bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Size

1.2MB
MD5

dd831eb4a822421a497990d84a0fd578
SHA1

aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
SHA256

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
SHA512

5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
SSDEEP

24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	firefox.exe
Token: SeDebugPrivilege	228	firefox.exe
Token: SeDebugPrivilege	228	firefox.exe
Token: SeDebugPrivilege	228	firefox.exe
Token: SeDebugPrivilege	228	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
228	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4704	4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	84
PID 4684 wrote to memory of 4704	4684	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	84
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 4704 wrote to memory of 228	4704	firefox.exe	86
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1128	228	firefox.exe	87
PID 228 wrote to memory of 1660	228	firefox.exe	88
PID 228 wrote to memory of 1660	228	firefox.exe	88
PID 228 wrote to memory of 1660	228	firefox.exe	88
PID 228 wrote to memory of 1660	228	firefox.exe	88
PID 228 wrote to memory of 1660	228	firefox.exe	88
PID 228 wrote to memory of 1660	228	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
"C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c402a3bb-fa99-4a40-ad93-19d4f11b9309} 228 "\\.\pipe\gecko-crash-server-pipe.228" gpu
      4⤵
      PID:1128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2384 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c3bed8b-7132-41aa-9af1-70a87ba525d6} 228 "\\.\pipe\gecko-crash-server-pipe.228" socket
      4⤵
      PID:1660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2676 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3264 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a02b8c97-1827-43cb-a6bf-104eba50712a} 228 "\\.\pipe\gecko-crash-server-pipe.228" tab
      4⤵
      PID:348
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4144 -childID 2 -isForBrowser -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {859b35fb-09f4-4750-ba54-d57c70c43f14} 228 "\\.\pipe\gecko-crash-server-pipe.228" tab
      4⤵
      PID:4408
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4704 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4720 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55ace776-9f1f-4511-bd00-1226626162dc} 228 "\\.\pipe\gecko-crash-server-pipe.228" utility
      4⤵
      Checks processor information in registry
      PID:2600
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -childID 3 -isForBrowser -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {021da278-60f4-4ff1-8545-a9a0795c5668} 228 "\\.\pipe\gecko-crash-server-pipe.228" tab
      4⤵
      PID:692
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 4 -isForBrowser -prefsHandle 5304 -prefMapHandle 5312 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93a3df1c-6f8b-4fb6-bc12-d507bc6c713a} 228 "\\.\pipe\gecko-crash-server-pipe.228" tab
      4⤵
      PID:3048
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 5 -isForBrowser -prefsHandle 5528 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e4bbdcc-fd61-4aea-b20a-961f6ffc8cd2} 228 "\\.\pipe\gecko-crash-server-pipe.228" tab
      4⤵
      PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1l89xtkq.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
02e460e26214c8d2440b6aef4ffa224c

SHA1
d8c42e10a10422284d518f23df10defabb6f919f

SHA256
1582d323500e1b6eb7a469dece052c1131da96227d8a975bc7841cd7dee150a8

SHA512
01df7c7fbd77ac0eaf1e0c67038ad1c366d11011e388a7bc5ed5daa2820bd975c0a2434c0ac7c894cbd3274391a465320e864bc43da597f2d48ae19fcd6f16d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1l89xtkq.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
fd91b7700ace7b356b55ef2e39ccb6e7

SHA1
5a7326060bc6bfdd4aff058f958e180a92bf86e0

SHA256
489eb1eed6330c811a415fd72653df3c448fb11514d10586dd8bf0704dd6be2c

SHA512
51249e55d7974dfbc5c55e74f649e8a69214a45bcdcde83435ca4914833c60adddbe10b8179f35f3a20d5daf5337afc2668ed9b71d9d0955e45433e41e95578a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\AlternateServices.bin

Filesize
8KB

MD5
29cd4fb1594cd4bd5c7ebcf7de1e68e4

SHA1
8a480859f7888d93e065f5fc7886adbe9f316f80

SHA256
f453bee7ddb2286ad258d7d9f0adc635f4b37b5e6d3e6615e18e5907fee88ab6

SHA512
e5f76b4d60845da7b8060d3d49ee8993b4de0c27c70122045d0bbccf86f5b62d601503c60bfc88278e44e7c4e74e453e3b84c5bbcb71627a33c68a931d38bd8a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\AlternateServices.bin

Filesize
12KB

MD5
f90fa6ed6c97bc5c9412d3fe37a48d2e

SHA1
133baf8331bfcf80d2c9fe8d29d3d260c25f71e9

SHA256
455947d5c5fae71033f3bc0c73d30739f68feca026b443893c908cf0fcb5e403

SHA512
e5217fdbe67d05f2f342720e6279c54f063818086de8a4d85c8c53c303853648377b2f0eaa60527cbfa293e98e71a6a3476e66fbe12abec2a8bf542769fed14d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
665f6ae93651e1c6f72fa648c2d38e0d

SHA1
9f87fd9d9e1712050e42c3b01afc11af323aaac0

SHA256
e4c8c481d08850431ef8776d782f59cf10a5380cef407194c185ee2fef7ea52b

SHA512
df3838c3a15041647d2a4b361734364ec0d33c804e507ed311a996f118473a7670c3e1bb2395ef2d555f9897a99f9e6a5481eabc941525e47ec4e0a402fc4e51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ea4e0b94328178b8345cf68c8f9b3fe0

SHA1
6d5051fe58c3bb8802f635481b9ba5fa10081527

SHA256
ec92621bac755ed77ef9c5b9306af320808a95b549c10447cee7ec7827e29ef2

SHA512
4085ec5317eb5b2102fb57ae26d85386dddea87bddad1ff64df235131b5a5b44ccd54db0413ae7d46a32c4a312c917452ee4dcc843129fd32e364324b2338590

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
cb98228fb7fecc0953b219679dce17e4

SHA1
8ffb079e14a767d05394ef5cacc7e788326900f0

SHA256
8a2472de3d15770443d65865f3066c9715e5aa8ccd4b2262703d1530538635b3

SHA512
81f3280f8085bb981de50ae7bf07d603fd5ec4f2e29497318b430a97c4a38f3261435ff351ad9870c52f52ff15c2c89b12467e22c9563aae6c6af100982befcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\pending_pings\063285bc-5ff3-447e-849d-1a4118b7d17a

Filesize
982B

MD5
c2612df9324b16e53f04678cb3c4f5f6

SHA1
fc67bd3092b95dfbd507f3d0fa9a0c841b6706bd

SHA256
db5a8b1a0100f1631e21f709a8a4e72c6207bfa70a0b7f661b8bd4b8d3bf0727

SHA512
e6770c99a99bd28159cb3ddd3990946996c10553cf969e49bbfe636f75a1f175701e84a1da6a8ad643cf161cb5622bfc423975623551beddb591eebd56b25c20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\pending_pings\6a29042e-1f86-4b1c-bd48-ef57ba93fc9f

Filesize
671B

MD5
ce12d02564b5104329afb9e9b96d29c2

SHA1
6d51580490ae1a4ce38301112a53a1208407425d

SHA256
eeb6ff598d15af924d4ea6b40b6231e28081c4b03aa06a46ed16002c4d25646b

SHA512
46ba0a83a4b4a3babbc752ad4e479646c6cd9985c2aa8b2e157207f1af4374a83807f0f266caa3109e69db12bd37c9eb06d9f09fc9321b4103bd4e45af78037f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\datareporting\glean\pending_pings\fc71cc56-47fe-476c-9ec3-2adf550ea451

Filesize
27KB

MD5
f2365f0a35a3c03b0e37d385566ffeb9

SHA1
65aa7448896dd0b0f3e6662a0992c740d1ee7c52

SHA256
b6ba7e8270551e0f4ba701c37346af6b22f2d142612702ff78279e8a89b84dc1

SHA512
3f8fe1dd2dad51bf4d10fc1be614f029d56ada435f65b3a76b65302c05decb899baba0d876c75881a1de7ceb24d1d28b4f365a94b0710783fde485d9536706a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\prefs-1.js

Filesize
11KB

MD5
42b5e8d802564ef266a23736dca25929

SHA1
76c298157a21164c33949a556ccd678f50c200ce

SHA256
bf97767d6b99f5d620a3c0f99fa4462fb32f1c85944de6248c5e60046bc28841

SHA512
558616352ad141dbbdda446ec74bde33230e738365aa069c2bd892d1fd7d0ab41b63f83ec8b9b37b879789aab8af6dad9f597cd18ddf8a4594225ab702f84eb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\prefs-1.js

Filesize
12KB

MD5
63deb4083a48fd7dab936e01e5874d95

SHA1
f3d6e31f58ec8d8fbf78534dca6ef4a0dd704ba8

SHA256
5b060d7d574bea2d2c94f6833fa79759f4fb3a7c347a85af4afa5fb32c662dc6

SHA512
94cebed1ab858753bf2c1897bb69d851b74a8c56ad314d3a1e0445bcf53a78f557cb8d9c1ed00dd786b6f248d6ab823ecbc5cdc6a30b9ec2c0438719a7204a69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\prefs-1.js

Filesize
16KB

MD5
210c7ed6a8aacbebd43d74d35f01618e

SHA1
908ec4714c2cb9cf735f7c4b19c36b754dad81d5

SHA256
f94775e8a215aa58de414a99c90a991f7d8e761b69bd90b1fba8eea75614ae99

SHA512
e1f09d8ac3b95188ae0017f2bd4cfbd994458d7c453a54693690a98f3c334a4050993d15cb9ddad84727d65f44e0a4d26ce64ad6021195ee26d1b9db541b3d26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\prefs.js

Filesize
8KB

MD5
8372e383e329165b3e002d3a79a2cda0

SHA1
d6ff0699c70ba75ab13f40b1649cb2262a6d6f45

SHA256
514e5617a404d374c8d0aaab526d6a4e0cf34b5a4d97ae6592c8d35936ef5112

SHA512
a3a19855b0593c7a0e6836b510f71b0b02a5bd3fc712a187c808a1a037aa8758af55d884e9c95b377ce21f9450a1f7ae5daf06fb2b8e5dc94d1bd42e5fcc90f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
976KB

MD5
224ef4df3eb548d695128056afd9847a

SHA1
0391fbea02ec8711cd3b84171326e95eed775dfc

SHA256
abe5c7d1aad0dafa4dfcd58a30069f2177e524e9d481cc246fbee1554a078f70

SHA512
06cdb37ef0c7a82402a1521b43acd396799152e94fc01913a4e8865500e2229d242722a729f408d3bc0c938dadd9a431b373935e6cf99052c6353f0c374be41b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads