f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 13:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
Size

1.2MB
MD5

7eb7229fd89c5b50e720b8606495e79d
SHA1

44e352c1fbc8751527aeaa7a8974d3991eb1890d
SHA256

f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018
SHA512

fd246dde7eee0284c2b918612aa26e4d9b892b413956ef65c5e5561bea7049ac809fccf2df25da5a14ca94b4bcfe8e6ec5215202f8411385b0af8dad5985a2cf
SSDEEP

24576:xqDEvCTbMWu7rQYlBQcBiT6rprG8aLA2Sbly7TWEPje:xTvC/MTQYxsWR7aLA2dW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	firefox.exe
Token: SeDebugPrivilege	1444	firefox.exe
Token: SeDebugPrivilege	1444	firefox.exe
Token: SeDebugPrivilege	1444	firefox.exe
Token: SeDebugPrivilege	1444	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
1444	firefox.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1444	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 3632	892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe	89
PID 892 wrote to memory of 3632	892	f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe	89
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 3632 wrote to memory of 1444	3632	firefox.exe	92
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 4580	1444	firefox.exe	94
PID 1444 wrote to memory of 1540	1444	firefox.exe	95
PID 1444 wrote to memory of 1540	1444	firefox.exe	95
PID 1444 wrote to memory of 1540	1444	firefox.exe	95
PID 1444 wrote to memory of 1540	1444	firefox.exe	95
PID 1444 wrote to memory of 1540	1444	firefox.exe	95
PID 1444 wrote to memory of 1540	1444	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe
"C:\Users\Admin\AppData\Local\Temp\f19e7cd4c2be82f3f076fc290b19c271c9c9922073ab06a1890a4c5b7ee5e018.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:892
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1928 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {59185aa6-3637-43a5-afb9-be22784a902a} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" gpu
      4⤵
      PID:4580
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {051813b7-b9c0-4cf2-98a6-433749af1f46} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" socket
      4⤵
      PID:1540
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 3384 -prefMapHandle 3008 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0c35288-9226-40e4-a2d8-e6fa548a1598} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab
      4⤵
      PID:2120
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -childID 2 -isForBrowser -prefsHandle 4008 -prefMapHandle 4004 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0211cfca-0e35-4da1-ac88-cd6b9ac5d588} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab
      4⤵
      PID:2764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4812 -prefMapHandle 4820 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a69889c-2f7a-4ace-a733-e4e991cb16dc} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" utility
      4⤵
      Checks processor information in registry
      PID:5228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 5124 -prefMapHandle 5236 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65aec976-1276-4ab7-a9c8-814b3ba07749} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab
      4⤵
      PID:5776
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5468 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae6ec0ad-57e0-422b-a097-2f0866eeb8f9} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab
      4⤵
      PID:5816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4488 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eb592aa-6419-4e1d-8f5b-71caa4dc4519} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab
      4⤵
      PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
a1a1417a3aa96f67f4d69b13a96f696b

SHA1
2c44c34af5727d25c8e46dd11e880b748b9ab886

SHA256
8a441c75af0a7953be630f6118fe418f04b1da9f8a9b214dcfa4d64bfc2a8c52

SHA512
d188104206ed172ef9f0fbddb450c873f62a7a55200f022b788829119fdc8bfcdb12251f49a6ec94e035b87b6ecdb2e4cf60358d46322082824dcad5eae0330b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
7c4042c4c963d877eb1a82c2ee340189

SHA1
bab51df0a11d6ce38a22302701338cfd9cdcb90a

SHA256
d6174f903e227125b64d057c7c52db9adef2256df2e3db088dd49da37b1d0756

SHA512
b0af14bb2320751d0f91a630fb38238e3058964e051ed47b9f8a75451913f2eda1d1f4bb655991cabe9472a542744ba507d236eee36812834c2e418f0c4f391f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin

Filesize
12KB

MD5
98c7bfe05d57d11dab5494d782478377

SHA1
78115f8d6d9257265a8853ab4bfdb73c421c3fcf

SHA256
427f2453729aa9cd6419f67e8c483763e271110c037ead3354aae148c37e4472

SHA512
cd30f0d6edd96c958d0bc10bb1584065ab596071c78957d24651da14e0fc4ec3ed4af70b9f6ef89f665d9e6c67282158b7312228ee19c531fb82380fc653d30a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5a3b0b890b33a338fb7462f3e3616182

SHA1
a655fcb3545a890e16bb3148e13efcf19357e7bb

SHA256
05724980593d5c2d9ef0fe03ba60978de1fd876f2bf948e3b047760d9eff22cb

SHA512
bf08734b49a08485cc706b877af0937071d0fb3c39ee1609ffdbf5f16a4c21cd25f8dabb1c497554465474e237b608e16fc111102efb02670ad3d4e154cc5395

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
21ced72d090afc258cd6ab757d73c9a2

SHA1
d7a6d978a98c9056a4e076001c6f9b4e4c0b70ca

SHA256
e69dc3bedc5ab6281db4ae0362abac02d800fed8834686ed02e1fd1cdac9f71e

SHA512
f21acd53d96b7312b738aa99aa139ec20d7a39525c53aa8c7d973c591ad93fcaf5c13b60addfdde796c00d5c175a86b1173d17a6207da0b81fded0c6374296b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
288848890714aa4d441ac28099b125f3

SHA1
ecf6096ef3494308db6b314ff38786cbc639a647

SHA256
b0e6ad59c42d6ffe345c5d7daef704501c52ce66aa50bdfb605e510deaabe8e1

SHA512
487f985b203f17567c6ec8e60435bf7966a458a6da8e37a03743df38b9e7f0a01fbf0abda20a6ca36b5f7a7d36798ccfe28e9e477f874406f128e615d525f1cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\090cb78d-dcb5-4247-bba7-18daa7d3e09e

Filesize
982B

MD5
53a1c59e90b416c38dfffedcf2b86d93

SHA1
f24f9d4d6d2d4acfc3c8e7a4ac001c4545bb0abf

SHA256
eea7af19ef04e503d3b9225e3d3f178b398c7f5a1890ac89ed9714084ee8a858

SHA512
45d07ae4c19a283ecf08a420aa16b3204642416450ee91ab2c7abec53b2d34463c2417685c289ff5ced0be3c24b18cc4850d49fc10d1a4baedba6e05f6be384c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\1a566f1a-d455-4099-bd5b-40b7603b7962

Filesize
24KB

MD5
060b1e4e30d0e3242d058a3afbc804ef

SHA1
451970f28d6575119f6eceafc5b0b47334f59f4e

SHA256
df2d39c37c0b9eb581049598d366c17054da5cdb23553862b8f2725e7ddf0350

SHA512
daeaf22b2ab42de73683418e1ae76a9fdd2da7fd4bf5056a60ceecc97348eabddf169d4e66c180ddfadb099c7941bcd808149f33417d34f68e40e2694842b218

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\2520245b-0cc4-4e2f-9b1a-186a110e5fa0

Filesize
671B

MD5
572cf92bd327305ad1fac3849df7bd94

SHA1
3ede0e2a49572e94aa0b9ad280b8651336854a7e

SHA256
89406d5ec002f0cffd5e43854338084189e59baf72b4aaee6ad68f065ee71a5e

SHA512
30ca4610182f8a74d6c7af49fb007cd8454dff6d2bda8fcaefc1eb9b79690cd51a1140895a7630cf8b5719d1bb572bb3f84bb347dabe16d7e7c9877d4c844c56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

Filesize
13KB

MD5
e8fb2027eb2c3ff96f66457fc0fbff8f

SHA1
a0b998e9c2d37937bfe2cf0e8f86b7bd0839d2f8

SHA256
ab14ae98bf4b600d66779b9e1825035cc70fe48f5e7d05877cca72cfd4e6a1ab

SHA512
60f8d90add52bf7419980541cba831ccebdd3272dac0fddc0c8c6ff7bce9a550ccc4ed300653843a80cbe794684b851284f9e53fb19a8c075f0e61b607b39bc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs.js

Filesize
8KB

MD5
5627a8470ebf8a005232ee5d19329757

SHA1
ccccc953ea830809851f6fd16d3792e0eb44580b

SHA256
82ddc410d3b52f14e21c59663fe247cc05154379e954b8469128fa555111c5dd

SHA512
3a2a5d82e1ecb9eb4a848eb51e28283c988c2d5e8066740af08fac5e157dcd94aeff0258381318ba30061e2d068a5736ce28f519053408ca9d59b03197a4d5c1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads