460e89b89994f0279284eb1ddb2badf66a7d05abcfe13cf1f2674deb3f08dfa6

Analysis

max time kernel
13s
max time network
43s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
01/07/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

niplnk.rar
Size

30.2MB
MD5

6d0dd8a949147d97b2204c8bac2110ca
SHA1

734eee92faec856a56f7e9f3c5add0019770be54
SHA256

da2dff46917501495e53a05ece965a25d2e4b70d120346caec19a7789a1e196f
SHA512

ee82c006e92f717a4d014bf9c559f51c41e5f471634f56a3e943c5c5b427739e2d4966bfeb718367bb6928ca2fc4c4b0af661b11423dd983cae63c49a9828374
SSDEEP

786432:VTe/Wuc3sXxDLjPnF6JvZm9HQ9p2IkkTTsBAnz5uhaJP/1Jo25:kxcCDl+vZv9YBkToy1uhaF/jo25

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4468	OpenWith.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
5072	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 1476	4468	OpenWith.exe	73
PID 4468 wrote to memory of 1476	4468	OpenWith.exe	73
PID 4468 wrote to memory of 1476	4468	OpenWith.exe	73
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 1224 wrote to memory of 5072	1224	firefox.exe	76
PID 5072 wrote to memory of 3116	5072	firefox.exe	77
PID 5072 wrote to memory of 3116	5072	firefox.exe	77
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78
PID 5072 wrote to memory of 4828	5072	firefox.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\niplnk.rar
1⤵
- Modifies registry class
PID:1448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\niplnk.rar"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:1476
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:4852
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06DD62AF68E07EC9A64225A68C5A28DC --mojo-platform-channel-handle=1592 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:444
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C9F8EABDC2C783E3F0C7A89220E7D607 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C9F8EABDC2C783E3F0C7A89220E7D607 --renderer-client-id=2 --mojo-platform-channel-handle=1584 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4152
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7AEC8550EFCAC4BC0E60B3AE791780E2 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:360
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F5C34F57B37F8628EB568D965B1FB25A --mojo-platform-channel-handle=1780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3752
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7FDEA770AB5A45A532471D320AC01ECE --mojo-platform-channel-handle=1888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5072.0.614225299\1721377794" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1656 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16f1bef3-018a-40fc-86be-01a10788415c} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" 1764 17df0cd4558 gpu
    3⤵
    PID:3116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5072.1.1784644653\45710447" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20926 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43639763-bf4e-4a0d-9a46-f5ee84cc7bc5} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" 2120 17df0830e58 socket
    3⤵
    PID:4828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5072.2.1763989353\1895582411" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2848 -prefsLen 20964 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5cb5cc6-8319-444c-bfcd-346c1cbc989f} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" 2764 17df4fa3a58 tab
    3⤵
    PID:2400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5072.3.1370489713\707623605" -childID 2 -isForBrowser -prefsHandle 1036 -prefMapHandle 2764 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b7b86d3-bd9b-48a5-9207-fb064c47b0be} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" 3328 17dde968458 tab
    3⤵
    PID:3184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5072.4.1998596865\558024531" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 26273 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41940ac3-5489-470e-ab5d-40a3439e077b} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" 4220 17df5e94258 tab
    3⤵
    PID:3332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5072.5.289426476\1273258240" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 3740 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d28d8a7-4c69-4092-bba9-619d41dc5052} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" 4836 17df6abfa58 tab
    3⤵
    PID:932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5072.6.806244429\925682049" -childID 5 -isForBrowser -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e06d2d62-fe64-4a99-ae27-c21b8662b17d} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" 5116 17df73d0958 tab
    3⤵
    PID:3708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5072.7.1490076650\210502596" -childID 6 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07b2b01c-4ca4-491c-aaa9-a38f7aeb041c} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" 5216 17df75e0658 tab
    3⤵
    PID:2288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5072.8.1780257568\941430930" -childID 7 -isForBrowser -prefsHandle 5540 -prefMapHandle 5520 -prefsLen 26433 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4c110e1-438b-4e64-8d43-8f5d246df3a8} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" 5532 17df37ea258 tab
    3⤵
    PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
77a42c2b780ea075cd4eae129ea76f77

SHA1
9254b2938d5e7cdf7cb35feb4d66de4e4fe04b06

SHA256
8b4e9af9620703b7ff384e2a601df435dacdb25672bae4757f8b1c1791d516a8

SHA512
8c216359684f2845dd2c85b43d08ae61a713ee905bd0cf173538ad411c9ca4b0a7af0e985b8cbc924136d9e35d061197673deecba4148b59913d3bde9bf9184c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
f2393b2f75427369b057ff3569fc73fb

SHA1
ce1424ebb228b2ec4edbd40db58f468d38d37084

SHA256
c12134ecb217fd6e515c4171e0ba221d1ee7047a3a69003897e5a6b0cc4e203e

SHA512
b70395327635be45e808708882ac32b644a5597d01f8004b4cf927ed43a988aac8cbe2ad3b67c3ca6e7b47af88d90b57a126e3fc7554f7ac83e344e93b163231

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
cdd7910396160d4680f7b26dbcbc3154

SHA1
411451dd334270e94bafb45ef964efa27ded93e0

SHA256
ec6b256ef374138cc33159be2654495e72a43dd3620956f0d281eaac10c89c02

SHA512
88602be0300ef605df818f6aad979786ec27f1ca96ac4bf716976476932c55a48144388af120f081553169a99e777f4e744c155efa297a9b38ec2314729655b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\39dc01d5-f3b6-4702-b974-040ddcffbc27

Filesize
10KB

MD5
9df2d1fa364a8bae8d269caf4b3d080e

SHA1
56ccdb846dbb384dd697ed4eaad90a1d408a3364

SHA256
5a0f77cda5ca95e8e642c1286881336e6b3f63495402855f1780dabd3ca1b0aa

SHA512
fcc3ef488ccc8344d9b0c9f5b2f4f257168be22f6aa629f50aaa0b42fb06704e54b4eaa4237499aead29ee2e400bffe723764ac20b55ece1688ddf60b685b5e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\b88f604c-42b6-45c4-9917-094c539af413

Filesize
746B

MD5
5f8fefa875599c23240278f7691f370b

SHA1
c633ebc661c052746980a43c2998d97e5c5403f1

SHA256
8ed19733606b3fdf48eb42a67893b8c42ed10e47b683246dbeb90e720fd96768

SHA512
b322d1d911d8a53918b98961e5d9b70da90a8c2b340e4fe0cd5461e3e32362958ade20f4cc0586e9fc36d643577423b0d482b73d1599694dd3814b9340d410bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
851cb82269f00d289553c1447c7b9c58

SHA1
91cdab107b3fe885a1b41d67ce956190470e9a59

SHA256
bf7282998779d72095775f6c1a6a0c1dd3154fe8df9198fccfd8bed7c654ead0

SHA512
5bb6a3c97e2a73af139efe5942e4d3183fc543f683dd41ef760e52af49d1cff5e4c02702d5bf4b24a9733f42d148cf904411b50efa7929a07f84c3354034c466

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
404c84a46f6f4a6397135edc5cbd381a

SHA1
f79b0e1fa76029cca1ec72fd2dda80c07061e763

SHA256
16a8540356f0dda0705dec4a15cf8a329f617e08125b5db5c7ccf46a15ddea44

SHA512
a28e8f4c34795b4058548666b4e9b5c517c179b52e514ee9dd0ceb6d0829a904da2f3ec63f41feb14dc1180b5aceef41dcf4c02cdfebe561452eb5153c1f29f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
30a8d29cda7d9590c4a73281d8af2194

SHA1
1b74bbde8a066887f47318b83a3dd8a0b35c17a8

SHA256
00b15b822073d6fcc2ee86f0229d5d5f46be81188c574099d890d8ab69f41785

SHA512
2c93ca5918e739f46a76275c4bce9475690abfcbc91b4985b4ff8b3258b3f22a8919693581b3505eb9ed521363d05988af5124901555655b0fa0d7a9b4cc6687

Download Submit