5cfc72e90d884f2902c17c860e3141dc4f33b5a18714f56a51b9df8198a60712

Analysis

max time kernel
1539s
max time network
1599s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
01-03-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

creal.pyc
Size

66KB
MD5

e5d7c4cb17ed6eef9ccf7ae6c18fb76a
SHA1

0af9cce533aafc9b7884852f5c7c96109a27d678
SHA256

7e396b4b77af751baf10f8bba0612d7c98ef5ecd4875503d0f40b488e35adab5
SHA512

3b05c4d3ebd24f152edefab31076ca08cd1a1bf0cb61af4c2e803bfefdcd2ae639b3bb692e9be4425d0688a27055b495acb85d2fe07c65abcacd723fb697d40a
SSDEEP

1536:gSFwCG9FRrr493Bunl08ZZHX8FQmGw9rQJG:gYwCermunRX8viG

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	firefox.exe
Token: SeDebugPrivilege	4916	firefox.exe
Token: SeDebugPrivilege	4916	firefox.exe
Token: SeDebugPrivilege	4916	firefox.exe
Token: SeDebugPrivilege	4916	firefox.exe
Token: SeDebugPrivilege	4916	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4448	AcroRd32.exe
4916	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4448	4988	OpenWith.exe	77
PID 4988 wrote to memory of 4448	4988	OpenWith.exe	77
PID 4988 wrote to memory of 4448	4988	OpenWith.exe	77
PID 4448 wrote to memory of 2004	4448	AcroRd32.exe	79
PID 4448 wrote to memory of 2004	4448	AcroRd32.exe	79
PID 4448 wrote to memory of 2004	4448	AcroRd32.exe	79
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4728	2004	RdrCEF.exe	80
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81
PID 2004 wrote to memory of 4624	2004	RdrCEF.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\creal.pyc
1⤵
- Modifies registry class
PID:5004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\creal.pyc"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B512FD4C52BFA8638C17C4FBA8D79D7F --mojo-platform-channel-handle=1608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4728
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FF8CA112C5C9E8BB2425E37ED63BFDB5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FF8CA112C5C9E8BB2425E37ED63BFDB5 --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4624
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=993B1ED0622C9527E30DA42B8662519B --mojo-platform-channel-handle=2204 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1952
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EC35E3BBE135C31E06A9A615D1BFCFFA --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2372
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ECD391D80601E0C6AAC66D7A43352731 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:220
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.0.377889043\1559169776" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07015be7-eb7e-41a2-bc75-4c0de46faf84} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 1796 196ea7d7458 gpu
    3⤵
    PID:2324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.1.2000206505\1463694185" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40998521-426c-497e-a0b4-e3181ab79254} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 2152 196df972558 socket
    3⤵
    PID:2040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.2.182383269\1832869108" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 3028 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d390048e-f674-48a0-ae8b-3710e42eff99} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 3016 196eecd7258 tab
    3⤵
    PID:2348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.3.57435269\1522705646" -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c4fa8e8-ae6e-4ca3-9941-0484a965343c} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 3548 196df969058 tab
    3⤵
    PID:4060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.4.138384928\358850326" -childID 3 -isForBrowser -prefsHandle 4184 -prefMapHandle 4180 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {628febe7-de0f-4e34-94c5-cae279a9e9c5} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 4188 196f0377458 tab
    3⤵
    PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.5.1878221084\975123009" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4948 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2c250df-af47-4761-86b8-c5540f819861} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 4916 196f0c22d58 tab
    3⤵
    PID:2072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.6.982471584\1040403465" -childID 5 -isForBrowser -prefsHandle 5080 -prefMapHandle 5084 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ace2b63e-92eb-4b9e-814e-867b42472bb7} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 5068 196f1062f58 tab
    3⤵
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.7.774222771\249125972" -childID 6 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ac28d9b-edd2-4f76-a635-12ef973ac5fd} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 5252 196f111f158 tab
    3⤵
    PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cswg9rdm.default-release\cache2\doomed\15673

Filesize
9KB

MD5
e5eaf68ed510a8b423ecc794e5c107a1

SHA1
a908cf310a370ede37d2f2a8758ca90b229dd3db

SHA256
7d973860157f8c34299e43ab235d398bf73a97d9d3a1f2d6f2b7ea7976fb52a3

SHA512
7fd7da9c0edeac538f18abbc4110e3ace3acd51c974f91be8032f08c11a6d1f4afc86c6d39e201ca33243f6aaaa4675da0fc83161cef37ba90646a8a9a726443

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cswg9rdm.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C

Filesize
13KB

MD5
2df2e1cf66b2b23cf1c57fda6b810176

SHA1
cc6a6d4f53a2358d801a7f3955803e80fb49b6d8

SHA256
1742de0cde962dce0e01b74fa082f12b2ec4ea57fb3d81bfecee08e532ea3b41

SHA512
771f8b3cb785fe6a11ea531ab2172aa5390e9d63300e2a6b5b8281ccad73a84a4365de404833bee1873e1d1da8a657c3014087df2c511172555b6e997c1b7f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
7622a37b3b862096e18656a099c80999

SHA1
26550ef7e5cfc8a38b94befa16fa992603012bb7

SHA256
db79740f9245a229c619a6e1b1bbc91c35d063cab0308996a8ce4401926bcf1a

SHA512
d75a130f8bec6d57ba6378ef8a641d4c637187799c4389b81d7e20606da7c8143b4f25ddff2287683c49a4ad355701b9d8ce27407c672aac499efee011041533

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\bookmarkbackups\bookmarks-2024-03-01_11_zny9BuTasRZZm6Iynynjqg==.jsonlz4

Filesize
948B

MD5
ae98d0b399a17fb6d21c01af1c6bc75d

SHA1
f7f13037e4ad2a13755e56b6f34f60a112ace201

SHA256
2e2cec97ad6991610cca2e9fac3aea166d9d7c490be0da762e88ab3348d6b72b

SHA512
5ed03252cb2b60fddae9c6cc79d30890dd13161514b92ec9130223883d03033bfdc98e7e9f0bd5dd2609a9c3d04cb62cf5b72ec58da39c0a0be4cf8ae6295841

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\broadcast-listeners.json

Filesize
216B

MD5
cbbee6148b3bc25903937323838dd0c1

SHA1
740eac86c0cbc1c961b61fd15a65b59bb24a837b

SHA256
08476c2346c91ef100201142b20b7a64082724157ce19f3ab9a2b92e15f24290

SHA512
875b405e6ee776e7b438f1ffa4ec83c6bae39c11ffcb862efcc98e5175b3528d76607ad457ab66979d54d8f588fa7369767a9d20bf73f82937ac5f53ddb680c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f573f1d9473182cd5dc57772d8414407

SHA1
547ce20f5632f57512490fcb40940fa06b8f9566

SHA256
dd82e443336f7294f12e91b3386a8e92fd61981bcb790844cc83eb03b7de87e3

SHA512
36ca5d4cf162bf081a570bf589aebf9551e1c7a090f6ccb9e00e89fd5b0570b3f0426658a87b8bbff557c729e2560e79f5f7d0c4bc22952026cc9403be77af0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\datareporting\glean\pending_pings\1f7238a9-4942-4106-812e-ffb6b4158736

Filesize
10KB

MD5
c8eddcb56e5ce04c79b0729b10ba4778

SHA1
6c4997ae6e6e2f3a10a097086e54952c2a840b55

SHA256
1316e0bba9662bfd818c996103da0a14bbca16fb298f5d6a6533d0d47e5b6b80

SHA512
0cfa033d0e91191b03dc54fa3ffaf8a98c829e929d556d6eff14a071e49e66fd27b576837ec712c37e65e8b0d72125cb5097df6c521fae293d704ad61a6f64ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\datareporting\glean\pending_pings\723c3c1e-6fe8-455b-81f3-bd6f557d2d1a

Filesize
746B

MD5
d0edda7ab995f1df4a53c16816905daf

SHA1
7fdaf69ceb736936ef57d5f713a9da8fa0822d0d

SHA256
059827bb3959c686b3e6f803d199d5ebc52e4494760d3b90a7514627dd7909b1

SHA512
13517ecd3c8a9ec297bbe705dd42a1ed6cb1db17466ed53fffdf47097241cb60bdcb2ff47c5e145c85a1976297e99830a0630ecba4eeda0a37a7db30fb248bbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\extensions.json.tmp

Filesize
34KB

MD5
f923fd164367cc2ac075db804ad12089

SHA1
c60825ac3635fc83858d081a7f5b2421d0f6ac77

SHA256
e898c4b0689858a48495228b78c08eeb42b0e391b2d05b5405cdeda80a6b900a

SHA512
a209fcc7a01bcb6dfaf8b1190cc39163c6fac43861ed187adff747e399f9f2e9cd9e74b8049726d38348ea7dd9713e2223539defb3df6ee2ef639c1c06cc67ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\prefs-1.js

Filesize
9KB

MD5
41a494a8353528f9fa460fc38bc99d78

SHA1
c3767514e046b3ef88453cd6398557f250f23eac

SHA256
92d8731f783b447f89a3e8f07bbbb17cb86e1aaa8325804075631acb4c638094

SHA512
80dd59775dae53b4fe7ccc398d5dbea91036dd157300605eb86bcc44cb7875c6d70024a2400321d5257837584cee79d61638cf94e93b4e7728498c4dfd906821

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\prefs-1.js

Filesize
9KB

MD5
507eddcb1c2a402d21c67ebd1f6ed9a0

SHA1
9c9f1157d5724e78ff853a8d352237f3dbd2f5f3

SHA256
6811e78c8d962275643c6ff6057af8e8eb8c6bdd817f5862f5baa6888fcac243

SHA512
6e761b82e379c860f5d599a424d3a5f05d7a6899ff02e0b384abfe2b82c00835c93e88e3a301502678377429a0e28086da7bb7ace9963468a07b933d2a2d5359

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\prefs-1.js

Filesize
9KB

MD5
c7a0da59ed3020d51ab032c5d6491bf0

SHA1
95d80d987e59da5049977e46af919541a571c345

SHA256
ae0238e3b75c3e2ae91dc0c21917485049252a5476ff8a211c5c19f6cc0676e4

SHA512
e21694c3d0fc11a26808b7de914afa0c9bb1447a866d17d4db0cac044d56a22697305cfced3bc3104bb89ef3ad1457ad2785080d035cf172958e89db3cbdcb16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\prefs-1.js

Filesize
7KB

MD5
af140b02ef98f02e220d4c1453a0e3cd

SHA1
fcdc634eb878fb670b40471c1ccd9e61b98ef9c7

SHA256
92e366f45a76a0f9a255cc60bac8407735b7cbf022bf146eba47f69fed99c51d

SHA512
2ded2038e28ba8cbe8be00c1d097d6306bfab41efebd28503a7485e32fe4339522cf7f49a6d747f6e29eee427a4be9ad6a763bcc86fb3aabd3d4f7233d0cae87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\prefs.js

Filesize
10KB

MD5
c92e156c8f29929c13e1297e3ffadc64

SHA1
c9f4424576965c1b4adabb9f4d37c9fb6b05549a

SHA256
86b3b62e9fecb074959f1a9668346f188431dd280d30e938fac722e6e445657c

SHA512
73e0fab0012b27c847be54b3e78f2732937d1096b5be22b6dfa6448d7346b0e3f501c8c615cf36a10f85f5687705d8e224da4704ebfb5fd0f1ecad11f1714b92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d8388d7d4469e906f8c9136a6e87f4ba

SHA1
e915b3ae56adb29a2eade37ff479c6cd4c6e2e7f

SHA256
ed75c93cbcc6a9ce34391f6fc5ab107c62b4ce43fc71ae7f26bd85cca5e880ed

SHA512
d9ad62d9e47cab82444b774a9360ee9d28bd165e6269c42c695b66dbb2382f8036f2992070250994f802a681c7b2a12a10903039a42501e9c8197c6eb2fb5e6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.8MB

MD5
6f6a29cae0472e8a0df5a53d1a388e8b

SHA1
5c22ddb620048beed13b64051b57cc18f1f66f2e

SHA256
a350eda77aa3ddeac9c57e55466200069918ba47d8f4382d300d742dcdb95a91

SHA512
2d04684b00c8a01e207096ec4c3437e3049fbe0e06af6205f5639e2ccbf4ff8cbe5128e99c026de8311c07735fba18112720a07630f35761eeec09d7344345f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\targeting.snapshot.json

Filesize
3KB

MD5
a582df41c5bd293c314cf8d869ebdff3

SHA1
ca4834f4e33a3cbf370943a35932059281b61e98

SHA256
9dc3d78fefaaeb4c8ef3ba58ce3079c9308d1e2046b285f7c93a1f78dc4e7a49

SHA512
c7906b31e2d4f1ed82e7a3d7efd259acc3b3249c6e28be5f92b7a4fa310a1a1e7a9ec032d8fc2174718359b39295d50a0e80c1385777d0e576493cf19c0abd4a

Download Submit