

Filesize
816KB

MD5
5d52a4efac5b4b7530b388aeb6f9cb67

SHA1
4b5d32a6caecec6e261f5ba7bae392609a6a0f65

SHA256
137eca75b268556503e26cd5987dddac5eb0831ed4ce5ea3b0d34b5645a31abd

SHA512
f7f88c4229c97bf598f995cf31a8adff73089ef8d26143cc839a30d63221fb66b185e12ae20bc17f14712723bb20c34f6e546f6be961164deeae268703322756

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f91083cd23c0deb60a874b8bfd13ea1b

SHA1
d7be56f4c4ae7146a179cb1627922424abe6b9fa

SHA256
70852e6cee2681ff8b90add62e595c82935b779aabe04fa1ef13ba7d39ab91ff

SHA512
a9b40327836f601cfb16f8379b3df90bc0d28e4d0a243037ed7d47e27b698e58bce12f2228f0ffc97f3de893dfd6515693c4c13e1aa72c752b405c39ea491ba1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\datareporting\glean\pending_pings\15bd6103-7919-4edb-9040-73452744498c

Filesize
746B

MD5
28df90f461d568a5fc313f8a679c68ac

SHA1
d656c192f60b2ad3730e49e3c838c86489ca81d1

SHA256
0e694979123b5d68c02939e64a7aae6c7f7d79db5f071da3f65f18ed01ad9d6b

SHA512
037c204584e3263687d3cd3473fc5428ea42b213c786f747699188597c25d63591db9a152cd621a9d25f8192eab64e1b16025aca16d58218130e521a84c85b7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\datareporting\glean\pending_pings\60e76278-c70a-464e-bb1a-5fc2be1a222b

Filesize
11KB

MD5
5167809af2bcb4302ed77c4ab6e938e0

SHA1
caa9b258577b1e19f21813c3accc1e9dcdfbb574

SHA256
fa7550b6eaadbc867fb7d51df981f246bbe62e935c60fa0055fdb0ba881abc92

SHA512
352191db7287274bfcb3c88b07e9d05a9ba825a8c08402aa26ed89884298d03b80193fa1b663b0fc4245c54324092f682bb26eadda9321a0e9a1cb8611534299

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\prefs-1.js

Filesize
6KB

MD5
6badacb470fee7f79d5fccd7376f5333

SHA1
294214f1b771a561d260ad6ee423522c93ac70bd

SHA256
6cbb009a2259ca1e43a318e792776d1da4e06d7b6ba5571679383eac708e5e71

SHA512
d18f9a6605b663ccac807c7ccefafd14e95ea73d88fe13dbf90e840521c34d53a43b985dddedce2a0466e659c3fb3b0781894f12fa42fd46fcf9e8a3cf7c4329

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\prefs-1.js

Filesize
6KB

MD5
5c3b6ecaa0f786b0bf2c8ee4b338af5b

SHA1
2086a09b9bc28717b1f14124a6af9349aea8c24f

SHA256
2f7a250e02c2361ff931fa1bffcbaf07cfabb53c371a7e3e807b288c5f356e6d

SHA512
0fc1b82ba115a8c474386dc01565c6af7da0a60463425cc52d94b8be87367031e99574ba8058a2c7c23daacbe5b7120ac31466e6165a11c2f2daf9873571cffb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7fe021ed879e38ae388e1d773dc2e8bc

SHA1
c7f96cdc3dace0def01a9765b89e2561cf7f6080

SHA256
5a6c72b71e1e19d93e4bda646657265e10b1ade5170ba223354844d696111192

SHA512
8bbdb3f2dc0ada3175954bc4d1f79f5d1a6614d862d7bcd0e8b3ad373ba73ba8256ad268415b0db5bd5dd28ffe4a08f6ec5dadc6d71a3ca0d3a1682d673d178a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
b46d6e76f0334e744bb386f9f47a9a07

SHA1
b4f3d8f6bacd8aa7b763cb9910a5d3f6863624e4

SHA256
6b8600eb3213ee0b93112120f02867d45875fc0db39e596cc1b4850e050ff15a

SHA512
5cfa7c4a6d67c0c788f04c6cf0c170f3955846ae7d7aea5a1e64c812a8b14005bbcc2215d9867d9ff0c2a510d34063b18f6c120d153fe24f7614e0fb3ad28424

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
569ebe6b9138ccc23027eb2bd21af67a

SHA1
7b74043c46a3915f287cecb5e9800148877da779

SHA256
0b72e76ea54050883b5907dc72d75fc31ec3c63a968b8d953d8dafe361f80015

SHA512
301c4a274a476ad518e4ce5243ad9a4633337f2eefe1e43667cba5e9209941c7dcc6ab7bbb827a460d0419acd8c5ccba2596829c404f8d4c738173cd343fc21e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
e1eade1b6394d3bba1de52131f8d14ee

SHA1
65638e0b1a8f105c5f337f2f88b74fe8694769b9

SHA256
8f668c3ffd75dc217925e93e93be1db10df390189ec7f7a0ad686d7654a10619

SHA512
069878058e00b00fd436fc033b0db4e3b7dc50550344dabf87a509ba27bc740d62166d81e360865f4228a4808224fedfd1cc6ab39001e461ef1e006ae0423e35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\storage\default\https+++www.youtube.com\cache\morgue\7\{fb52be0d-aa83-4543-b4ee-d2afdacddd07}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hp78bw39.default-release\storage\default\https+++www.youtube.com\idb\2605521838yCt7-%iCt7-%rfe4sap5o.sqlite

Filesize
48KB

MD5
1a4b5782ef3aede272cce94a29ea2daf

SHA1
625d4830ada86118129d83cbccae5f8927829348

SHA256
143445eb05e4057ccfbd7cff5661f5dd5029995e46c23bf233e033a62d72aba7

SHA512
99e5cf4b17a85a788798262232fced455f881cc563ac10c8207800dfa3b4bee6bbcaf31846a2c63bdd8c8907d510671e31f841adb87297c63c2d34e682b605ed

Download Submit
\$Windows.~WS\Sources\DiagTrack.dll

Filesize
901KB

MD5
6c3f6a6bc5ede978e9dfe1acce386339

SHA1
3b7b51d762c593e92123f9365a896ed64ee26a7a

SHA256
b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c

SHA512
3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff

Download Submit
\$Windows.~WS\Sources\MediaSetupUIMgr.dll

Filesize
24KB

MD5
d7c228ed28ddfcb531534faa99d82c48

SHA1
ff11b141bd6520f42b7c00818bec24c96aa895ed

SHA256
353ebd0674c4a69fbd2a81bd72065f32320b7299450bcb107363fde553789644

SHA512
503c503e283c6cd64ea6f422aa841b48459ec1eca0b34c5a7446278e9540fb9680cec420b5195104b7617aa05f452eee30190ddbea999a820858ec3fdb8bb70e

Download Submit
\$Windows.~WS\Sources\WinDlp.dll

Filesize
1.1MB

MD5
6f12ba2d5cb564f73d9813d105e5c1fe

SHA1
b634e34149f99f4336efc0c5de5e850c61be48e1

SHA256
26b66b81267dfda7a78890f20a4ed0d104db1cd350d2d9f649fdb496b6c11333

SHA512
4462f38b0a4eca1d09eb747853cc15c804e2e42e91812604a0aef25de06d5fa5a5a4d79731aeb462f61ed46d63dd904d0a943919aabd5adb771f94c63e6a175a

Download Submit
\$Windows.~WS\Sources\setupplatform.dll

Filesize
6.9MB

MD5
0db2eb7b159d7289dfbdf3ca29d44704

SHA1
57a9aa7409a9040a701855bf610f68e5a9cfea24

SHA256
cbeec25c578f4e8eae81bb8829c3b7bc81648da6f63eeb4a606b9a66660d6d91

SHA512
8eada149f0c90df794d26efe8af2c90df1b8172b33ccc6639f3f1a18671aa34493a6d466b4bf2357075094bc13129e5001623b2388c39ed6fa4239b4e9ef6328

Download Submit
\$Windows.~WS\Sources\setupplatform.dll

Filesize
576KB

MD5
e61279836eff142a69e541ad42ab8931

SHA1
5705d6a73755683aad49e5252e366b72c58f3a45

SHA256
471ee70a6c56ed73d9373cd5d257e9f8fccf2c460a6dca3dac1fee5c05b6c73c

SHA512
de779968b710357ffcd7c004c470523f10728cc6dfc314fc1d6c4e146c5f29c366f0e3e3163a96a8d2d0b97fa14cc5da02d79f0a5a2fc2a9e95c54184b9c24ff

Download Submit
\$Windows.~WS\Sources\unbcl.dll

Filesize
241KB

MD5
867efc68bc5796e4f27764d8911ca50b

SHA1
bfeeea5a416ff0d251eedb2bfaaf9d5e9ad44053

SHA256
cc011ec47aa748a85db4677ba3b652c7135c6f4c38bb993ab74c2bea6c7a9e45

SHA512
b124b62df775189aa6414251c46157a45c7276423f7f1d94ba28e00a71ce018d66a6f0c0d48b39c55ed9b12009724f2d07688c78c35ccf2efca7d05b3d705afc

Download Submit