umbral | 47b6d570f10e809b2c4fbb6f5ab66c3da279be5712da38fc7ac6290448b0f7d9

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-02-2024 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CUBAN RAGE vmp.exe
Size

232KB
MD5

87b7d9c30c4dd5804beeb10117f96c5e
SHA1

4f43662188420cba6486ab0ff90d46bf0fbbea97
SHA256

47b6d570f10e809b2c4fbb6f5ab66c3da279be5712da38fc7ac6290448b0f7d9
SHA512

733dffbc8fbda53f71556cf75f462d013c1b13ec29f633d499d95a7a1181c3752a57f7be46cb1621f024f019575dc32f4add61ccd938f9128070f26decb0be21
SSDEEP

6144:dloZM+rIkd8g+EtXHkv/iD4PVqP/1+mpYsl3ySX+ib8e1m5Si:/oZtL+EP8PVqP/1+mpYsl3ySXVCH

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/1712-0-0x0000000000040000-0x0000000000080000-memory.dmp	family_umbral
behavioral1/memory/1712-2-0x0000000002240000-0x00000000022C0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	CUBAN RAGE vmp.exe
Token: SeIncreaseQuotaPrivilege	2596	wmic.exe
Token: SeSecurityPrivilege	2596	wmic.exe
Token: SeTakeOwnershipPrivilege	2596	wmic.exe
Token: SeLoadDriverPrivilege	2596	wmic.exe
Token: SeSystemProfilePrivilege	2596	wmic.exe
Token: SeSystemtimePrivilege	2596	wmic.exe
Token: SeProfSingleProcessPrivilege	2596	wmic.exe
Token: SeIncBasePriorityPrivilege	2596	wmic.exe
Token: SeCreatePagefilePrivilege	2596	wmic.exe
Token: SeBackupPrivilege	2596	wmic.exe
Token: SeRestorePrivilege	2596	wmic.exe
Token: SeShutdownPrivilege	2596	wmic.exe
Token: SeDebugPrivilege	2596	wmic.exe
Token: SeSystemEnvironmentPrivilege	2596	wmic.exe
Token: SeRemoteShutdownPrivilege	2596	wmic.exe
Token: SeUndockPrivilege	2596	wmic.exe
Token: SeManageVolumePrivilege	2596	wmic.exe
Token: 33	2596	wmic.exe
Token: 34	2596	wmic.exe
Token: 35	2596	wmic.exe
Token: SeIncreaseQuotaPrivilege	2596	wmic.exe
Token: SeSecurityPrivilege	2596	wmic.exe
Token: SeTakeOwnershipPrivilege	2596	wmic.exe
Token: SeLoadDriverPrivilege	2596	wmic.exe
Token: SeSystemProfilePrivilege	2596	wmic.exe
Token: SeSystemtimePrivilege	2596	wmic.exe
Token: SeProfSingleProcessPrivilege	2596	wmic.exe
Token: SeIncBasePriorityPrivilege	2596	wmic.exe
Token: SeCreatePagefilePrivilege	2596	wmic.exe
Token: SeBackupPrivilege	2596	wmic.exe
Token: SeRestorePrivilege	2596	wmic.exe
Token: SeShutdownPrivilege	2596	wmic.exe
Token: SeDebugPrivilege	2596	wmic.exe
Token: SeSystemEnvironmentPrivilege	2596	wmic.exe
Token: SeRemoteShutdownPrivilege	2596	wmic.exe
Token: SeUndockPrivilege	2596	wmic.exe
Token: SeManageVolumePrivilege	2596	wmic.exe
Token: 33	2596	wmic.exe
Token: 34	2596	wmic.exe
Token: 35	2596	wmic.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1372	firefox.exe
1372	firefox.exe
1372	firefox.exe
1372	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1372	firefox.exe
1372	firefox.exe
1372	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1372	firefox.exe
1372	firefox.exe
1372	firefox.exe
1372	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2596	1712	CUBAN RAGE vmp.exe	28
PID 1712 wrote to memory of 2596	1712	CUBAN RAGE vmp.exe	28
PID 1712 wrote to memory of 2596	1712	CUBAN RAGE vmp.exe	28
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1600 wrote to memory of 1372	1600	firefox.exe	34
PID 1372 wrote to memory of 2280	1372	firefox.exe	35
PID 1372 wrote to memory of 2280	1372	firefox.exe	35
PID 1372 wrote to memory of 2280	1372	firefox.exe	35
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 2488	1372	firefox.exe	36
PID 1372 wrote to memory of 1944	1372	firefox.exe	37
PID 1372 wrote to memory of 1944	1372	firefox.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CUBAN RAGE vmp.exe
"C:\Users\Admin\AppData\Local\Temp\CUBAN RAGE vmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.0.224639994\402071868" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1164 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc8c2911-9f5d-4334-8899-1b2ad7a467f1} 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 1292 105d9258 gpu
    3⤵
    PID:2280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.1.148731935\1193306206" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {915c3136-258f-49ac-aeba-7ad54ce326b4} 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 1480 e9f9258 socket
    3⤵
    PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.2.1710187464\1712813933" -childID 1 -isForBrowser -prefsHandle 1860 -prefMapHandle 1932 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13a297da-2d64-4a58-8de7-6be75aaa5771} 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 1892 1055f858 tab
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.3.194532206\1371630832" -childID 2 -isForBrowser -prefsHandle 2400 -prefMapHandle 780 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a384c41d-6113-480f-9459-c3f6ded4fbb7} 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 612 e5dc58 tab
    3⤵
    PID:1456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.4.2007300136\1553082531" -childID 3 -isForBrowser -prefsHandle 2872 -prefMapHandle 2868 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f23a094e-93be-4a69-ac3f-2e1c7108cc92} 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 2884 e62558 tab
    3⤵
    PID:3040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.5.1607095150\958991738" -childID 4 -isForBrowser -prefsHandle 3536 -prefMapHandle 3700 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b416d097-cae8-4ff9-af0e-485c6d170f69} 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 3692 1eabb258 tab
    3⤵
    PID:2664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.6.1011541635\608238126" -childID 5 -isForBrowser -prefsHandle 3808 -prefMapHandle 3812 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd123895-d7da-45a4-af7c-6c25b78234dd} 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 3796 1ec38658 tab
    3⤵
    PID:2432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.7.1474384341\944641677" -childID 6 -isForBrowser -prefsHandle 3984 -prefMapHandle 3988 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a71e6173-d695-4d8f-a175-ed45516eea62} 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 3972 1ec38058 tab
    3⤵
    PID:2408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.8.1433404036\229418354" -childID 7 -isForBrowser -prefsHandle 612 -prefMapHandle 2404 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c981354-cea4-47e6-bf6f-c07e7cf6f5fd} 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 2992 21fca358 tab
    3⤵
    PID:1936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.9.549480412\1789824925" -childID 8 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26691 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {743684ae-81c7-44a9-984d-5111dc77f18d} 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 5108 24d44b58 tab
    3⤵
    PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9bot8sq2.default-release\cache2\doomed\5351

Filesize
9KB

MD5
4c606745996d807fade1caa0c62e78cd

SHA1
26d817ca0c9ca11d5a755390dd3a41f06b32389b

SHA256
06adb10aba28654028ae38b97f2314a3e66888c95af7a5566caa240f7ac3bec1

SHA512
5d5f0db60e345a61acad7501ba16082cdce1cee07c7c3f5bf59d245a26d7e1ed4b3dfe4cfb8e73f0d35bd8b20b4689d850ea73262c13135860e9f8c4283df06b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9bot8sq2.default-release\cache2\entries\50A63A2998FC18A2B4EE131F466727551D65BD8D

Filesize
57KB

MD5
7ff3956eb6fd2cb269a80e923725bac1

SHA1
f70068f5ae8064ac014607018fc7ef154e965bdb

SHA256
f62ab18f2c59721abdf51ca6a04e04618d75f9cfbb3669e9f99ef6172f91fe14

SHA512
7edd9963fb9f23b44997be4e3d36858285c9fd1b8c8e7a7583503da3bd62fa4faa46265312df01bb13822bbed6af552b786880e114a936c4f0366cd9e5a4fe98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
9ebc6e9145b360d01d4d6a96398c1976

SHA1
2f82a60330670f383eb29e5774818875ecf79af3

SHA256
c1e2b558087f13a1e68cc58e5fbdfff2cd2ba9422e728281b00ecac16529a7ee

SHA512
446eb850b3c76bc4b637db10cdf744319ff3a56d66b9e418594c81f7ddaf7eaa34c91f7efb6e7d468e6ee03c1fb61c6eed3a7b4a92cda619299b967b9a5b682e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\datareporting\glean\pending_pings\4e0b1acb-6513-490f-b69d-9b0cfa640b75

Filesize
745B

MD5
81f4d35587aa39b35154c556faaad8d7

SHA1
2e5080d1c564c9fef55acda0877cbb8022b4b60a

SHA256
a4c6d01d7d1a44a45beb88e75773407a7fffb18674e7f85b0b3b838c394a0953

SHA512
2eb4917b70ed704ae185ae140c232d88390de60298c3e304b8110ef79f55221f6c748b5b6dfa8293836df3c798c442be621dcd5fb29bccaf3f55e6a1b7bc7f31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\datareporting\glean\pending_pings\6b75c257-ed8a-4e3a-9e07-69b83b0de87f

Filesize
12KB

MD5
2b653708b8938e5a29140abcd992cf50

SHA1
eafba318cb879481dc81c0f938bea2ef149f5ab1

SHA256
e2bda2cd56ec3cf506dbcf6facf4a0c349400fa1fb7767b0dc96da3cdeef58e8

SHA512
10b64ed53efa35f05b839ab6fc901fabc9e2d4384833da93b0bfcf639801e3620784c048ee65e3fe93fe679db2bb5fa11a0e08412680f5ea5b83cfa4abba372a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\prefs-1.js

Filesize
6KB

MD5
1d1c198362daab321602531f28928a85

SHA1
70309341c3aa30a6447f0284205549e6ac70dde4

SHA256
b9c2b0b580edd1d21b3a29efe631831f316ff07a8da8516c9feaf0b2a706c7b6

SHA512
86d77b24d8c98b47b0b5aa48021428ab60efb5d5cfc4cc3327082d44ecd94690e5b9b5e1dc6ccb2e736e88b4a128d132a887e1b6ad35c015f769dbbb736510e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\prefs-1.js

Filesize
6KB

MD5
b0596b8a8398948fd43f15b8dc524e5d

SHA1
7f42eff734a54774ff3f46b4327b9c1444a8db24

SHA256
785bbdb510713cfaadc46d397f8fe7aa833bc52ad1dfe678d61bdd30bedbbf99

SHA512
65025c4cf741391ec449d9374a7c13d9964f9c68cdf00124f9a512ecbf0a7cc903781b87c55e500869a3ec5a98dd2679d9b736145b646cb78274ec119ebb1c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
23aab684a351c9dcd1612f5ae101681e

SHA1
c24154b1a5ced3a744ab9d5a39b8d12d0b742ff5

SHA256
272e4c4d3a05dfc350721c28e79bde8264cc023e2b594307f4edec91d81604d1

SHA512
5c4cd9a7b3d5f9eca56c02d4af56d1148f804ba1aec6441a7caba560f01c7d6f14726b2c8e22010a4186e33a349db05decf54adae649555e9b66eca8ddf54671

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
59b573c3541fc5569172f208ae00fd98

SHA1
d624dcebacaaee62e68a69777c8a14c906190c81

SHA256
8b5e611e7c5a00233e17d31c5d8386410639929763c81144678e6888492184e8

SHA512
4c35232d4becad6161702c5ffd96301eb10ce736275ba73522513bb66e6f99f097769b4f13e0511f97dd9f00395402ca9be6629027d1b3d1ec3ae3db5e6f6625

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
934B

MD5
f259502b5223fb659390d0ae279ff62f

SHA1
4d0d09f1545da73cfaa632e12db8d07152633680

SHA256
17ac9da560f9a20c6804f0a7cc49785a1b413ffeba269e87646993aaa93a7973

SHA512
4c1f6c44fa057fff62f7683e8057331579db58039a1f4af22bade3690fcc492957603eee1a5d4ec2ccdef9370b48a208a0c192e65dd65b68d9b003cf57b1482d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
aad5d4ad7dbacf8532a76f76b86888a8

SHA1
a72f2386ab6fc48ad57e77bb325ccde5a6a41080

SHA256
12a08643dead0d9d1cb808c67135601ee81b808d707cc58982f5ddb010726899

SHA512
32db148b2796b0d1a288d2b7eb05bf77f106c07457eeb03dfac998e12caea4a23d3481933817c1cde3766362da786353793ccb47ceb15df2d0ae81d6b1e98224

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ddc7a02d6b1aaa72fa2af2f7e917240d

SHA1
2d0a504c2368a73171d3263240024d52ee5027f7

SHA256
ba97ca12b03172a00666fd7a93b554d997172ec579a37e6436d9b1e54250d646

SHA512
e36f2f294366ad7afd6aeeeb06f662811b49f3cf6ff27d5e31ec162162de193a4f0f002fc7a5d436c54eb650fc0e840064071e0d571d2b6640712772853a9fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
6fcd384b730f7d94385c56f1a458bd20

SHA1
f54a3b1923bddcf366eb87b4b96fdb541270c52e

SHA256
e86454f0b925884685eae1f4c6a99d3d4155bc61f5dd27c9823b642183b8c5da

SHA512
7a528c018b3c27782abdec74af79a174580b8c260d6bbe68610c8a30da9787254ea1e057b37e5959ef437039fba4b4af4e8b3ac86b333c4f5b5994298c0a69db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
aa90d2048a8e37ce693101292e7470d8

SHA1
5279b4849339ffd9ae6a4c811d00aa7a7c982b5e

SHA256
078560d64d560094916095949981a279a65d45b6eb72b31e11d1f328dd9a0a15

SHA512
67413922101a8e1eb4dfde0f61929bc2f8203de4a75a80334c2dea81af0eb00572a13a81fe0c970426b743576796983eba8585812865ecdf64125250d241976c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c1ae3a60955c28ffde34bf065345e9fc

SHA1
429ee37d4e9d6f497710511935baecc09388d4bd

SHA256
3ef01ea5724ff1e8636f22415b86bf2f6ad6ced6922004655c34331779194857

SHA512
6e76202100df87ae40e6a103a8a8b572ee187c6703462f71077f6ca596d5cf9123d8555df26dd1aef1df35b3b34c29b6e21779e0d47ec6e4cf65581bc7b15fee

Download Submit
memory/1712-0-0x0000000000040000-0x0000000000080000-memory.dmp

Filesize
256KB

Download
memory/1712-2-0x0000000002240000-0x00000000022C0000-memory.dmp

Filesize
512KB

Download
memory/1712-3-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-1-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download