d506190cfb232589ed9ee89299341cccd39730d082924edf8624324816b053ee

Analysis

max time kernel
332s
max time network
341s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-03-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MultiSoft
Size

241KB
MD5

d40dc7d242d05bd7dcb02f7ccd472fbf
SHA1

81ed530b218794cf1ad8cd02109d28cf0eba743a
SHA256

d506190cfb232589ed9ee89299341cccd39730d082924edf8624324816b053ee
SHA512

a839547044dc05432b65fe45fe7df7c40853be3b1385e763a10ad31d8a9bc601d37ad31e753a3baad6e2153d7b403d563fd2e17de506792c2869872e833bf361
SSDEEP

6144:VDuqJvfWKVSgE29xxspm0n1vuz3L9UvZJT3CqbMrhryfQNRPaCieMjAkvCJv1Vi5:NfWKVSgE29xxspm0n1vuz3L9UvZJT3Cc

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
59	camo.githubusercontent.com
63	camo.githubusercontent.com

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	firefox.exe
Token: SeDebugPrivilege	644	firefox.exe
Token: SeDebugPrivilege	644	firefox.exe
Token: SeDebugPrivilege	644	firefox.exe
Token: SeDebugPrivilege	644	firefox.exe
Token: SeDebugPrivilege	644	firefox.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe
644	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 2984 wrote to memory of 644	2984	firefox.exe	84
PID 644 wrote to memory of 4480	644	firefox.exe	85
PID 644 wrote to memory of 4480	644	firefox.exe	85
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3268	644	firefox.exe	86
PID 644 wrote to memory of 3352	644	firefox.exe	87
PID 644 wrote to memory of 3352	644	firefox.exe	87
PID 644 wrote to memory of 3352	644	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MultiSoft
1⤵
PID:4876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.0.54694520\666806762" -parentBuildID 20221007134813 -prefsHandle 1796 -prefMapHandle 1788 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a9bacd8-7f01-48aa-83e3-072a9ed3cf75} 644 "\\.\pipe\gecko-crash-server-pipe.644" 1888 1e8613fa458 gpu
    3⤵
    PID:4480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.1.297405664\279178282" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2240 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f7e2166-2e98-47d7-b286-61c9c09e8080} 644 "\\.\pipe\gecko-crash-server-pipe.644" 2264 1e860e38a58 socket
    3⤵
    PID:3268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.2.262030286\164602922" -childID 1 -isForBrowser -prefsHandle 1656 -prefMapHandle 2876 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fef7896-e340-478e-af4e-166a2074e510} 644 "\\.\pipe\gecko-crash-server-pipe.644" 2992 1e8666a0158 tab
    3⤵
    PID:3352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.3.328704663\1245457533" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fe04510-856d-4224-b8f5-5d47b6bbb461} 644 "\\.\pipe\gecko-crash-server-pipe.644" 3448 1e855362858 tab
    3⤵
    PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.4.153050393\936398634" -childID 3 -isForBrowser -prefsHandle 4460 -prefMapHandle 4456 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {972b001d-74f9-47eb-a688-d5fa8ed7d966} 644 "\\.\pipe\gecko-crash-server-pipe.644" 4472 1e8681d5058 tab
    3⤵
    PID:1808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.5.1958504476\747591123" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5092 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c144220-3b49-48e4-b8fc-f945fb41344d} 644 "\\.\pipe\gecko-crash-server-pipe.644" 5116 1e867ac3558 tab
    3⤵
    PID:3568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.6.1310711596\1643177639" -childID 5 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5500c612-ec09-4fc8-b68f-451720632cee} 644 "\\.\pipe\gecko-crash-server-pipe.644" 5244 1e8689f4558 tab
    3⤵
    PID:792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.7.801411549\1365021429" -childID 6 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b724cd7c-5ef2-4a4c-b8fd-7e755e73e0bc} 644 "\\.\pipe\gecko-crash-server-pipe.644" 5432 1e8689f7e58 tab
    3⤵
    PID:1348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.8.1659988115\876227449" -childID 7 -isForBrowser -prefsHandle 5820 -prefMapHandle 5792 -prefsLen 26548 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fdb2f11-8868-4620-a366-adfe38f4fd37} 644 "\\.\pipe\gecko-crash-server-pipe.644" 5832 1e86a0e5f58 tab
    3⤵
    PID:3360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.9.1682245185\772573910" -childID 8 -isForBrowser -prefsHandle 5132 -prefMapHandle 5148 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4f9704d-7d07-4a43-9798-45dc8c1738a8} 644 "\\.\pipe\gecko-crash-server-pipe.644" 6132 1e867ac3558 tab
    3⤵
    PID:756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.10.778964109\650345990" -childID 9 -isForBrowser -prefsHandle 6328 -prefMapHandle 6312 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf1dd839-7575-4ee8-9a2c-d803c97e8f9a} 644 "\\.\pipe\gecko-crash-server-pipe.644" 6288 1e86a057e58 tab
    3⤵
    PID:1420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.11.342909410\1196173949" -childID 10 -isForBrowser -prefsHandle 5264 -prefMapHandle 6284 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a6bcdfc-4034-4e25-b142-4bae966e7747} 644 "\\.\pipe\gecko-crash-server-pipe.644" 5316 1e86a0e3558 tab
    3⤵
    PID:3056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.12.1980859992\1852710377" -childID 11 -isForBrowser -prefsHandle 5316 -prefMapHandle 6484 -prefsLen 26828 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0047269c-fe48-4c58-a171-39af5b93f180} 644 "\\.\pipe\gecko-crash-server-pipe.644" 6012 1e869834b58 tab
    3⤵
    PID:3756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.13.323305025\1728370699" -childID 12 -isForBrowser -prefsHandle 10520 -prefMapHandle 10548 -prefsLen 26828 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26ce9869-79d3-40e0-a380-cdf04c4cb052} 644 "\\.\pipe\gecko-crash-server-pipe.644" 10700 1e86c373b58 tab
    3⤵
    PID:3928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.14.1923219965\367383174" -childID 13 -isForBrowser -prefsHandle 10676 -prefMapHandle 10584 -prefsLen 26828 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {833bbe69-7c14-4a1e-b21c-fd20f3765eb3} 644 "\\.\pipe\gecko-crash-server-pipe.644" 10552 1e86ccb5358 tab
    3⤵
    PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.15.1035895391\1079361176" -childID 14 -isForBrowser -prefsHandle 10164 -prefMapHandle 10160 -prefsLen 26828 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5cde7ac-2ae4-4aee-8741-f74be9e94635} 644 "\\.\pipe\gecko-crash-server-pipe.644" 10176 1e86ccf9558 tab
    3⤵
    PID:5324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.16.1674863536\567854865" -childID 15 -isForBrowser -prefsHandle 9948 -prefMapHandle 9944 -prefsLen 26828 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b83c1caf-1b0d-4d60-9ca0-c8c48759be09} 644 "\\.\pipe\gecko-crash-server-pipe.644" 10036 1e86cfde558 tab
    3⤵
    PID:5464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.17.1309893785\1050493169" -childID 16 -isForBrowser -prefsHandle 9688 -prefMapHandle 9684 -prefsLen 26828 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a76c46c-5ec6-485f-a8d0-f88d7a426e50} 644 "\\.\pipe\gecko-crash-server-pipe.644" 9700 1e86cfdee58 tab
    3⤵
    PID:5528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.18.536374410\159357280" -childID 17 -isForBrowser -prefsHandle 9624 -prefMapHandle 9620 -prefsLen 26828 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe9038e0-8941-4d89-a8b4-a515b3a80fd0} 644 "\\.\pipe\gecko-crash-server-pipe.644" 9632 1e86cfdf458 tab
    3⤵
    PID:5536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.19.1925672736\1552192653" -childID 18 -isForBrowser -prefsHandle 9116 -prefMapHandle 9112 -prefsLen 26828 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5207076d-f344-487f-99ae-fcdca4828e4c} 644 "\\.\pipe\gecko-crash-server-pipe.644" 9124 1e86cee5558 tab
    3⤵
    PID:5916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.20.119060284\925475044" -childID 19 -isForBrowser -prefsHandle 9652 -prefMapHandle 9072 -prefsLen 26828 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f50736d8-16ea-4d13-8cc0-696ba1acf49e} 644 "\\.\pipe\gecko-crash-server-pipe.644" 9132 1e86b935b58 tab
    3⤵
    PID:5280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.21.1546414058\145128646" -childID 20 -isForBrowser -prefsHandle 8952 -prefMapHandle 8948 -prefsLen 26828 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f06a044c-cd45-49ec-af29-a4494422036b} 644 "\\.\pipe\gecko-crash-server-pipe.644" 8964 1e86c7c2a58 tab
    3⤵
    PID:5296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.22.1253110804\1514420149" -childID 21 -isForBrowser -prefsHandle 4236 -prefMapHandle 10224 -prefsLen 26837 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {974ddf21-e479-4f78-92bc-f7770cfcf69c} 644 "\\.\pipe\gecko-crash-server-pipe.644" 10620 1e85536f858 tab
    3⤵
    PID:5600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\obahtjhr.default-release\cache2\doomed\14382

Filesize
23KB

MD5
95fc9cac16167dff75905e70ce4c7e3f

SHA1
e6eb8eb595b2b9818a25d2d4370f162377ba8685

SHA256
7ffdb278a5473ee8f150fc9ca246b65562e835bec829af3a32b1ce362e9d9da4

SHA512
2b7a434ed269432de88881f1d61cbae5cd0d5adde0b02f79826490bcd250f6864a2f8617a9c310c401491a32bbd8e1d5fcfdf958e16575dfcd021b00e3b1b9bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\obahtjhr.default-release\cache2\entries\45514F58EE166DE19E4DE720A21DDF1DA12F6C6C

Filesize
203KB

MD5
57705ce229ce4801aa817d59d3408b47

SHA1
1df5f6cc296f961e8785574d6bf751d147756f86

SHA256
43531332df3af62e641b91a579bd20e3b0ab19e6c02fe4412d7d0a3c0bb494ed

SHA512
c12d40fbe53c4d99e3dcdf440d236c94139a8ad239ecfd375d82d447dcaf4f14c27b6b0ba8c8b8024b8c4a0f0421290348ce1b42d1dfce2178e63a9597233c82

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\obahtjhr.default-release\cache2\entries\4E0C28FF25B34AA6D81276C14EFAA147A7403E02

Filesize
57KB

MD5
2b2fa270fe785162b090da1b444dd781

SHA1
0ca60c8cb23176c117efb7fe2c3ae64f93cd7b6b

SHA256
232f52487fbcf27b164d5b5e02f535f8ed71480d2a6de538b0257f5cae07102b

SHA512
e0eaf69ee9c4d28c6c01f8f77c3d8df695b946e71d8cebff9fae1328f751f0a972c7669f59c788dd65783cb77e653f4958b17ce61543c466badcc6c3a2ef6006

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\obahtjhr.default-release\cache2\entries\564B712143D080F7444181C4847758A00C626393

Filesize
41KB

MD5
38eee7cbeb88208c8cc7954f261c0303

SHA1
8819e96d2d861dc88a77a75c727ef174d26a3156

SHA256
8f727ad9580992f5724cbe011e27e53c98b138d2d13144c699867746ad4e973a

SHA512
459567244b6ca0fb6a823b984616073299b3b50869fd521cd387db6f3115d580f8345d64b4cb71e823b3f0bafceec52b7253afa642587dc1d2e9d930f94b7707

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\obahtjhr.default-release\cache2\entries\677B80A25A006EDCC273545819E7C8B9A97E5201

Filesize
41KB

MD5
b469f062d947f71a83333b549eb83c98

SHA1
ce630c3bce4da18a862629ea41f9b678a7e77e14

SHA256
b41509682e2a60bc2e41826e77827c9c194504a87f1fed8153a8cf9f864ba235

SHA512
b772feb5ca27a1fc70634df9ecc4e7bd97192adad6f54ecf985bcf3045694cd691e234b32b589d55eb88ab77ca545a2182c5c5b816c0e585cef66bdcfbecff20

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\obahtjhr.default-release\cache2\entries\B593400C004AF31BFEA6FFE327487132E8085C28

Filesize
22KB

MD5
8da3b3478b7d523f82bd7d7df0a09c7d

SHA1
402f53a590c271afd77bda362e1afe3d759bfa00

SHA256
3085321e64fa9513b2b4ba0724242d4e6c5139de28497643fbc49de4940bc2e0

SHA512
561208c196570898a4be55779b6f7adcee31e6d250ac3ab7a5abc46feb820f3f6b1a380b446f735fe5234f7d3b5ffea61409bc7128b8d6c2cf2203f4147e32cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\obahtjhr.default-release\cache2\entries\DEA90BDA59571768FD3B98EF498B9B95BE03448A

Filesize
33KB

MD5
c7a2ba19cf8382773767e00c4a9a7b49

SHA1
e0373f57b5eccf6b8905a531b6a70bcdeb73baca

SHA256
efe38c95a59a86b072595ab2794b18da0dbfa753f58f66e23d26d17195208143

SHA512
aac0ff1115de322736c6ad6e2353361ba7d70d232b0abf3ac8a7ebbaa7f7e3c301db7a038b47da056e8a15107994c0b428657d6a290dc096a4e25ff9b9239a74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
21416f88519e117e799d0c1770fdb81d

SHA1
5dba6c7a1cc80acb1dc4495171b64fcad47ac634

SHA256
7278f65ce5a367c119781a1dc8c3fe1cb6c757e734795f7e594e95fa9661356d

SHA512
1f5f309ec500fd61e481965ab39c80386e1951bc10e299ee597a6a917ac15e2b940834b6cc0489024eb5b80fc2389735c90eb4e4509ea9cb8fb8a9f96318718b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
16KB

MD5
22037d37a8f31ba838c5dac579e7598f

SHA1
8bd2a6b6690abf9b672a27ad49b44dc89f4bab06

SHA256
09364e897c0570365ea0e95c303f2fac84f57820e2d958b151faa66d3f767be4

SHA512
e838b3e2b6fd74803a9e13d07a3ca67f41af060924f0395bab8c824a752b3698e36166ab7a4936c98142100334216e4e7d884c172dd86940443fe17f534dd37c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
4d694d783d04020af45a4a07b6722101

SHA1
e50aa2ac57b8a729e56c8c3644cd687dd4449173

SHA256
debe406979aabdfe6394241b6006e81cf41797e6d22c36f53dad327578d8469a

SHA512
19b3b561ea6da03976c125c25ffef8220e83c4b34d8bbb7d5816c217c5f11812f3d58e71a27bafd7b7a13aee7e584ab7a7e27f954efd18215fc2697ea6541c93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\datareporting\glean\pending_pings\7b860940-19ae-42c4-ad2e-59c086a339c6

Filesize
1KB

MD5
a19dbef053082c85a7bd79535d9b2cd6

SHA1
6fbce57976cafc8a4f7c7b9a9a5d2772bf4dd723

SHA256
159da809a89c6b926ebe1e35af8b4f2f10e5ecd23f4235e5c3dbac25e35e7dac

SHA512
e52a5cfd1966db9962fd6cb518f70ed15e5fcc7827e43bd10fe067d0f36ff30322c4790a09710b2fa051de0bb55701180956ae2d59c660a03674c7acd633dd65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\datareporting\glean\pending_pings\8e722e9b-6423-403b-870b-70db9ef90500

Filesize
9KB

MD5
5032c79e587303c0dd07fe2b1e046aa0

SHA1
fe41a27e26804ef06cf9f78f46d74a31b2b4c0ef

SHA256
cc2d9d4f03f715aff7d0e849b506f793e0aaeb3310c33d938e76d0a3e0dd23c9

SHA512
e4ceef106c96ceae6c7e4f815d07594a198f6ffb65769b4798381c4e60ba4de0373d221fe18baa5d1141caaccd7dd87156ed51e4d1a6138e3d9f725e7722ac47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\datareporting\glean\pending_pings\ecb2b5bf-8354-42bf-8d45-2c24d4dbbbb5

Filesize
856B

MD5
2993199c149cfe7cae43e298af64838e

SHA1
59d41a01e79103225c7acf6f396b860a36883364

SHA256
cfdb0d09cf1e77a74c53a4bd78949c536a546221fdc3b40e7edb716d0c581581

SHA512
4d446d27a3d024d0cfac427474cb833d04aa3876809134288412bed51077c819572b712e0896c36240dec12c1b0b43a385ffa1e1116d1e34a07e5d5f69c8ae53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\datareporting\glean\pending_pings\f5e81e6c-099e-4104-bfaf-ab27751c1d3b

Filesize
746B

MD5
b36e6ea45bbed015aab62c1ec5c6470b

SHA1
bdf7410fab10cd9bfabed81fb485f8278261ce16

SHA256
d01576a4a214636675753892cead5580dc780b5523e4ca04aa1efd65c42657ba

SHA512
cd4dacddee05e183e5bebd481a044c66aced742364f3cd408f057751a6d894c5de31f39c84589eb71babe76ef201e08d1d96279003e203107a25727eff8421ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs-1.js

Filesize
6KB

MD5
70b4db7c6c0cde84693b78c75d84e9f2

SHA1
99461d96653ce66bcac74f1c385d9cdab4081f2a

SHA256
24eef8bd2f59d2096e47672f9bcfdc9a1182d96631fbe2b0c3d665e9df087553

SHA512
32c8fa0ab7de865390dbdda35f319840df5c59d0bafa12d41f1a7df13bed530977ac56b8dd6e2a3cc159824f33eb29e27580659159e0c3be5f9b209875de3815

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs-1.js

Filesize
6KB

MD5
ea1548b824bdbfb86dcf5d6d875d381d

SHA1
674416fa9b7ce4aea055e5c1d1c1995b366099dc

SHA256
72caf71b518682533607d104930dcbf2b2d3e46c0a585bc9288003f5c1fbb8e0

SHA512
d7cc82c6b82f3a81e2e46095044445595246474976c58f89e733a898b02ae5f422b4d02668badcea593780b7ff2f9cc55a789185e1df2133f7849b692b962784

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs.js

Filesize
6KB

MD5
2688e68a7586f8d92c6d4831e655864a

SHA1
f8062d4533aa1d3a055c9a9f486c587561544e30

SHA256
302777515138e576224360cb12efa7c36f838b96dfecbd6f99a5e6561843f80e

SHA512
067857b8ea159274a47fe8eca4d0ccdaf167e34d8cec26dc53a4ecfb82cd28fa412cc0f948fee1a892b0afb2f83c4cd2f3cc21f70c350326d34ef992d947bfe9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs.js

Filesize
6KB

MD5
c567a1b06d238eb3b9f0facf9de53a08

SHA1
4c927d0c2183ce78f902c1416aff68cd97677218

SHA256
a53e47b13aa1135fec0782c17c9a91f188991d03b85e469c6c9e39b4d2ea1dc0

SHA512
40211e5b5ce13a2f3e0bf064ace4e4470fcf9a8735991e26d0e1b316a87569e5cb5fd5b5cd848dde770c162de36bf5684c01392a78ac1edfee9745fd833a4a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs.js

Filesize
6KB

MD5
f7ba5ee5c0a4e91bba7ea6b30caff6c8

SHA1
11d6d3ab59ae59294761e51f5f41305ae33f368e

SHA256
f89cd12b7c53ee0043aa39ba006b3188f585a4ee37c92985ee87432c66b521c0

SHA512
5b73e5b1d7342bc3ef7ebedca4a7600e37c3c7bb0c7d33decacd10e9b4a00a5ed1d5d887e5949f6ee172ba03e2eb15a10d554650f65a325ba186cafc21785de5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
cf335b75bf9b7acba97d59722d0f8346

SHA1
0b92f901271cd89b9f83a1c909b2079fc63bb3c9

SHA256
1c104f940b1843cb93a8d996928c9989b04ea46296511fde019dfc0e374700aa

SHA512
0ffb99d962f138dde229a528602834fedeee6a122f97325546d8a2d8992b959abab8d974d22f46b0e9edeef46975a130f4f3d1f951203a47c4e50eee7fea1136

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
5f714801465c2165a3d312060939c4c3

SHA1
b79b78ca2bdad951aa2145eca19c661a5638e5da

SHA256
bc83bc8d24b892dbf91274f94a8a147d682090d34e54f9f4bc773d15d61c93b8

SHA512
ad0c5334fba898cec82895c3f855f4a8fd01bfd0fd38608d91675eda6da3f3c06e29365e1c39efb4bf3236683b9af84ca3a086ae03eb434c744f34c702d3567d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
93d56cda09cec78cf81d173170ed085e

SHA1
73de6f3f7a59784ee0629bf45f508b0f377b1d26

SHA256
1b5ec9aa10e30cd329362132b2b8f73c9a42c333f75907ceb5c550720fdda210

SHA512
dd54dcb1dbacc23b95dcdec75a9e63595f4befaa6f49fa8516b25e019b0fb3342a4ef7a3d8a6715593ae76797fd7254962b303231eb7a729bf6b4539e6608cb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
6aac6c0ad8d2dacbc09fc0289891d56c

SHA1
82c02178b31e6ecff72a3877681472b08708f631

SHA256
3825070452b444e5d0cd395ab86c49e60a065ad57321a33a561c7e33a41256c5

SHA512
95b49e1c5ceb3e3785ca22520d620a64962905e92ec90b61a7bcecf77328dc6c3eba2f3d3e92e5637ab63df2c693511df5bf933457e487a2150ffe8fa3988181

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
f665de540d38fec0a921df0a1af32dc1

SHA1
0986ec3e9a753cad73fa8a4ef6701903237b5f8a

SHA256
01751e566af8baec2b1d8ff6e8817f2a088d6fa676fba9d29c65b6e249793ebc

SHA512
bcb6ab0250a8b9f8f795754817ffaed4104342976744776266860123f256da20433777146936902190056a9e7514d72b7359d5fe6c39e173418ba98a96e2293a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
ece0ada11b1c10a391603122b2dc057f

SHA1
7a7bb742b6b81ea85fc23ab213469fe919eed871

SHA256
31c607de40f95dbc56cf81e27eb909d3cc7178ab8afe02d4d485ab11f80c1cc9

SHA512
6e8077b22d42ab635f25c4015af40298330c257e723522d84b5d1d16de2d89519f328090f0c7f3a411684e5f62eb223de001d290b0f7a8feb1fec2632debae85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
da57c906e71ed1a5da15a7b5a082a215

SHA1
81abfe0a104328b6705d1df615e47e8b1bc6e708

SHA256
5bc3599e31a0959d3cc52290f094bb551f535b90247b1b935da1a2c045c58bac

SHA512
5895f6c7908f860bc857dd1d349fe91d94db93dfebc7b241a1c6cd6e1d7d37a6c564f4c4a8634f119bca3dbd3f941939b3b84f76b2222668d54e55e6e5ff64ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
5a26473aba5c728293b412e10456c539

SHA1
9b52c0f342a3dba73f7907b8a89a842b8b33b2a7

SHA256
4a4f936d48cf2c71b0b2fa1d6bce02f750d3c25cd8df174f896d924706862720

SHA512
0f8cd5c97656fedfb2ab038bb4bace8152baef6fb3d7009d35dcf165f17545371aeb0613c442ee577fbc25275ae34ff3b239f81e26983ea5fa69ab87b8f89284

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
a120d7a09b952471c64107e2dfd745a0

SHA1
1fe362a4401822cf411a618a2a46a02412c576b3

SHA256
5556afba17e5041383a003e520709d345f177be7b36c519becbb124b7bac918c

SHA512
509f4cd738383ab15c03f202696eda190cf576f86acd582034086ab5a0b4df45ee4685576bb7eef6826fc166f0b06a4eceb87a98e87f3fb5e1dd24c4db73c989

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
1865cb9ec538557900f73c5268e98c88

SHA1
e6980ba844f6f111c860e5513abff281737927de

SHA256
3fe596294a366a03df5e25d3f44363d4559d57660fb7ea3ca3ce374ee1685406

SHA512
98fb81506024f47c5ce9db2531453a82767a29214f664f9016ec5901a1824f0c5c5845ebca0e6d14af7a89775851430f33ef5039d6d7aeaaaa6ffb19f4983176

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
ad17c99508571a825bfc4872b7f0abba

SHA1
e4d5bcb9f5710f1fa7c49c05087487dd15e024a5

SHA256
3425a2d1f9ca68f9608fc910439406cd495d5f537d30f395cd417b0fa8ad3a27

SHA512
e24dd48678f88e051b5c6ec5a10015297ee02f420cc041027fbd83300e86a9d0bd7a11a97f6bda8547a7c66524078e887a73b1aede3e04faf7b96966edad40e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e237cd72070dea216848e9491269d39f

SHA1
b8e8460a5b91ec6617ec6182eaf1a2cb0ea2f43b

SHA256
c716a316418f5203c85933d7150459406015ff627bd783e167e0e0b8170d3eaf

SHA512
e8ad470fe60201375e9b21579d80bf6d4e2473ec9e5fd38201d56b0e2230661e909cccaaf4e23ac744c1a2a1ecc00b24d3a6e3e52371203750bcd8b1883897db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
be522250a2e18a3585b4d2e9a4cd8cab

SHA1
4970de29669ca62ff77027c9e4e03e077c796698

SHA256
32e4c62a20bdece40215ef29cb7eda78562514545dedb11bcdb2b91adfc0d79e

SHA512
e61a223f3dd72261cc0a6340e9e08c6811f992e102bcd77df2f23ff058029a245694ddd3f7a920a54bd26147d71af0f9ea845f5651ea6f9f52a6c91c18f8cf00

Download Submit