umbral | 66ea5b27209bd7926f3715108d7c7b37fa171f8fa91697e8b14810835c0ddb39

Analysis

max time kernel
117s
max time network
97s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20-05-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spotifyfired.exe
Size

231KB
MD5

6a7d1aab031a0780d99a655022b65180
SHA1

fbb429c748a66a57203e20af2815788a2999c9c1
SHA256

66ea5b27209bd7926f3715108d7c7b37fa171f8fa91697e8b14810835c0ddb39
SHA512

5680eb4868060d3d16bc38fdba2aba2f50cb189bd0929260cde6890e1551e545125d8e2383848ff740ed2f406b1d0a45aa4b5ac0cab8b5b526ca35a877bce8d5
SSDEEP

6144:xloZM+rIkd8g+EtXHkv/iD4Cno2p3cw/ceHp0AV3h6lS8e1mdl2i:DoZtL+EP8So2p3cw/ceHp0AVsi4l7

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1292-0-0x000001E13BB40000-0x000001E13BB80000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4780	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	spotifyfired.exe
Token: SeIncreaseQuotaPrivilege	3512	wmic.exe
Token: SeSecurityPrivilege	3512	wmic.exe
Token: SeTakeOwnershipPrivilege	3512	wmic.exe
Token: SeLoadDriverPrivilege	3512	wmic.exe
Token: SeSystemProfilePrivilege	3512	wmic.exe
Token: SeSystemtimePrivilege	3512	wmic.exe
Token: SeProfSingleProcessPrivilege	3512	wmic.exe
Token: SeIncBasePriorityPrivilege	3512	wmic.exe
Token: SeCreatePagefilePrivilege	3512	wmic.exe
Token: SeBackupPrivilege	3512	wmic.exe
Token: SeRestorePrivilege	3512	wmic.exe
Token: SeShutdownPrivilege	3512	wmic.exe
Token: SeDebugPrivilege	3512	wmic.exe
Token: SeSystemEnvironmentPrivilege	3512	wmic.exe
Token: SeRemoteShutdownPrivilege	3512	wmic.exe
Token: SeUndockPrivilege	3512	wmic.exe
Token: SeManageVolumePrivilege	3512	wmic.exe
Token: 33	3512	wmic.exe
Token: 34	3512	wmic.exe
Token: 35	3512	wmic.exe
Token: 36	3512	wmic.exe
Token: SeIncreaseQuotaPrivilege	3512	wmic.exe
Token: SeSecurityPrivilege	3512	wmic.exe
Token: SeTakeOwnershipPrivilege	3512	wmic.exe
Token: SeLoadDriverPrivilege	3512	wmic.exe
Token: SeSystemProfilePrivilege	3512	wmic.exe
Token: SeSystemtimePrivilege	3512	wmic.exe
Token: SeProfSingleProcessPrivilege	3512	wmic.exe
Token: SeIncBasePriorityPrivilege	3512	wmic.exe
Token: SeCreatePagefilePrivilege	3512	wmic.exe
Token: SeBackupPrivilege	3512	wmic.exe
Token: SeRestorePrivilege	3512	wmic.exe
Token: SeShutdownPrivilege	3512	wmic.exe
Token: SeDebugPrivilege	3512	wmic.exe
Token: SeSystemEnvironmentPrivilege	3512	wmic.exe
Token: SeRemoteShutdownPrivilege	3512	wmic.exe
Token: SeUndockPrivilege	3512	wmic.exe
Token: SeManageVolumePrivilege	3512	wmic.exe
Token: 33	3512	wmic.exe
Token: 34	3512	wmic.exe
Token: 35	3512	wmic.exe
Token: 36	3512	wmic.exe
Token: SeDebugPrivilege	4780	taskmgr.exe
Token: SeSystemProfilePrivilege	4780	taskmgr.exe
Token: SeCreateGlobalPrivilege	4780	taskmgr.exe
Token: SeDebugPrivilege	1708	firefox.exe
Token: SeDebugPrivilege	1708	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 3512	1292	spotifyfired.exe	73
PID 1292 wrote to memory of 3512	1292	spotifyfired.exe	73
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 3144 wrote to memory of 1708	3144	firefox.exe	79
PID 1708 wrote to memory of 1936	1708	firefox.exe	80
PID 1708 wrote to memory of 1936	1708	firefox.exe	80
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 2024	1708	firefox.exe	81
PID 1708 wrote to memory of 376	1708	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\spotifyfired.exe
"C:\Users\Admin\AppData\Local\Temp\spotifyfired.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3512

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.0.671387105\598451568" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49699175-0901-4c12-8fb8-1e38a8c758a8} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 1776 291d22d7858 gpu
    3⤵
    PID:1936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.1.1022204043\2119272715" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83cbedef-a270-4f62-ab3d-a2a5cbe84bdc} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 2128 291d1e31458 socket
    3⤵
    PID:2024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.2.1197531141\1082609264" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3076 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ac357b1-d950-442d-83ea-ebe93ec0e5b2} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 3092 291d6719d58 tab
    3⤵
    PID:376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.3.465420436\281489253" -childID 2 -isForBrowser -prefsHandle 3384 -prefMapHandle 3380 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbc50eb0-57a3-4a7c-a71d-279a7e2aa266} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 3396 291d4e03558 tab
    3⤵
    PID:704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.4.191200749\1788802785" -childID 3 -isForBrowser -prefsHandle 4328 -prefMapHandle 2892 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {879d9677-64df-4b60-8371-fb42ebc0e684} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 4300 291d83a5d58 tab
    3⤵
    PID:396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.5.1085356476\249498942" -childID 4 -isForBrowser -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {533fbdd9-772a-4da2-bc11-2839a332b274} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 4760 291d8726858 tab
    3⤵
    PID:2628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.6.1845068653\216131980" -childID 5 -isForBrowser -prefsHandle 4892 -prefMapHandle 4896 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {108027c5-1f62-4c4b-9679-a2a23270c7af} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 4976 291d8726e58 tab
    3⤵
    PID:5068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.7.1356210670\353286628" -childID 6 -isForBrowser -prefsHandle 4776 -prefMapHandle 4780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {629da8a8-a51e-426c-a185-6d250c03c83f} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 4884 291d88a8258 tab
    3⤵
    PID:2588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.8.1318361427\1700114429" -childID 7 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c24468f4-966d-40d9-819d-ff0cdb911ac5} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 4652 291d9fa4358 tab
    3⤵
    PID:2980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.9.1166434233\1443500414" -childID 8 -isForBrowser -prefsHandle 2892 -prefMapHandle 4308 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a66e337-d8b7-49aa-9148-c49b5a8ebafc} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 4772 291da0dfb58 tab
    3⤵
    PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
9e7fd2f56e0f382499ddb7cfaf565c49

SHA1
8589ef6be3eddafba3712917959f1122c30a4ff6

SHA256
229cc25c02afa3d1c399933678dffa309d649d6da08b18137886f8afef6b0287

SHA512
b3f1f8c489e0efb16fc8d781979bf0a07dd98b057ff9bb445262d819bf3db76f8f99dfad6ca4141251b3cc9f51cdf699a2db1b897851a37738803537c96ce3c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\19039eb6-29e3-4860-b4fe-e9e53e4bbe86

Filesize
11KB

MD5
b82b0feb14b7d867ce26e59ecf169bb2

SHA1
da5d8bf72219d916ad790b5910da505e56a72f0a

SHA256
9826b2bdf7178614abc94e46d2904d5a883a067e5ef69280aa1a84284650c98b

SHA512
ff8c324e9b0870b5ff1af08c1f8d9133a44b591451ebbd4b75e333f8b9be49d1f45a8331f8c016f6a29c6929209ae0e5945bbf1e985c34b1690b5029a7ef822b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\97755ed0-53b9-4c7a-a6ea-fa89d1105f4e

Filesize
746B

MD5
6dfa14e3ee40a0f3358577c87eb29df6

SHA1
1f09b7bbaa0d28ba938f609c0fc7315522331f67

SHA256
8f9253e595673f7c8da495074992f794e9981e6e79b2caeb071fe5719be3b6bd

SHA512
26b080c7fe60d1727b1daf85b9dfdd15495e0550c8b62bd4b6875fe3f4ef20cff8bc7a59da024a68ae1b50da1d504d42f38d71937a2db548cc47d6ca1c1a9cdd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
764e63fc07c117994aaddc7042fced12

SHA1
2367753575296e71b9d375c3547acc80c4248d97

SHA256
9a7b3d6a0c56af11bd9008a9d8ed264c6940c2d2ee3466d1bfe7b46ff0c264d6

SHA512
33d110462c208e59aaa5557161a597041c4cf34b3f03335982b2f61fbe5a1114639170967615c589b50a349249a8a9b8fc93c24bf6e42b072741917919876cb7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
113fc501f0e00d1bbb3ae91a3774e57a

SHA1
35309cbc8290b528d4166ea59bdc4c75004a2fec

SHA256
4646ef9033e03847cb9330ec4eac5f24ecb8f2bea8f1706862c2df220666b3bd

SHA512
a736dce57154728cd7c609ed62f1b5812837ecc9a1143babd51037c7b89057b566d724263997b78376c366f0807f8bf854d726ddf0ee0c41911402157b2f5c65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
2a11dbbec9a051ab27e8575b10db5ada

SHA1
d6bd746ee87e25ef4cb02b8c3106d17518b35f90

SHA256
c7d01d8c07d041199582c0797ad10c8226bcaba2c673ef61d9931659eeb1460a

SHA512
b885ac93fe5a5efc44fea470f81b9860e3aa9f91ce30c739f6872fb8e86266b34010cf1dde5bbc27200828ae2baac6e485d0777304a6754362603a928f00ecf4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
48e70e627459afc3eb24dffe216a690a

SHA1
fa5c8d1b942d4a2ff7d7dcc74b941da03dc28492

SHA256
bdc176f73a82c972cd32a53f7d6d4c88e2eca12a800dc60a2d068f72fa7e7305

SHA512
dc013ceb43207da668eb16ec626e5d9adf3b73db9b3753cc6a05a64cb7250cc6f9926e04d34b29c1763513578ac10417ad82bdc366ffb55ae515c50fde45cf93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
7109c261648b45b355a95284ef8eddf6

SHA1
14501d188f7df3b50becfa3e261f5f10189fd4cf

SHA256
1cc6714bc73f13ab3c5c6399f6adecf0d2bf6dd303fc9b0631a242359e01275c

SHA512
ed33b7c919ef1e2616fd96dd8ea0f92b4405a6803c41e14f979fef3f48a92e006c827cb1dd5ab2714756a5ef01f6f7d48b215bfb719b574a23fe3ccbcb947ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
1e1864e9675640f180ee76387d78ec72

SHA1
33b33ef2d9b9171472104daf5c7c433465b5bcb7

SHA256
783bbaa6e25deda56f68c95e7c7150d846dad63cbe722817cd2c18335b48bae4

SHA512
7942e3c10429346b01ab01f704164c7a7b562ada18c60c23cdc1a41bf784c4a90f1bf87109217fd3dcf3f53cc986b322ef6a0998ee41892bec052165387e5035

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
9ed0c54928c18bd27f5c07cc48646572

SHA1
6529ea325d44404c6c2801d008724dda6e07a415

SHA256
f21bd5a4c93986f37827e6be8909fa467b302be41a544555bcefee5fb92566fe

SHA512
9fd0f85b9bc390f045f6fa78a63a3f599efa263e4cfbb82c2773ab90206b3444d0cd7292bef2d6c96abad20ac17b2b267a599ba51f4c78a0d9d6623bb2fd5ed9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
eafb1a664634cf360b704d6909f77f64

SHA1
e80103ce01004ae87d419a91be13810252ac82df

SHA256
4fcda2a36950e57bb0e001500b48e1b8df4c05d8990615d5590e5fc594cdef60

SHA512
930b5d571e51a6d2e73c32bbc1b74f2bcb75504ae2bd5d0e80391c4cbb14584d18d0168ff5956cbfb29e8fefa060a09f4532cab796abbc8189d6146db087fefb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
7f868e557b098795d645df9ea302427f

SHA1
001f3306144559b4049a8ab139b4139f51e59c0e

SHA256
b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

SHA512
56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

Download Submit
C:\Users\Admin\Downloads\eset_internet_security_live_installer.8mNZRGS0.exe.part

Filesize
24KB

MD5
39b3ff2b4454566a9cc05060326fba6a

SHA1
07a22c475b0aecd865bce5bf9aead42a250e11d7

SHA256
2e342951b5bfad231743f61f7aac2ec0f0d3d5ef982aa22b00ebf7786eb458f2

SHA512
fc8f51b9ba26d4beaa2636f6459765c627d29f527616f7dc76ee0e27c5eb02fbea553962a4ed0bb13feb288c0bf5f734f64e7f687411fd38b7be085f99b0b78e

Download Submit
memory/1292-4-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

Filesize
9.9MB

Download
memory/1292-0-0x000001E13BB40000-0x000001E13BB80000-memory.dmp

Filesize
256KB

Download
memory/1292-2-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

Filesize
9.9MB

Download
memory/1292-1-0x00007FFAEF893000-0x00007FFAEF894000-memory.dmp

Filesize
4KB

Download