180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd

Analysis

max time kernel
149s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
26/07/2024, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
Size

1.2MB
MD5

a73378024e79f58b4cad0999872c5f98
SHA1

a7953b9edf8a1e86e0cc4ffd0c33890533016f7b
SHA256

180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd
SHA512

e71a23df64091805a30cee6e3da6727df26e91d8a82ffe931021799ca099269203835ff1f6940e05fd17e621a43b5fdddd4827949bbe8f82176f631bd6db48f0
SSDEEP

24576:mqDEvCTbMWu7rQYlBQcBiT6rprG8aLk2Sbly7TWEPje:mTvC/MTQYxsWR7aLk2dW

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	firefox.exe
Token: SeDebugPrivilege	2480	firefox.exe
Token: SeDebugPrivilege	2480	firefox.exe
Token: SeDebugPrivilege	2480	firefox.exe
Token: SeDebugPrivilege	2480	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2480	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2084	1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe	81
PID 1188 wrote to memory of 2084	1188	180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe	81
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2084 wrote to memory of 2480	2084	firefox.exe	84
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 1508	2480	firefox.exe	85
PID 2480 wrote to memory of 2304	2480	firefox.exe	86
PID 2480 wrote to memory of 2304	2480	firefox.exe	86
PID 2480 wrote to memory of 2304	2480	firefox.exe	86
PID 2480 wrote to memory of 2304	2480	firefox.exe	86
PID 2480 wrote to memory of 2304	2480	firefox.exe	86
PID 2480 wrote to memory of 2304	2480	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe
"C:\Users\Admin\AppData\Local\Temp\180ed671c4d965ec7240ad7ff811eeead49a7f8c0b5353fc715ffebc0ccd46fd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1872 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4642faa-05e3-4cd9-b80e-b95cfa58808e} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" gpu
      4⤵
      PID:1508
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2388 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a9cc9d5-84f5-4570-954a-83dd97a5e7b0} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" socket
      4⤵
      PID:2304
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 3004 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54ffaa71-8af2-4e8c-8029-6040d07b38a5} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" tab
      4⤵
      PID:1620
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3cc682d-4a00-437b-8f45-73733e07641f} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" tab
      4⤵
      PID:796
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4632 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9b6fd78-bcb7-4abd-8dd5-3d370f778ddb} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" utility
      4⤵
      Checks processor information in registry
      PID:2464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4912 -childID 3 -isForBrowser -prefsHandle 5492 -prefMapHandle 5480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {241ccc8e-a50e-4de7-8e65-9ad82aa98797} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" tab
      4⤵
      PID:4536
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 4 -isForBrowser -prefsHandle 5480 -prefMapHandle 5596 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e9db2bd-f99f-4763-81a5-234313f09e44} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" tab
      4⤵
      PID:2108
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 5 -isForBrowser -prefsHandle 5712 -prefMapHandle 5708 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e28857e7-2d8d-4c93-9ed3-bcd8e63397ca} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" tab
      4⤵
      PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
366cc9f8d0326cfe620bec46b98aca74

SHA1
31aa3c56035ded50c47dab85913a88e66a042c4e

SHA256
dd6c0e6548643e0ec5193d0995edc068457ce9cfc798367d18aac9e373705ff5

SHA512
7d27c75e759b5955791b1a3ee74237238acbf64e11a1159ba8999ea47a184abd45419634e6651c86aec5d895a228b678db04d67a454c045058fb139c9a174026

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
7a5df4d669c0b6111d0a4bd50d60e64b

SHA1
3f07bc53f6da1623f6fbef806dc632311e2bac71

SHA256
b3358f2347e81e20edd369990b83da72c18d65b14a876e645ea9f0adca0f0bca

SHA512
083412b3c7ff9b28279590c0acb0f583b7820467887542225821df574a384b918118732235abc4097a48e4442c4ced4dd2e14dbc84761c487eb1c8c75cd771ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

Filesize
11KB

MD5
7fde7dafdd641226a9230e8e4d28e48a

SHA1
13621fea462b4950786227ed88361240897ad452

SHA256
cfd665dc2120d9d9ed667470b9a4e3c40d3b5f34d7f23861640d6bf2e634c881

SHA512
320348ca2280025be51d2248faa0d7c84b405ef2163895c8a469c915720de13222ef1b3e9f1e477f3d64cda1d40363b1ba531cea19864e9302910b4e5a45e4f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

Filesize
16KB

MD5
5978387855b4f97b72cd2b3519be6e13

SHA1
5d654793fdaeaacee3f38adf9470a30aa83342ea

SHA256
5e2e41a06b259b3ce8d66cb6f02fe3ed99c7907c712dd1b10e269d904c10943e

SHA512
b061d06fe695ff55330dd97c38fbf3007297b64ebece07bb6f967a89850cf4294c970f005df4c8ec41807a0548e38ab4a023597da742eda8b17cdf84693b0b0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0641275dfccade2b32b41ea4bdcbca88

SHA1
13a0d1afe360dfd495a7c24bdf1ad0be599fb33a

SHA256
7090ae564dc4eaa6331b1626986d8d07fad16ef6fed27f1f5fcfe1376bc421a0

SHA512
5ed5878e945fbbbc2bb5af999851d05a72f79cfb4b09ac2a2e917de0c9f09b5ebdeb531e2899c5b20df9be3a274eb7ba5fd2df604d41958f5b0f3a60aecdbf08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ea7decba090d87de2b63c19eeb06cdf6

SHA1
54899184eb07744e2eca9abcdd323bb1a5db2a14

SHA256
91120c87309749c99f55fb18706602c305206b1109d947c2a8446c9619295b4e

SHA512
7216da5f32169ef8594ea3a1c88e7f27c1b6cc34f990886cf63f872eb4c97a6ee6d772754c377258668aacdb4c784ee51497e40220dfb74dcfa53d149bc6c58f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
0c200f00aa535fd6f30ee7d77df1a902

SHA1
7e11bf93c36c87e95f57c7f0170e13344bda6409

SHA256
68ab0ea20be56500fe8fd65684f44a0917ebf49e9ed315a1886fa01aa8279c54

SHA512
b07c4cea9523fb53f90903786899dfdb77a66687412c1685e45254855b79357fe859cb247ea70aa779124eb2954a5e15e073b1f97744c2c9658a6fd75b81c607

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\0cdf518f-fecb-44e3-8a0c-5810b4a50daf

Filesize
671B

MD5
733d0888d1d902d28bda39b127dd03ce

SHA1
c789cbe40e98fb05a8deffddadac6e5536bdd100

SHA256
a60e2d1f349d4481d1fe67eb6fc49ed3dbf84abfd997dff654fb1471d3b0455b

SHA512
0e64c85a15795b3dda67132c8095f5287073b90d7a4f98013a03c8262a9771eb32cd7db0fb0ba8725b0acfc1fbdacc92359925dd226c618360a080cb152284e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\bcc9c309-ccb1-4230-aa62-39a94946ddf4

Filesize
25KB

MD5
189d0c69d6542be0ffac8a36d769558b

SHA1
aabdb96db708d4f6ca87378c222785d28535d54e

SHA256
176145578b65905a8d018e429411d0dfd4437453076c153b66f1ec8fed75ed7a

SHA512
9eaeabb1adad6e5cde4cda734dd7e51bff53504834f68ea42ad2dad7dfefe7e1f7c6747e981c1d10ddd1cc0f6fcc661fa8613f50d08e1b452ad3cc69847b5ebf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\e5d827ba-58be-49ef-bb8e-96c2e96d31cf

Filesize
982B

MD5
e04970ab0b527d6137891c7a2f05bd3b

SHA1
54a4d1808fac2f9f2c7ea3c90d0108eb097ca61a

SHA256
de2c3f146ca034728aa5a4c85303b06f0abb1ed15ba2bf749d7813b9d14df0f9

SHA512
d6abff7f0db21a5b19925f981711e319f4f95477d22ba7110c981c66420494f5ac665ad987bcd9f92aeddd598c61551faca10fddf4bb9451e157f8ff62a374b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

Filesize
11KB

MD5
5b8fc021d53e23f96dc1a26ffd246733

SHA1
695224053af6f413f1ace2b480aa9501a3e6a2fa

SHA256
36a919e6f8cda80dd80f4910b74bb3fe623bc1e04aa5e4df2a4db30da30de840

SHA512
3f62b9ba7cd3d141774ad8086cb1bb1f6c8f7628368bbc6cba3b7d1a521c2560c914621b81fe7d51e66d775127e8e569d451a640577fc3a357d32197ea255dd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

Filesize
14KB

MD5
869a3bd4cd2ba88dd4936edb3e8f5651

SHA1
9ce50f2161344a45fee0164ac29a5eff4d0f8124

SHA256
537e005debc6841d57f84dc7d5c0d89fbb055a5073ae1635e21de46af9a4ffac

SHA512
27f22db853deabfb6135bfbfbba00e9ff853ae349bd723de78d581110321e6e1477b6de458d41a45fd087934055f4bfeb693ab5094366a172c2a9166ba130685

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

Filesize
13KB

MD5
d94b992bc6c50e118a95b388db89e4ed

SHA1
6864315b8f7e1a92d8b4f147aaf3f58841321bc0

SHA256
679bf245ef09ed806ffd4feae7981f3a0931b82f10f6fa7f56c3d11193f4128a

SHA512
5c09d17f596b329f6456d260af4c236a0013919c6d64710a250e034f604d1b658a40ca9a06eb32b8ba3de5c75ca7535ec0df7593fbd3c6031bca9cb4896d76fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

Filesize
11KB

MD5
0248578bab06908fd0b6d04a8137112c

SHA1
23e40bd8fbf412f5384be6d87f330396905e5b23

SHA256
ad080eb2418a06ae2d3b1b680326a49a4f809ce60db587e2b3398c5b3556ba67

SHA512
015818d53f0804d1bba74d2836e70109ccc7733756102b6e9104ca81ff22667abe40c9fe8156694122068b169dbd7021726712f0c90cc79da9292be733ce1147

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

Filesize
8KB

MD5
ec6a2fab357ed68582495caa27dc247b

SHA1
1cdfe639ad3e176708c42013012c16da0a3d68bf

SHA256
06f65c15f88146f0c279a887b1d91eba9b442c353c338c2733be0b7010499413

SHA512
02a143bf0229c0578cd19663b36a92a80b5193b21c0de68137c923eee9baae26f6f2fa3ba6eaa34686fd333b4641545c1919340398268469aa7ed2223817636b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.4MB

MD5
bd500dde536316cc579e06157f489a23

SHA1
67837e265b168296ffb2978fed981265273cff20

SHA256
3cab28fcec403498c43ee405bb1ea9f49452b77f6f7c9e93ec26b16d03eb57ce

SHA512
459f5d54bdb59fea7737891564e63ba843bcf90781b3505f212217d03372eadaa23bf6c1607ea663d64bd2e32c9449fdae8afa7b8d699f27b73a9548f01e5463

Download Submit