bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Size

1.2MB
MD5

dd831eb4a822421a497990d84a0fd578
SHA1

aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
SHA256

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
SHA512

5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
SSDEEP

24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	3960	firefox.exe
Token: SeDebugPrivilege	3960	firefox.exe
Token: SeDebugPrivilege	3960	firefox.exe
Token: SeDebugPrivilege	3960	firefox.exe
Token: SeDebugPrivilege	3960	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exefirefox.exe

pid	process
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exefirefox.exe

pid	process
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
3960	firefox.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3960 firefox.exe

pid	process
3960	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1048 wrote to memory of 4636	1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	firefox.exe
PID 1048 wrote to memory of 4636	1048	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 3960	4636	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 1160	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 4260	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 4260	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 4260	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 4260	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 4260	3960	firefox.exe	firefox.exe
PID 3960 wrote to memory of 4260	3960	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
"C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
2⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccb904e3-ca9e-4b34-8cc7-bf7f719b42a2} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" gpu
4⤵
PID:1160

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98844bd7-b1ba-4b83-a560-523136bf7635} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" socket
4⤵
PID:4260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3436 -childID 1 -isForBrowser -prefsHandle 3468 -prefMapHandle 3456 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5ec5a8b-87bf-48f0-939f-e661edcc1c05} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" tab
4⤵
PID:1352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4052 -childID 2 -isForBrowser -prefsHandle 4048 -prefMapHandle 4044 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa04bf4b-7ba2-4e9e-9fa8-58bce822681e} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" tab
4⤵
PID:920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4820 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b2def3b-a866-4c43-b78e-40b017bf61c8} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" utility
4⤵
- Checks processor information in registry
PID:1684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5188 -childID 3 -isForBrowser -prefsHandle 5320 -prefMapHandle 5316 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {829a9a35-d929-4d69-8935-ffd3f9850eed} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" tab
4⤵
PID:1688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 4 -isForBrowser -prefsHandle 5544 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed5d0197-96b6-4d58-9d35-8ed9b2aee96f} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" tab
4⤵
PID:3284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 5 -isForBrowser -prefsHandle 5688 -prefMapHandle 5696 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a55c18b-4b6b-4fd8-9eb1-2d6e70385bb9} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" tab
4⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
1f1970298cac50c0797131d0adc82453

SHA1
b7b3b5a57067b60c885fdaec15951f9e7496940a

SHA256
2a16d2321b0c53fb6138bc809bc26dd595141d25009aa69559e51234cdbf7d65

SHA512
1bf66d9d6cade1924c2395211cb5ac17631590096b7b56126fc617bfed55b392e1454c5a5be0fbb70a120db96695813e9fdca81a71e69c8ffe27a34f8da9dad8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
955e47fdee0c88254a89b7c9e5e0353c

SHA1
4412583d8da245760390e3b19ff463a07c421b1c

SHA256
b1af557315acb90ab3d18037d4844f638a0f8fe953e053babc1325033fa3eb85

SHA512
926f506d002eb0c442a7e13285386cd2269dae3497a65fa99b87404e597f6d3d3f4a39f68959675e0f863861e289a766f198ce98807995303d618afa1885e125

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin

Filesize
12KB

MD5
ca09bb1d5b09438e8eab2091f7a1e649

SHA1
7625c2dc946c5b2eeab94f8bc15e71a86254b965

SHA256
249a9a68fd42e614697e7cf4d7327d88a4752fd8b4e6f79713ef0ea35f219524

SHA512
6adc2a1642a35e7f4a88c9531377661ddb358a6f63bb19af17e0561fd4cde19ae22a7985606071e0365412090ce8822e99e3c29d20dfb8bfcf13ef4fa0ef0214

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
3fc4600e78d5806f840ddd3d3d5e950f

SHA1
b233f7a29a4bc507ef9463718b868c00cf64af8c

SHA256
64f5c1bdeb1e9f1be1a6630b43ca04fccc512aca42b7442ea1e19fab8a722cb1

SHA512
9031bdebe153cfa72660f2fd0b217fd2b9c5f79aa0062f1e83e315f0a9146ede3814ff3750e5c77199968ba8ac5983b3e9311f5d9fdba4eb6b83e1215a932bad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
972cffc72b8108c555ab9b6ad397f13c

SHA1
87b6635adac7cb5df5403238e5914d4c82ed44a9

SHA256
546c61be6328775f1494aaad70474c112f7df7282f787b21921233b2dd5059cf

SHA512
da17bcdc505fc7fede2b8177c6ea2d102fa094be49e612a56e7e43d51a67e9f57aa675f4b8a5c99a0d019d871066ca963f848facbaa6f7706e36d01799ef692c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f52071eefcd2eacb9fa334abbdfc340b

SHA1
20eb5ac75bd4a05ab36e5c0bee5581b845c630f8

SHA256
be8e4676a7c9aae123b16a1b29270168c62f832f92181de74ded466a59c26dad

SHA512
ae3e2abde6baaed3a45708537eba65761f1002333f363335d4c886a89ff6d77194d65f6248f9c713095d4f206741e380bcea83717548e0b5c0c156051398236e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
cda1b247b5b530edb4365886fc78ed0d

SHA1
81b68424ad2b2b615b1ca754b92b693e7e0d3fe0

SHA256
0a3e6a550c0a4be89bd211d188064a520e7d42ded81faaa5f7c441135f3301c1

SHA512
43a5e0f279593310785515b709765b4ae0e0fce331aed647b69689031ada4d0130e45ee223d64e75261c0dc1a7e70d35709971c348a47ed20c2ed95ddc5ce9b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\894917c9-ae6a-4e9d-9ceb-2fcd2ce46f67

Filesize
982B

MD5
2fb4b841c1c3b5b7faa879b8d367a2d3

SHA1
5e025cf7924d5d78a7e569b614e23539cebd28aa

SHA256
4b504ba21a2e729072ca1affdbe83563977ca089b06073a4a706ed04e3c2cd68

SHA512
5030ce0174db722a13b5432e6b979d6ba481392c5c3a1b9704eb9f1f04ce8e45cf1678025152cb38025240012bb8f5a804c5c705223517155f41efd4e1ff3a3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\e227ee08-22a9-4ad4-b2b3-1295e60bf9c5

Filesize
26KB

MD5
e5ec9ff53649ec1e3ae17067c3468caf

SHA1
3df343990341e2c2ca739d201d4d19733a623b91

SHA256
7ab9b058aa26f497581d2466ac5ee2de737b9fc7c60b594cdc4720665d30f270

SHA512
c97ae56416269ea544b678e0db46fb1352e70cfe6ed603c70d236d6ab2bb8a803ca4b9e19f409ff7d150ca9d86bb62cee37f954b93ded6009460a2a6d47ab687

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\f7e8cc7f-8f97-474b-8e1b-00e84fab5f4d

Filesize
671B

MD5
b65715a6a71aa5471f2352111d4fd98e

SHA1
3da70c14f4016ed6bdfc90544c7a4d096ce3e7e2

SHA256
81ace5571ce8391e08775586b45164a49f4b3bc765a83fa6af16301d53618674

SHA512
0321d2f014f3e99174b7aa58bd979b189dca10cf3e0a04109a2a2461c977ebd341393d99c46f8d76e39aca96c68200cb931317b25f5b835bcf79d2f7dd3c7e1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js

Filesize
11KB

MD5
3698c4f701d13ee470b4f00c52dd883a

SHA1
2202929a70752c25d24e984d6992fe147c96443c

SHA256
289bde21346b487b7591401344f5048b046f269f484f637ec17cd8bd1a1ed826

SHA512
5fd465a830c59f3db310d8dfbe4d820ee0e4ac34f604d5c8119721f7f89a05a09a052cf42bb851f182ffbff5ad76c0bf40eced3b533d3800ec9c42b6b9e9a7f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js

Filesize
12KB

MD5
adca2779c90739b5a04db6da325ea00a

SHA1
7d8adcd9f0b356b03f6697b90e27328dc3eccc40

SHA256
a1264031904d4328ed67f4662fb394e887515103542c909fc887b4af99697f8a

SHA512
db35075e41b858020895ad1f3c1e3b446dda6c0f911086ec77dcacb734e819a93c4f7d60760cb9f5a20f04c26a7b5b2790b3f310796f733bf82b91c0fefbf3e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js

Filesize
16KB

MD5
c24cfacd84a327105e9c2d973aa35728

SHA1
919f52d158751f7be55a4825281ac6e1edc5b194

SHA256
972d9a106aa464910ed44b0ee15a17874b20c9a78a0b2bbc1b72c24b0bde9ba3

SHA512
9c80de46118efe6cd2164933ebb8475aceddcdbf3bb7572ef47788b499d34ced3fbfe1c17c7be50d488cac3d61e8581e22ee94d4b93134da52f58969d0065cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs.js

Filesize
8KB

MD5
9b738fb38891c8922e23a4baee693f44

SHA1
2ff370d25c2a197e9b0d35fc71db4a97b2bd0310

SHA256
8813ad750866bb38356a08a31448b1eb0798daf0d14fe22ee6093a4aed71f0d8

SHA512
8a1056eddf53e01f5c26f646518427ea1c44ec57ea4cc211e97666f072d7d855385c0638349d1cec5f4f95b5585c0157014ad820fe170f89cf4c31d86dfbc76f

Download Submit