Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-05-2024 16:20
Behavioral task: behavioral1
Sample: Expensive 3.1.exe
Resource: win10-20240404-en
General
Target: Expensive 3.1.exe
Size: 73KB
MD5: 6fb5db1fb4f6db383d3ec9635bafcc8f
SHA1: a2cc6012448bacc9d0cb0f5c5cfc88c2ced1c29e
SHA256: 1c4c132a522839dcd922c7495f381c08c9a142fac9ba23da02b017599c0d2f56
SHA512: c0c87534b5f0e26631ea169c5540d5893d52b0dce1d0482cfc7916014af9e3d3101840d1e9e5e2b9b8ee2717e2f1976b3b7d2f7832e3e17197e8372292b32604
SSDEEP: 1536:cZwa23E9lZVp7PmzogbZMuUW+b1pHjFGlqiyJ6SDOKJxENaM:cR2AlZrWog2uUW+b1pjBfOKJCR
Malware Config
Extracted: xworm
loss-winners.gl.at.ply.gg:61007
Install_directory: %AppData%
install_file: Expensive 3.1.exe
Signatures
Detect Xworm Payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4908-0-0x0000000000320000-0x0000000000338000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
1760 | powershell.exe
2176 | powershell.exe
3576 | powershell.exe
5088 | powershell.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
4380 | hfyfju.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\Expensive 3.1.exe" | Expensive 3.1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 59 IoCs
Processes:
pid | process
1760 | powershell.exe (3 entries)
2176 | powershell.exe (3 entries)
3576 | powershell.exe (3 entries)
5088 | powershell.exe (3 entries)
4908 | Expensive 3.1.exe (all remaining entries; 59 IoCs in total)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4908 | Expensive 3.1.exe
Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (one entry each) | 1760 | powershell.exe
Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (one entry each) | 2176 | powershell.exe
Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (one entry each; list cut off at the 64 IoC limit) | 3576 | powershell.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
2808 | firefox.exe (4 entries)
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
2808 | firefox.exe (3 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
4908 | Expensive 3.1.exe
2808 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4908 wrote to memory of 1760 (2 entries) | 4908 | Expensive 3.1.exe | powershell.exe
PID 4908 wrote to memory of 2176 (2 entries) | 4908 | Expensive 3.1.exe | powershell.exe
PID 4908 wrote to memory of 3576 (2 entries) | 4908 | Expensive 3.1.exe | powershell.exe
PID 4908 wrote to memory of 5088 (2 entries) | 4908 | Expensive 3.1.exe | powershell.exe
PID 3756 wrote to memory of 2808 (repeated entries) | 3756 | firefox.exe | firefox.exe
PID 2808 wrote to memory of 1684 (2 entries) | 2808 | firefox.exe | firefox.exe
PID 2808 wrote to memory of 4772 (all remaining entries; 64 IoCs in total) | 2808 | firefox.exe | firefox.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe"
  PID: 4908
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe'
    PID: 1760
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
    PID: 2176
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
    PID: 3576
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
    PID: 5088
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\hfyfju.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hfyfju.exe"
    PID: 4380
    - Executes dropped EXE
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 3756
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 2808
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.0.277929906\626789989" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1684 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e79d528-ee1f-44bb-8fef-61d968a535b5} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 1764 275223d9b58 gpu
      PID: 1684
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.1.1392330921\219663541" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e2b51a8-3e9c-442b-aa48-82a5864bd5c9} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 2116 27517371958 socket
      PID: 4772
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.2.618080536\165990387" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3024 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef474198-bf4c-4506-a542-8de5bb53ba8e} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 2656 275266cd858 tab
      PID: 2216
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.3.2004111893\469675472" -childID 2 -isForBrowser -prefsHandle 2268 -prefMapHandle 3224 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcef15f2-9366-408d-b3c0-0f4152ee3b8b} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 1036 27524bc7858 tab
      PID: 452
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.4.1059018891\1447186868" -childID 3 -isForBrowser -prefsHandle 4060 -prefMapHandle 4056 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2723c54-0818-4887-81b4-50bdd08f1654} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 4068 27524ea2358 tab
      PID: 376
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.5.1930587587\409430609" -childID 4 -isForBrowser -prefsHandle 3868 -prefMapHandle 4772 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1512c104-fc22-4de3-84f5-3dce2f97ca5f} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 4784 2751736c458 tab
      PID: 216
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.6.909279474\1141349359" -childID 5 -isForBrowser -prefsHandle 4924 -prefMapHandle 4928 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fae3fd9-7576-4fc7-9631-fd83fa2f1e51} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 4916 275289fa858 tab
      PID: 1136
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.7.1174175431\1842900860" -childID 6 -isForBrowser -prefsHandle 5116 -prefMapHandle 4812 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95752acb-cf54-4107-a6a5-4846c65dd32c} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 5104 275289fb458 tab
      PID: 1384
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.8.1750181846\1675046087" -childID 7 -isForBrowser -prefsHandle 5584 -prefMapHandle 5588 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c803dd8-c13f-4429-bc92-f3a1fa0b4ab3} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 5164 275228a3e58 tab
      PID: 4136
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.9.1127425457\1324528028" -parentBuildID 20221007134813 -prefsHandle 4148 -prefMapHandle 4132 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {890492b6-3354-4fde-af6d-c77134823729} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 4124 2752a664458 rdd
      PID: 2176
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.10.652610821\1341242717" -childID 8 -isForBrowser -prefsHandle 5732 -prefMapHandle 2628 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {186af45f-9e7e-4f1c-b5f4-833c2cca9fdc} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 1552 2752ab61358 tab
      PID: 1584
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.11.876878333\1129928772" -childID 9 -isForBrowser -prefsHandle 5044 -prefMapHandle 5060 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7c4baec-c1aa-458c-a164-dd7e507276c5} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 5056 275289fd258 tab
      PID: 216
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
- Filesize: 1KB
  MD5: e822e1f73c47816d5b581732084d0a67
  SHA1: e2fce74961a863f28b383dae067d8d51bf6864dd
  SHA256: afc3ef7885290c6bfb780733a3201908f4d23ac6007ec5935ae6a7e1572a4f64
  SHA512: ca6bf61a2cbd0dbe346a482ac6516df29fbf1c8fb1fd6d3d7b29bb96391f251d40ab31d580d5da09daed3e51a6c44da2a174c96373c01a02a9d3d2a41f7fc3cd
- Filesize: 1KB
  MD5: 7468b8c4cf9ec26331802d1ec0ed8db5
  SHA1: 84f5e7e315f48efbcdae2733e604df253a05efb2
  SHA256: 9fdab88bf70d19a51713244d01f674d72f771203e4a9d8965fd3e8225d1e03db
  SHA512: b2495a37d1918bd3529fe3834004f206027efc1ffaa91e82cf6c490f919da56d822c11e933ce75e68359699d66576cbc3b59c1aa46779a2a45adb0ec86f25f16
- Filesize: 1KB
  MD5: fdf0af9a31169e02167f5ff6121def60
  SHA1: e21552ea949918cac9be60147fbd8511ec4f8581
  SHA256: a55a50825bd5f285d2180fe765317eeeee9c3b4544e1cd26d4c5f3aa0219749d
  SHA512: 86019c7647c62ac9ecf6253ab35bd01c26d45dbd415430a1243e57cfcb755a511fd9049a43e92a144a5ccb16311298d9efbd64f5d95c90350aab17fbb5b623b3
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- Filesize: 10KB
  MD5: 424755b9f13cdb742d503836bf09e63e
  SHA1: b4cdc234fdca58519edf14fa3b0bb3a522249440
  SHA256: e0e95c4be30bc2199018c4a44b4df874ee991665d0aff048e39b1c905cc9da56
  SHA512: 29dd79ca6d2e451da0b0597c1d6b4cd860a8641438f139dcd3ecc02ecd0a638feb28e41b2088fc2e360b27f5c343b1843889686070307bdb26077593791972b7
- Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
- Filesize: 8.0MB
  MD5: a01c5ecd6108350ae23d2cddf0e77c17
  SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: cc6f49c9e9389c615e8bad2292740d57
  SHA1: b011b3ed39181887b1167372738bc683f84df108
  SHA256: e058cb27a5f998bf52c73e9516d4c8e6cabf11cfe4b038bd57625be6cfe927eb
  SHA512: a4408bd3e9ddd51487e91b97666b1d0f009fbae4818d7f55ee9df66741ad65b777621b5b45fc535b2b2c22b7aba6b0bcb6b8d70094832ff56034ed648f70286b
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\1a945001-7aa4-4f87-8f1e-819497fdbc81
  Filesize: 11KB
  MD5: f55c0aec6d8b797d39ebc6ef2cb53a61
  SHA1: 61fc3cc78e1c5aae38217d233a9cbd228a55fff2
  SHA256: 6b4d37bb4258b715cb94698b09ac17ef568fcc4d5a422b51d9e571993dd6e87e
  SHA512: 02fc3269d249eebb62e1c50254ce4927f786fc8d5fd9b9a18a08c951afce0bf8e5186c555272916834c7aeb6c230a77dc4fede255de5e0cf4b69c3f39541678c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\59822dd9-2818-431d-a1ad-a5c97628f0b5
  Filesize: 746B
  MD5: a235add7a96c90aab785c8912846777b
  SHA1: df06cda7e66ca1a361fe92bece7548e195f8a4e0
  SHA256: 2c45564249507886d360056a9c9fd1ab63b55450166dc063bed9ecf0b8fbd751
  SHA512: 26a3e315abfdcbd0682385446bde3d354edf93e34df38723bb16ed9bd83d8306b5f0eb660f9c40486c9cb87048ab97e08d6a4d973f6189e86dedfbcb351fd2f7
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
- Filesize: 6KB
  MD5: c56b8a688d068ccd66651fc2a8a78993
  SHA1: 2e6cc13f2fc4131c1e9e5e6223f5b8a19d4e9c65
  SHA256: 1c711cec1e8e6330317b1a34ff723f77fad49b8f077fb0f19310094283f1ce61
  SHA512: e8cedc795b5f950c1d2bb6049badf7078ad54953780a2cd215ba7021059d0195219c5101e75729fd136da04cdcc4bf3b90f6f246d312e952a48c01e64b28aec8
- Filesize: 6KB
  MD5: c6aec7bb2f16895bcb0cd2b8e4ecb781
  SHA1: 44fd038fd69c53ec0a01a299f8ad7f4fb80a7dae
  SHA256: 566f585f10e7ef62c3e4b358f56c04d7ee001349762807674bcd4c7c659308fc
  SHA512: 3e86f55dd5fc8405f59eb943b32f036b84a42f141242be818d5d08e6f597777ee1ad8fe631b712a56396240b8ab5738b120d9975e9ec8252ce51da2b20f4d6de
- Filesize: 6KB
  MD5: 1f813f2c00b2ceb4b4db5d8c810ce83f
  SHA1: 0f152eb4f1a5aeecf048e548e88918a2aab5deb6
  SHA256: 1fb151960e3478a2176d567d6700c307700bdd96b4fc226ee43dd0bf387476b6
  SHA512: 5065c4ce68246a9176623de34c6aceff47ae66f5454160ba3fa62c08cc476953631557b4110e18165ef00e4fceecf71446e93766de938de310655379cd1c76c1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 3KB
  MD5: 275d1edfa909af043202674a6c2c164c
  SHA1: c1009a2c6c138a71ed7fc1c993f6d7272278624a
  SHA256: e51891e273526860be98c912fbe84331a3a1047578cef6f788a3ca5be56a3bca
  SHA512: b082e5977b46081c48b55d2b7ea6cd4d956542ec51fc472d213f6c40f4178a30818e1a60cb0a277901228149e8a40fc7b2eb327c85721dbb16f068d7e49f6df1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 8KB
  MD5: 1b51d2631d704d1014046b5358876a64
  SHA1: d06ab6b0f159646fd83ce15b9c6e832daadde6c2
  SHA256: bada4f7ce92cdcd1b6a9ecceb8b829951200eda929a51e9e617b8029fa151263
  SHA512: 6bc89d8e96171a68e11e4a4fefa710f104b6f227bc08f3526ebe0e955d5adafb65f4a279683684a4217493203fdae2eea461d63126a744b9ce5775d77835b74e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 5KB
  MD5: 03e8bc03bddb3458a279383cae0cf9c8
  SHA1: 3f58c0d63aa2f2a3d4dd892fe3dfb09c3afcc2b4
  SHA256: 40eec3c576009e0461d326d42fadec7d51deecfe2f6193f8a99cfd0fe2c72f8d
  SHA512: e8db90dddf6e5ad43937b46032f3bff086f4988d7b3d8ab0e991f0f545e36e40d060fd3fb4a88acc918ffab0e80fc475df89e1890cc5f25de3abad5c9d5c2f17
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5: 7f868e557b098795d645df9ea302427f
  SHA1: 001f3306144559b4049a8ab139b4139f51e59c0e
  SHA256: b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5
  SHA512: 56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a