ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
Size

1.2MB
MD5

62bb0c12c38ed88d6de4e6fc5d769ba3
SHA1

73282ff435b02089e9c776dd4bedd0d67a0582f8
SHA256

ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf
SHA512

a4906f77454574245e10196133f8e6ec9dbfb49a8722c5e9d23eb0fe76383e4bb389e900fd921904f9b7b6053f57750f9e9bc03354ec4c6cd855c74571ebb0e1
SSDEEP

24576:kqDEvCTbMWu7rQYlBQcBiT6rprG8aXT2Sbly7TWEPje:kTvC/MTQYxsWR7aXT2dW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	872	firefox.exe
Token: SeDebugPrivilege	872	firefox.exe
Token: SeDebugPrivilege	872	firefox.exe
Token: SeDebugPrivilege	872	firefox.exe
Token: SeDebugPrivilege	872	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
872	firefox.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
872	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 3384	3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe	88
PID 3376 wrote to memory of 3384	3376	ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe	88
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 3384 wrote to memory of 872	3384	firefox.exe	90
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4964	872	firefox.exe	91
PID 872 wrote to memory of 4316	872	firefox.exe	92
PID 872 wrote to memory of 4316	872	firefox.exe	92
PID 872 wrote to memory of 4316	872	firefox.exe	92
PID 872 wrote to memory of 4316	872	firefox.exe	92
PID 872 wrote to memory of 4316	872	firefox.exe	92
PID 872 wrote to memory of 4316	872	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe
"C:\Users\Admin\AppData\Local\Temp\ec6878c05196b2bd85796a9b69dd4d76e36f91b9220696a5a4a6f1633412accf.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {518c9f68-3558-4555-b19d-07cbd6e7f008} 872 "\\.\pipe\gecko-crash-server-pipe.872" gpu
      4⤵
      PID:4964
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c47baf79-3932-4ea9-9916-1ecf0693a676} 872 "\\.\pipe\gecko-crash-server-pipe.872" socket
      4⤵
      PID:4316
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3048 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ec8f03b-f5de-4434-a24a-01df2da19f41} 872 "\\.\pipe\gecko-crash-server-pipe.872" tab
      4⤵
      PID:1332
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3868 -childID 2 -isForBrowser -prefsHandle 3876 -prefMapHandle 2988 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f2e299b-c647-4148-9b7a-c8e0543798e8} 872 "\\.\pipe\gecko-crash-server-pipe.872" tab
      4⤵
      PID:864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4548 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2792 -prefMapHandle 4540 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2684a1c4-2c92-4863-8808-2905c8cab651} 872 "\\.\pipe\gecko-crash-server-pipe.872" utility
      4⤵
      Checks processor information in registry
      PID:1924
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4496 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 4884 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71c01646-8b96-4a0b-b42d-89798690fac9} 872 "\\.\pipe\gecko-crash-server-pipe.872" tab
      4⤵
      PID:3124
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5624 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ddfccad-127d-4300-a1a3-7c4e3573ab16} 872 "\\.\pipe\gecko-crash-server-pipe.872" tab
      4⤵
      PID:1868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 5 -isForBrowser -prefsHandle 5496 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c31111bd-4e70-4528-8559-0be5e13f7d1c} 872 "\\.\pipe\gecko-crash-server-pipe.872" tab
      4⤵
      PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
d132443d53a8dbdcc70517a11bcb747e

SHA1
7b8293f48c593bb3553068f06e1ae30b5bf78971

SHA256
ee2512bb6222a222344cbf0d0b0054ce8c121f784bd5279859b608ad10291b92

SHA512
07e444eb2fe22e99841ff36fce666be604cad6edde1301407df077da12f5b490454ac0686714c8427f3175bb8895a83969601d0d1f8dc69b0601b2dae0bccf9a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

Filesize
13KB

MD5
05a32dcc64df2af86f15592fa269e1b7

SHA1
7772e02e8b7aa6656eb375efc3282b793afc5e22

SHA256
7db53c8d57e252a2438d9a2e440abdd91720b9b3bfebebe3575a006883d239f0

SHA512
225c1e30d536c6603e164c0aab93a5bf2573ecef4ed9b16c9532e0e27e4cf04796dd9225199f401e50d9b8566d4167cda215c936dffa837bab1f84d83a220d05

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
5ea4055d7cf6f4a6e258cd6939991da9

SHA1
2c764d62d68bbffd24f72ababb55abfea60475e4

SHA256
b6a9a0a946da78973010ef1f97e0688710bb07d369997405bac54273a50b1164

SHA512
eb693de508754bda16cb9de37c37a50743a58f6cdac41b38b79cd73b9321fc6498d807071b59fc4f5975f81eb9dcbc9843f79a16d7e9815698c4d2ee2643f8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin

Filesize
17KB

MD5
94a973feb7d6f86c8a5165fd6fe9ef9e

SHA1
142a1a9c543e0639acf60073c0227224edc4b28d

SHA256
1f0c2eb0380bed28e427840926f2c82483313e939d657520fbe71c51d4d30b1f

SHA512
10abb473ba67134482547dbb5f57c78cae15389e8d417e3962c10542af75b9759069167e3ad1651224daaa5eb9453da76cea683c879a96c8609f684d4c23fb2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin

Filesize
8KB

MD5
3c0aa6bd481ec839eadecd277249b893

SHA1
9cff5bb6b765f8fac39e6758c3e0d9ff927053c6

SHA256
beb9584adac2632266b4d8206ec09fe32995a6273c7a6b7fcca475a0b2fbc752

SHA512
381c61b9001a444406b735b4adb4b6960e6dc88e5958ca0ea9048f82e9ddbbc74f98b5b18382cba81ed5758f6981fe02130aa555d15a1188a5492c19c60f13b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin

Filesize
12KB

MD5
b3289b624c93d07b9420178b617a2276

SHA1
0c6514912be1cb06a2b3154102f48c25e44cc9c5

SHA256
78804b5b9a3de751a059263f6bc5c7a1c4bb63b7f7a0f86df5fa6de875cf124c

SHA512
793eae09550401e1aff6e335c9d0af70d7b3fe7ba973c5406ea60830ea2cee911f310c8f3eb80310bf967c53a149e3e8ac89c5403cd6a5c976712ce27ca52f53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
3d4a275e4facdc881c091467b8d5fbef

SHA1
ae96ecf3ccfcf3e1d564f55b71d1fbc014962048

SHA256
903b80a28ec8936aa62d9a38661bc056e9a7c9b0f437cb949be45729a3b32f38

SHA512
de28968fd4022fc9137d6f87aad7042c0cf20c7c82f1a2a645d84243b55c0a254db2a5bce80bd9fcc160a06c0f308331fae466d89f84fa2a29440b951a320897

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
587863459ec89ec5b38521a1cfa47675

SHA1
bb525bb186ffaa6712362cfe4e585ab66bb719e5

SHA256
0e0f7e28bf3a9c6079b21e88f0feead44c424307aa271e9643332cbe59beb54a

SHA512
f0aac6221791864881c3ce164fecfbca8908a3d56b6117eb86a4725bf1ce93cb0d110bfa95821c5c90e9264a5c03e906e2ee35379c90fb594154becf70a0845c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\5bdfd9b4-fb87-4a93-92c9-416eee47e52e

Filesize
982B

MD5
f5216a2eb27e3f96172c7c06cbd20530

SHA1
d7297b4d55f22a056a2258bf834ae8d4e719edf2

SHA256
8152679eed684a70aab48491dd4baf84365b4e09b03618d990ab566103c39435

SHA512
e15750bd0f3af47c551ba850da3191e6900965dcd2a0a6b198e6650a7bbe40e54838410868e3ec5e795009515d1c451e6f0f57c0c77e1dab36ad4b80722f9632

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\82fde5f5-e406-407c-bf7a-a2fc0263c74a

Filesize
26KB

MD5
1adce28064c45cf6fbf09e288a7d3962

SHA1
4cd86f5a0cba969d39f76c9d81317b6f2680f844

SHA256
d4bb7ca4ce260c77cbe631d3b98d6aa306f102da476d9f18c2e877864e04b14e

SHA512
ba550a1f9aeb7f2df71de0e08755243993fc0c1f84a095a4e713be7ed7175df9d90e39692727fb6f0088a776ad4eb3762f3a31098b7872fca916c309cf55830b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\9a4ff2ce-0a73-4b69-93b9-95789c4a922a

Filesize
671B

MD5
faf39a2312fab233636f9b894cad3254

SHA1
f79c78d6ebaacb38acaaa600195102c11501fa1e

SHA256
7c482cda5e4e30c81b67013d70e532419e83704771dfff796556dce8c154d6af

SHA512
f3eba07b9d8bff55dc893bfe9a0acda53a872abf0d1de4f1084d91e165c58f39ffa765c226cb3ca9d82c5118ca154dca4d670f7edc7f54a0e08cb8155eadfae1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs-1.js

Filesize
12KB

MD5
f911ce851f0d4a4c3da45bf3a9e46a7c

SHA1
05a4744158a51eb94e6b2d98b64a87c95e1e8733

SHA256
d421a10865ec1a09a65880533ef790bdd55fd2c153c194e3036a8e36964d9625

SHA512
cb51c88567a3c4cdc4a76a97b216a1accab222b03417eabf0716895fc84c87e26ffb7b0aaec34f28cef99d0536c5be849a675e48bbfdd7cc2e571678e0fca2d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs.js

Filesize
11KB

MD5
531f1bc6f5f73b8662b09f1d21736c32

SHA1
93f71f8388bd1649ed685c89d477810cfe954de6

SHA256
fadaa1fb62c65f1c642ddd6be45cd92c05def60317536e83adc6346b55453a8c

SHA512
240ac14aab9448b44cbabcdaa677998ab39371f46de50531629f620aac33c0488e0a5aceba593966c0aaa08a03ec73456720f3001e647c7277d349e531440fc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs.js

Filesize
8KB

MD5
19493676546a4d319931cf92a32373c1

SHA1
84c93d5fc1ff341ea11bc1340753fb046b3a919a

SHA256
b9d05de9970acfcc2fad7d30cf4184d5ab9fec67f6ae42162542f8640afb9b7f

SHA512
497f6164b099e751f22a66d4d41d363bdd4f954f18ebd48d6d02f16c39acbb9fb211983a17eee87efe519aea45a393c1e9d9919cd4a935ddb4d9139739243d88

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads