e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
13-07-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
Size

1.2MB
MD5

a03b7450450167319f29f315fb6d091c
SHA1

358a6040b87db54ad2462425539d2f4c2a031466
SHA256

e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1
SHA512

fdc7541e1ef09e7b70d1248c4d334e34abd957f7d978ad516938a2fbe39a146d17d3db0c8db5c5edde501cdbe09f62e7d1ee74a157c621513d4bdef0c1f4dc34
SSDEEP

24576:FqDEvCTbMWu7rQYlBQcBiT6rprG8aLZ2Sbly7TWEPje:FTvC/MTQYxsWR7aLZ2dW

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	firefox.exe
Token: SeDebugPrivilege	1200	firefox.exe
Token: SeDebugPrivilege	1200	firefox.exe
Token: SeDebugPrivilege	1200	firefox.exe
Token: SeDebugPrivilege	1200	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1200	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 3636	1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe	82
PID 1388 wrote to memory of 3636	1388	e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe	82
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 3636 wrote to memory of 1200	3636	firefox.exe	85
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2352	1200	firefox.exe	86
PID 1200 wrote to memory of 2712	1200	firefox.exe	87
PID 1200 wrote to memory of 2712	1200	firefox.exe	87
PID 1200 wrote to memory of 2712	1200	firefox.exe	87
PID 1200 wrote to memory of 2712	1200	firefox.exe	87
PID 1200 wrote to memory of 2712	1200	firefox.exe	87
PID 1200 wrote to memory of 2712	1200	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe
"C:\Users\Admin\AppData\Local\Temp\e97b452ca89e3d666f8c4cc380ea15365e29e5c033627012f63a5d2a3f12c4c1.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1904 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9626d35-ae13-4063-be55-4e86fadeffce} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" gpu
      4⤵
      PID:2352
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {183e33a4-ecde-419f-9d8d-85424667884d} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" socket
      4⤵
      PID:2712
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3296 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3284 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74118743-e49f-43fd-be29-a111a9e8c9eb} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
      4⤵
      PID:4008
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3848 -childID 2 -isForBrowser -prefsHandle 3840 -prefMapHandle 3828 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb0fb3e4-d654-4d0e-839c-51e5372f02bc} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
      4⤵
      PID:3516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4608 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4600 -prefMapHandle 4588 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68ef5dc4-2a7e-4041-a724-94d11f54055a} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" utility
      4⤵
      Checks processor information in registry
      PID:5164
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 3 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57c615e4-0fc9-45fb-a5a7-2e8aa9c8f725} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
      4⤵
      PID:6132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 4 -isForBrowser -prefsHandle 5824 -prefMapHandle 5820 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0364aed1-010f-4f9a-8673-1b7d61e2eedc} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
      4⤵
      PID:1636
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6016 -childID 5 -isForBrowser -prefsHandle 6024 -prefMapHandle 6028 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3072c3e6-7465-4fed-a93a-7ddd15e606f4} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
      4⤵
      PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9orreff.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
0dbb2e27677e8af420af465d94a775d7

SHA1
53e37b3b70986a7f10d5db4addf8bae5d04bfece

SHA256
132c7ede8075fbd9d8c3993760804d1d793ceaa89fe347ae1d521067f9f19150

SHA512
b90e456950f22b935ff206bdf1256d1a9738f6c3ba8ed0f0df1e433342f858e194df962979bf480aea4500ad980fa36c49843abceca61b157d8f7a1d25a616f0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9orreff.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

Filesize
13KB

MD5
0e5a345f88d1e88de5aed436cfbc8cb7

SHA1
fc96e549286896fb9094a43993b547f8286d3c1d

SHA256
727922a8df2e78bad7b1a82b69b0b093f4605f14f84991c85784a932d4a1c024

SHA512
5674f3a95d3219f4faadcff0b6206e2a907dd413ce3af7e98e628acd2b6fb2ea74085a29c131cb6e73a900e7f6d0137627598d59a795f871ab2c03314a2068f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9orreff.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
53eaa059279d1135a396e589b2eff6a2

SHA1
ddd0849163d4ce2554936d5a4860c63bab3518eb

SHA256
9e0c677386f28b58dd8803063faa94a6cb7d29c61910724b0a1082f4ac262c36

SHA512
bdef6bb4e0763ac167f09b6bb9a4612ed1c85b6c1eeb2bdfa796846ddc7d632bdc1a38aac1cd63bce00595dce7121b077e5640acc59e88a2eda185cbc65935b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\AlternateServices.bin

Filesize
8KB

MD5
77a372a8a4a7fd52d085641b63458349

SHA1
ed6e71e89ba9d7ba2a0d3ea4578d2adcc48f9004

SHA256
09cc45018eddf68f8e271a075e14d86569ceee4a7f8f2738ffd3e7dafd523278

SHA512
e8d39b38e5a0b24e75a04179ca7cb0f937f631a839005496ef14dba936c3c62df3f0a26deed3bfabd541fee875212f8f807299c19c548bf8f8c6cf20f085a243

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\AlternateServices.bin

Filesize
12KB

MD5
0a1ebc3168ea543b0423c5059d08c9f7

SHA1
6b6849599cc8681e5ff825da55ea6654e8f6932a

SHA256
cb49a04d45be602684da2f317e3affe3495e4aa4b02c7a951320be1506972006

SHA512
8f9d358c04a0adc4d3fe702f0e1ad995ecc5a888b701bb2cb97e1436e930d8ad77cf038b1354c308f27ca06388060de1f8f0319ef7cdc2f354748eef2b8c8680

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1ce4382f59f9395be2d9bf171542c6b1

SHA1
976beffbdbe456496a0c2895ad973b0c6e6e6a9b

SHA256
e4cb0304739515a2c47dbe024ab59dfa7f40b7fa69d743592f042d335c3105f0

SHA512
f12a398fadb4890ecde0673131d7d98618f646f8418ab8731567561d537f85a22b2ca4dc06cf6c7433dd16a483510759420b587686963d3f42219a410c8306d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
ab3c0b75ad3693f37ffa9591270b262b

SHA1
6457b6619780416a9acb037ddef8e1b041ef4d65

SHA256
3f486904a5ffadbe7303115b676fa3d95d417da2d5691218d0bc80cb80ac8ed7

SHA512
2c8f1b2478b0d147f9f7ad49f38bc34dfa20e40a5557040cf5d875b75e7cda2e1520da78809182241d322a7b58f9781887642736fd6519b12a9d9eb35f32f027

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
04d0b5396947c71256399b6e8864e33e

SHA1
07ee951603a8a5c1362d88c229d950e5f4f96775

SHA256
c1c82c9517cef22c1dcab2222156939fcb6bf2413395d11b41387a742a96066f

SHA512
4b1e5e0f4e76e065a5917deec2b05ebf2eb7efefe342ce7961138617fa847a52b89b0982ce8357ba3eedcf97ea5e9674719d627fcef22456511f459af10fd8ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
938163f39a67c5c43c86d6f2fa9d8ec1

SHA1
c526188a5df291a3b1839e874a4b7f62194101c0

SHA256
fc1fa67accc47b0235c2d6cf825402c960696f5479ed433d8db1fe5b9325bf08

SHA512
806564a06df598b7130dac607fa0900af4c96ac3b8f8443084731eaace0d621a71eb368c98b3fdffcaf65e8dc901a3e9c01b33a0fd39421985d26f0137ef356f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d56d2966bbf297dce8cea4e2b08d3ca8

SHA1
7395c9e32d7362903834d2866b4e7e22c2eee5f6

SHA256
e5e2205347562055e200ed15798895cb12ccd9d0f674a16a0948227b5f92475e

SHA512
35d43b7e5a0600e9b3aeb176649ca20cb4a55642a124303993bbe160c85165e52c2fcfa91587fa35bbb8818a3a1a5c454e5aecd3b9c19f06d75eb528dde93946

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\pending_pings\1a3e87f0-4a9b-4255-a12d-78ef5f7e16a8

Filesize
671B

MD5
0906b3411475ddac4285aace24932dd9

SHA1
a24e85624fa66f7b3a311d560d9895fa90fab614

SHA256
315a6cb50f098002b05f48a936425ef226de8a3f79e5c2c9c98bc14851b632c1

SHA512
4e102600b43f2964a79da72fb41830544be977888ad4da0e1273530c74098f68290af5d0c5b66e98c2fb7b6074b47aa49c85f7e03bab1b268b08c12ab74e94ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\pending_pings\913b1f62-b770-44d0-8fd7-fac6f37d8e6e

Filesize
982B

MD5
d6cb0fdd7639bf2070cf5fdab3fb96fc

SHA1
490685b1ff758804ee37168864dc68b89e36c8a6

SHA256
23f01c98da12fa0eb55d9e69b61321f845b92184887556c506626a9d3f2e27b3

SHA512
10bbbe3cee3f53822d60a3681761c7cc756675ed1a821d4fa3d06203adc73e5606c8b6ae7b43629d25e1e99ff00b6f7773d34c5945a58a1b65a51b2c12c92213

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\pending_pings\950d0e7a-a4b0-4a38-8b5b-1444ad0e796c

Filesize
25KB

MD5
0b78ddbffc00309d80cc2c78410a0710

SHA1
5d54883c7dce3ea45ae1762a5573cd6fe1d75ef9

SHA256
2a9e0d885cf839f5668d7d1b24f019cfe74dacc9ee03748f065a28d35ba7f2f1

SHA512
617ddd16e281455085ce5d1ecd666959ff22d17e134396c872ce14fadc717c0d9dd02d249d3c3d6224f9dd4d979609f5c277888842df70e8a934873108fe330c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\prefs-1.js

Filesize
13KB

MD5
a941f7d83e8f9b80102ade751ef9f889

SHA1
b732047adf8021023a8291858ae7b5879c731b5e

SHA256
777773154b81b0b59ea19cdb38844b62a9468977f00bb904c24ca5e5169ca5c9

SHA512
a1565daddb4052a3b459e4663315b23c7d42f6d7b42ef8dab8855bad9828ffc663d5cbf397e3d5434cb76a3e4fc1a49d80ffb509997e4377dc9925c2537be1b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\prefs.js

Filesize
16KB

MD5
4b323f58ee6ac114c6552dd82c906526

SHA1
c68c93bad2237aeb10b497aff4d797cac3bfad88

SHA256
f3a8c82c9edad843f53d9c6724c8e5e3a9df5221c1b374f77c8e2b6858b79165

SHA512
47d5027c68aed3ada69097f6bb31ce4fd10bd2270dfa029b696d645f947c56a83e95643aca94b4cf6fe2436bb9badc061b0e00e2aa064d2dc5c86f27f3764ce9

Download Submit