e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
22/07/2024, 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
Size

1.2MB
MD5

38e7523eb5ba752ebb7fda106bf072b9
SHA1

23555ae6b6cf3e3def07b31ee313895e48ffd2f0
SHA256

e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a
SHA512

77112aa14c6f1b96f164a4ad94e568f1cf6dad0a27b8795740c83997039a899b4eac2adc442ec7e1ca75595eded3c4b1c82ca87bbe7a0748db768637aeebc178
SSDEEP

24576:bqDEvCTbMWu7rQYlBQcBiT6rprG8aLx2Sbly7TWEPje:bTvC/MTQYxsWR7aLx2dW

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	132	firefox.exe
Token: SeDebugPrivilege	132	firefox.exe
Token: SeDebugPrivilege	132	firefox.exe
Token: SeDebugPrivilege	132	firefox.exe
Token: SeDebugPrivilege	132	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
132	firefox.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
132	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 248	3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe	78
PID 3136 wrote to memory of 248	3136	e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe	78
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 248 wrote to memory of 132	248	firefox.exe	81
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4044	132	firefox.exe	82
PID 132 wrote to memory of 4548	132	firefox.exe	83
PID 132 wrote to memory of 4548	132	firefox.exe	83
PID 132 wrote to memory of 4548	132	firefox.exe	83
PID 132 wrote to memory of 4548	132	firefox.exe	83
PID 132 wrote to memory of 4548	132	firefox.exe	83
PID 132 wrote to memory of 4548	132	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe
"C:\Users\Admin\AppData\Local\Temp\e1ba7d54c2c166835918d5e7388945f6490d047c5f838c9ec153bcab5944977a.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dde8c3cf-b18d-46e2-a144-fdfc3a615ccd} 132 "\\.\pipe\gecko-crash-server-pipe.132" gpu
      4⤵
      PID:4044
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8877176e-e41f-46b0-ba75-286fda6f2ae7} 132 "\\.\pipe\gecko-crash-server-pipe.132" socket
      4⤵
      PID:4548
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3076 -childID 1 -isForBrowser -prefsHandle 2756 -prefMapHandle 3092 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b8e5326-2313-475f-931f-ba63e0217bb5} 132 "\\.\pipe\gecko-crash-server-pipe.132" tab
      4⤵
      PID:788
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3680 -childID 2 -isForBrowser -prefsHandle 3348 -prefMapHandle 2740 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {016de214-ea05-4bf8-afec-dd0273b5ba43} 132 "\\.\pipe\gecko-crash-server-pipe.132" tab
      4⤵
      PID:2036
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4728 -prefMapHandle 2788 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3baaeb1-dbb5-4211-b26f-8d91dadfada0} 132 "\\.\pipe\gecko-crash-server-pipe.132" utility
      4⤵
      Checks processor information in registry
      PID:4752
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 3 -isForBrowser -prefsHandle 5748 -prefMapHandle 5600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45d9ec20-be59-420b-99bd-2623eec1ccfd} 132 "\\.\pipe\gecko-crash-server-pipe.132" tab
      4⤵
      PID:2864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 4 -isForBrowser -prefsHandle 5868 -prefMapHandle 5872 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cc98458-c461-4a9b-a5a0-03d5ffd2dbeb} 132 "\\.\pipe\gecko-crash-server-pipe.132" tab
      4⤵
      PID:404
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -childID 5 -isForBrowser -prefsHandle 5996 -prefMapHandle 6000 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68d8462f-1598-4f26-9da9-94ae67d5149b} 132 "\\.\pipe\gecko-crash-server-pipe.132" tab
      4⤵
      PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0xshw2k.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
1eb0ceb71cced6850cc0c7bcfb74a4b4

SHA1
1a8c107cb01c379ef303cd90974635fdf41fbb50

SHA256
ab226b5185457af83e90605aa28c077c18774df12017276189f9a7993e62c7ce

SHA512
d28883807b2741edbcb483a27a5de40cb24956d8a41785c2fdb89835a960cbc1c1a3e6ad92a261ef516fd310bbe73b006c97a910dad052526eba995d8483dcce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0xshw2k.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
2909d8e27533ee836a5d07620de42600

SHA1
8597d72e3ac51f787a1d4a09aa3daf51ceaf9988

SHA256
0b681e8b05aeff9479ac6cb6b785ef8879a0cacb55e2f222143c5e2054cbf85a

SHA512
a9805fbdbf1d4d6e3ba41cb438f4d25ee9caecfb3a50540977a601ce7230eebda73a5083294d25db85ae9410410ff1b95aabeec972b97077466e356a5b7db4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\AlternateServices.bin

Filesize
17KB

MD5
4b042f608566316fec8d7babd5cf8cff

SHA1
e3dcf79dec4f852a5675700d6e7434aa5bd14a4d

SHA256
b4848b2e5d8ca6eb968a0ce659a286390501eaf8478f40116a75288f5fbb285b

SHA512
4607a2c6d8e3e3396a1cf32db6f97f593f479c8be8c3e6ecf918956bf3e7fde1ad422b5e5629c2427523cd7265008b39eac2dd80b37af43cc36526c11e6fb6dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\AlternateServices.bin

Filesize
8KB

MD5
74b546f9cc74436242ffa9c125276704

SHA1
624a360385989f1ef0b39e060f4a77fe6dd4390f

SHA256
583064a16650094ca57a60fbb614d951b80972bf4dd695b981b1eeed10e53551

SHA512
df4799e43e755d5b91e5b214fe415823777abb0bd3a64b75ae9bd2296aa8832b176ef2a23e318ab45bc0b03a4b27d5ac78f72b0d735345909139abcb379f0453

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
29a339eaeccb632be30d420da81fd8fa

SHA1
c930fde28936110ef38caaccf2333fb780aeabba

SHA256
965b5e15de55b7f47b82aab42ae88298d8068b344b2f59a7a82e7af2c52fb6ca

SHA512
1730f927e1309f29ebb1b89f3e1af090e61ea019c13e15b05e5ce3834c302288d9036cac2365bb53c77ca088980259390ddbbbf40cf8ba8a7801e34b7bc5dfbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
9a3dcfe02f8927d1f7e2aee3ffcf150e

SHA1
3ce6ca6fe5c48ab0c23107ee0ccc58f8c84408f6

SHA256
abba3e95320f683db092187e3b3b70e33636f704a98e68ead0836e511c7d6829

SHA512
48e49d630cc30f64e80505b0b165aacb9ee2c82df8ebb7660c2d8c696199704d58691d5e1d344a2e2ec0d4c0a9c74826963535ce8cac8f3c3399b6592beea9c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\pending_pings\0912ca97-5e55-4ef2-b9dc-8c345a324c0a

Filesize
26KB

MD5
4f9ec0d931b8aae49a7b422cae7b2acc

SHA1
18bc7111a45d11c601e28ca7faf259a48b37c952

SHA256
6a7a9c2f2fddef6d13539c4879a4bf7dc7bfbd03b9b9d82c62d573c7bc08b418

SHA512
324e8ec69c2038309b77c3c3c1b0666d1719931bdc04c0453005fa84bd4d8f1903e0de1d48d7bbd937fb95b73be6a7bd54a9fb74296822b06337b1f546b2ce94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\pending_pings\8809ebd3-b562-4d1b-a1ae-ef1d7969e547

Filesize
982B

MD5
9f9666decdffa927694d29d3e2205b6c

SHA1
5c707436ef429b74f5813a27e06d0b6bff4cacb5

SHA256
e9329696b4a81b87199e575d4a3867bb7692b8d6ec94b4d34d46a30f9523a5c3

SHA512
ef6142ff13e42526bead65a82461f98746272263d87b3a431f44fe054436a96aa15d4edbd425f0fc94a0cfa47ab607794fe0e3b30397e8482ddf14f1a6425db3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\pending_pings\bf54e13a-5f5c-4af2-a552-f76757f718cf

Filesize
671B

MD5
94845e7ac8bdf223c3f6e33d071c9c3e

SHA1
dd782b67934782a5a8052f96c0c3bc01f03ac779

SHA256
3c25ad0be25f8b644ed6374cfaf719af24a32727dfce56a35f901057c0438c15

SHA512
04c7da0ee5fa093fb4494d0b05e9fa0322cc2c415035b1157c5208d85a0c3f46d7b130357d4d8f68ad88c24b06f2d1604412dfab3d33a1b12778d6b73b0c7636

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\prefs-1.js

Filesize
12KB

MD5
93851c73cc601345cd4ab47bcc74d356

SHA1
cd24ee409aa865ce1e78574c679eaa2eb2635240

SHA256
b8cb6f47988854efa3f25dc28dde4ea7d4eb0479335536136cc2711b17a1b8f0

SHA512
6186bbdbd37643e86cb93632eccfbf6e9879459b408e645bce74efcffe3c5cdbe4582b2b49e4dbeeb87d53ceba4c6bc551d698795c66cca599d24efb03b6e1a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\prefs-1.js

Filesize
16KB

MD5
b2b3d1f8337a3e24c21b1619370fef1f

SHA1
e33ae94eb3f610701563e35f080868d3aef474d1

SHA256
787b689be50c8f27feb94625c2f06f62b196d7c770ab1b332f7158159493f68b

SHA512
407d300b8da6c66fa99acc26ddf90f5f672adec008975a1c6bccabcce0a43a438a774ec749ba90e37f559c09e6d9dfaa1fe7757849a5847f7c49128d350a495e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\prefs.js

Filesize
8KB

MD5
bcd52bd60ca2a3b43b9c9e97de55d160

SHA1
58d2ca730152d2374b20e976d8f1e7c7ac5547bd

SHA256
e7b2fec908606112991430eea352fb445af2cc3a154098947a469ffa478d63d0

SHA512
8b874b58a83784aad22bc0335f50e245b77056ff2bf40ac167aac222af1f144fa578e10dcab4e020cacfd98c5c7665348834f86cb6e1767f4e157a847748ec5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
960KB

MD5
54c6b7beb5e2e34630806567c33b6f02

SHA1
da147b2a91168812dff54108f5f36bd0f2448246

SHA256
eb291758f1d72d8ed10cdb95bcd2ee677994129a3a2589cef1b37f42343b05cb

SHA512
9a2c47c7637f638bbe78e882efd63b471d0a6b6c896f593b28102bbf752be573b735200096b1de34202fe7797725811bbfec7d98e7ddc12675bef35c1f98ae78

Download Submit