hxxps://hr-notice-zzivm[.]formstack[.]com/forms/corporate_policy

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://hr-notice-zzivm.formstack.com/forms/corporate_policy

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2648 wrote to memory of 2156	2648	firefox.exe	83
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2328	2156	firefox.exe	84
PID 2156 wrote to memory of 2240	2156	firefox.exe	85
PID 2156 wrote to memory of 2240	2156	firefox.exe	85
PID 2156 wrote to memory of 2240	2156	firefox.exe	85
PID 2156 wrote to memory of 2240	2156	firefox.exe	85
PID 2156 wrote to memory of 2240	2156	firefox.exe	85
PID 2156 wrote to memory of 2240	2156	firefox.exe	85
PID 2156 wrote to memory of 2240	2156	firefox.exe	85
PID 2156 wrote to memory of 2240	2156	firefox.exe	85
PID 2156 wrote to memory of 2240	2156	firefox.exe	85
PID 2156 wrote to memory of 2240	2156	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://hr-notice-zzivm.formstack.com/forms/corporate_policy"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://hr-notice-zzivm.formstack.com/forms/corporate_policy
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.0.2119373702\525396654" -parentBuildID 20230214051806 -prefsHandle 1728 -prefMapHandle 1720 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0054cce9-703d-450f-aa02-4b725822a5f3} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 1820 2e34681be58 gpu
    3⤵
    PID:2328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.1.332162493\507963374" -parentBuildID 20230214051806 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f69f4208-39ec-45cb-8b44-e1b30446f976} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 2412 2e332586c58 socket
    3⤵
    PID:2240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.2.2084636445\1367600048" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9be06544-00ee-4799-a113-7de4f3498cf7} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 3100 2e349731958 tab
    3⤵
    PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.3.241053535\1038475609" -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 3320 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de2fe509-9d9b-4c55-907e-893f4c1a6f95} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 3520 2e34b3e6f58 tab
    3⤵
    PID:1276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.4.1987021790\1798899782" -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5164 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c072e6b-cf4d-4a64-bbed-08f69f53acdf} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 5180 2e34c8b1c58 tab
    3⤵
    PID:2204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.5.498056266\320620615" -childID 4 -isForBrowser -prefsHandle 5320 -prefMapHandle 5328 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {513b5259-d05c-4cb7-b768-16188e7c16e2} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 5312 2e34d01ca58 tab
    3⤵
    PID:1932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.6.656730425\1293052747" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5304 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83571ecb-f34c-4185-8a10-ecc2f8f6cd8a} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 5524 2e34d01cd58 tab
    3⤵
    PID:4952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.7.1128424507\639091440" -childID 6 -isForBrowser -prefsHandle 5956 -prefMapHandle 5984 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8538d91-2dc3-472a-941e-84a25f5cbf12} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 5916 2e34de31c58 tab
    3⤵
    PID:2844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.8.451677020\1688291126" -childID 7 -isForBrowser -prefsHandle 6164 -prefMapHandle 6168 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f611cfec-38f8-4250-8688-ff33887471e0} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 6248 2e34deaeb58 tab
    3⤵
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
68e972aa9ecbf6901227316c1adf769f

SHA1
33b63277f9c08405f8fe54b808dd553cd6cb0cb1

SHA256
2dec8cc22a9b1a406fbd0a87b40d69c7a0f2b36ecd7fc4e9a2980a8e6e6203c7

SHA512
d9ecdaf99f51dfc66e07bb7d292f22c143188bf305b46118656d91504f828ba21d0d186383a582dbab006c2a47486306d979deb83ede048013f57fae523a1782

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\4C931F78712F6ACB21574D56445C89BDDAF13E78

Filesize
16KB

MD5
08d9192cadd4e70487e3093c75093a05

SHA1
eb3df6168930fc793a679b4473cee7f8541bca15

SHA256
4e174d3c8085b430c55134da67ad15d101db48abf4717064947115b00e425ed6

SHA512
f74acdf467d8401b50b9d9ea122c20cacbaf89356b768fbabfa6b9de8822b7915fb9979d2b5fdda3d9e3a9f2b9c92ca571b03282c4e49d91a1833e85f02060a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
a797b9af4352f4ebd6e672f405870fca

SHA1
e3899adc088d4f80a7378e4721c5ecbc303b9aec

SHA256
2fb6e4f36f493eb943ac760966534bb99a1c196f0bba700cb0a4d7feeac37583

SHA512
018e89f732ca4ee90df6422becb7d8b3414aa7c4bf3a451a00290c9169bc019de4aa5772039a9ba52e43719fe604b978a4603f085fb76b75ce81c71f6665a5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\prefs-1.js

Filesize
6KB

MD5
3ebf0dd382a63f915d78ee0f16d98bf5

SHA1
c1ed868c44fe92f52c5ef75a26e15475eb6699a7

SHA256
ea45c44eab9cfbbeced5abd3f5d3cd6bf3eb4dd92188a8480c96c03dad56c67d

SHA512
ecc4e7610cf5709a11df09af3a06541e895a1689de6338094169e485822fd94736a7d34c40667c301edfe28bbe9353a310a7998288b34752f6d32568bfd239ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\prefs-1.js

Filesize
7KB

MD5
bf1137cc9d961487f727de1359935a69

SHA1
8f4bad1ebacb94ed2f97c634a584ec6917e0f24b

SHA256
a0b651bb96b92da550e111f664790c7a3b80c84f53892d1ac210eefe4994a0ea

SHA512
7c65f8a9c859431dddfeb274aedf3b7976963733f50cc1cd2c62ca900f11030b3ced562e6996572a6457b6100a5eb6e0b755815351a2b5e47c2555fc2195c593

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\prefs-1.js

Filesize
8KB

MD5
17075724a589c3f2e85e5eaf5cc6bfca

SHA1
8574853d63f144ec5ae7e7d60b30d94e5067de33

SHA256
52eb1533badff314b90ecc886f068d7b114320d0c1bd8aac62dedef09b09fa46

SHA512
5e90fbe878d31bca9ec3b1967d04f8687cd2ac9a99a9525e21181c03183d0d48ba8c722f7c726e8713e7977bdaca007107e360b20b0199822cff41e704c572e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\prefs.js

Filesize
6KB

MD5
a2796be4f80e010128fc0bd5cfcd8177

SHA1
c87c2834efa1c628a7ba59c7f43f12c53dfdb441

SHA256
bbfa4ef62666ce98407b3f4bba0bf9684dcf3470332135867d9dfd6de00de75e

SHA512
8c34fa2d33e6a154013e7e96db70a99c4541f613001e8f2af43c673752a7c91e5ce27187e2f0a4ac8e1e34d8c3811ac318ced3c4d67d84b181e74c7db5f931e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
7bbb5e20dfc777cbbdced40e1e61f92c

SHA1
56b03a202a10d12b4bcf44ed339c75e40ad98c8b

SHA256
936ba3314d6c525c215e03b563244306c757880b3208f3c53a5c56cb3a0720d5

SHA512
5b98e72108bd8d0e142bd9f15402849593809d1d7315ebd5078b843b47e67b3794dc5d3a0b78fda657938d19355e17b4a7f39fb0a159cd9ac803eca3a88456f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
8c259f4a9014550fc088307098b34c27

SHA1
1150cb6255cca2d4fc7ffe5886108d245e4292de

SHA256
e31714ae113f4bef0afc370f60aaa8061900ec859ee016abcf1446e64eaef063

SHA512
5df971dd2fd6a4d500616e721b209d03b6819b017a33d6e890b88d8b768d59500aace24be8362f53645167683e7963e6e2092e1f0793b57beda73591c22a0473

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
de74d86763fa3a25647119fca56a4465

SHA1
6080462caf9fac2a6a21c317048d1c4cea9b318b

SHA256
aa715c05702a9c989b7497b28e80f9c05e17175cb3502aa7d3583db1f90fdc5a

SHA512
772f1665c1ac612971a1781c2ba0260613ebba6b65ce5e87c02cd5e2a1553467b2c69658e5f2cd966ed3686b7ef5aaad14ff1dd35e4c35c575f7723957192804

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
3cfd8bc14c8ce3a4d92833dc1826fb34

SHA1
27ccf6f688c02da05cf93ad1c9bb6eeee34b3b06

SHA256
3890c01b6fde29ab434692dabdd0f66c0d382029b72c229d234455858cd490f7

SHA512
b3c2ea9f8c44dbf3fa27477d14cb52243e5ce302f97675734ee6a05e2865c7cc6f1b01266fb1e84a328413bd657b7fc4a45f670d1daa17e4de7b7c24b008b44c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
9348990a555c61b8ce0c03681ada64ec

SHA1
536d6227b1b75c3ef26820601b4b2437114fad82

SHA256
00196d7826743619c2faeb4c544f8bbb1080e6997dae2d66cef3119e5b73b9ba

SHA512
a1dc047ecdb8e36a651d240dd8ac9ea7cc3a280734d043b9ec61193e9c88fa878ebc1519df30be1a557ea78687fe4a6aa83a1d0b31b0dfb2afccc325c887cebe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
fde2fe846461353d07f733d23cd307e7

SHA1
c8a1e7e3375cf8cba6675f18b72b2821330dfcc9

SHA256
02758a94dcb57ca60dc8a74191155d3b4dddc33565b534f857b81f4376c4ae1e

SHA512
6172f37fcdb62cd7661171efb3d0602700304325baca9fa73e121dc2b8e68743ba58086c19562d4023cccb607a072c4e33d35413c1276592bc10045760c58cda

Download Submit