3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Size

1.2MB
MD5

dd831eb4a822421a497990d84a0fd578
SHA1

aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
SHA256

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
SHA512

5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
SSDEEP

24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\Control Panel\International\Geo\Nation	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	4580	firefox.exe
Token: SeDebugPrivilege	4580	firefox.exe
Token: SeDebugPrivilege	4580	firefox.exe
Token: SeDebugPrivilege	4580	firefox.exe
Token: SeDebugPrivilege	4580	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exefirefox.exe

pid	process
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exefirefox.exe

pid	process
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
4580	firefox.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4580 firefox.exe

pid	process
4580	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2444 wrote to memory of 3964	2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	firefox.exe
PID 2444 wrote to memory of 3964	2444	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 3964 wrote to memory of 4580	3964	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3004	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3664	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3664	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3664	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3664	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3664	4580	firefox.exe	firefox.exe
PID 4580 wrote to memory of 3664	4580	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
"C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58e57af6-c982-4e74-897e-d5f9c13f1c6b} 4580 "\\.\pipe\gecko-crash-server-pipe.4580" gpu
      4⤵
      PID:3004
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cd23524-5c42-4efa-b7a3-c3f58a568f4b} 4580 "\\.\pipe\gecko-crash-server-pipe.4580" socket
      4⤵
      PID:3664
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1452 -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2616 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40b19233-1366-40a7-bf5a-6def1c393dee} 4580 "\\.\pipe\gecko-crash-server-pipe.4580" tab
      4⤵
      PID:4264
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3968 -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3952 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f7a0325-6ed6-4846-8c0b-c8d3efb0a1be} 4580 "\\.\pipe\gecko-crash-server-pipe.4580" tab
      4⤵
      PID:1516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e48200fd-59b8-490b-9d78-db0e1ff514b2} 4580 "\\.\pipe\gecko-crash-server-pipe.4580" utility
      4⤵
      Checks processor information in registry
      PID:3836
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5328 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2630c475-9bc3-4f76-b109-92cf5c518f86} 4580 "\\.\pipe\gecko-crash-server-pipe.4580" tab
      4⤵
      PID:4576
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e122af0f-3fee-4d2d-b505-bec35b6eaaf8} 4580 "\\.\pipe\gecko-crash-server-pipe.4580" tab
      4⤵
      PID:824
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5292 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c767e70-d781-461b-a883-0d8c86bc54f7} 4580 "\\.\pipe\gecko-crash-server-pipe.4580" tab
      4⤵
      PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\26m6z2vm.default-release\activity-stream.discovery_stream.json

Filesize
23KB

MD5
be04e88ecfb0a431caa3b3d402b363c7

SHA1
c6c4d35ae0be704369ce849c11aa28c76de51913

SHA256
243c4db10db2dddfeb6f7a08ed91c75dd3c74c4df7acb60f9c5d4404b0fc9675

SHA512
6e70a627a0fb425b6538c47986ab36916c05c6dbdf72df1a2abb05da6c4d8a72d354520d5e23966277e3795bc405628c27a87232fcb35e0bcc1ac8f55bc68ff9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\26m6z2vm.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
6b8b058a7e03d4a8d91ee17e46aa4232

SHA1
c6238fda090f1a4648d790fb2184747dc0b6f8b2

SHA256
446ff095b86cf3236e1f12c43e18f73c4df040b792694ff6363d5a15b3c8998e

SHA512
97dbd5e06279f25fd19ee4f6a4adddae37128667405f518bd2ae1a70f60a873a45963b57ccf3ac863b55d488a157f126c5584ad7993b849eaf561e1bc36a275c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\26m6z2vm.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
57f9a0a854c0e0043158f461c9b61687

SHA1
7a5aadd178605f092b13148a17216232c62257e2

SHA256
f71f042c8cd50302625105442f763100127fd57ff4b722872964ad7fa423e2fd

SHA512
66d71ada0adfab1bf4baf6826e0bd8796eb670140649a1307411eff13e3231ca350c8920d315450b7e81cbb8120f4f4f9fa73902037ae88d6f24bb95b86b774f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\AlternateServices.bin

Filesize
8KB

MD5
12ce86ae5bc3162f9bb344df0c9d0b22

SHA1
fa3b0a224d9222d1d553b716930f84d7db1bab6b

SHA256
e2d4f95e5e680e784cea9e14ef8f2f86ace5750b4122b4dfea2818d5a4eab0b9

SHA512
5aff5f4d3ae73bb40bfe80fab992f734094c35e2d0ab7ffc2b01dfa30fe10461357b5b40f2e55a8e1504ceab22d146a14fdd94a7df8ef5dd8cdcc0a9d9247e23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
94508d7bdfc40f910b0ae85ebbb6222e

SHA1
845fee2d2e68aa789f62487d478d5c27c671342d

SHA256
d8b507e7dc6613e1eb59bce456ed2745a43b4bda0538754c5965706e1ab635fa

SHA512
501960cee47dd87324dee6cf9aac79c7ebce7765453d25e8441c4753c50023becbcea743175545ed453589ec18a7ea302c6b8226bd238de9a12d953197e2512f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
628b7728160ff9590b55c71057c3cfc0

SHA1
017a88373b0c23d9d2418b14750181aa130fb091

SHA256
8a33d25c02021721240d5a6f9042c3dc370f8353b29414066fca1fffb0391b07

SHA512
ae7e2c8de30f10cd58b9bb2903bc373a88d831b0e0903711d01180b9fbdb10079f29489cc5c51c363b0f973015dcf3afdf2ae29f314e53efc24f366d90b4617d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
02e07027e5c836a20cfceb829631f4ec

SHA1
38964486e06b804ec8813ec2c528e7a136a104ff

SHA256
b23e7cb024c53d453ab5b6baffbf44062e7153b8823f99922e2d7e1cf9c76c20

SHA512
c8e9fb11dc1aa0928df390a8955e6bbece1cab0166d0c1832be1dfe853d2e0a75a75e60ce44d6ecc81b8a05543475d74a3cdbff19d2b0b8c7d682c80e3fe0b4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3775e1e1eb361bafae61faf623d62797

SHA1
f01349b214ace55f973c67109ebd7e6ec45ca5ee

SHA256
2298f0320fc43f7ce9eafe231f2ae2f5473e0a1a0e750a323982eccad1fd4679

SHA512
3018c06e925c1cc878f04633de2860f3069cabd98725ea3c0cb8292b34df4c5e1a5ea679b99aecd9c5c0971eba7cdeecd3a5fe9c763de7e0c3575c1bef249fc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\datareporting\glean\pending_pings\71b5a122-d262-4f18-ba78-39d8cbc4e552

Filesize
27KB

MD5
a5ef1e7154301427047c284f44c0ed6f

SHA1
6542aa179f3e022194260681f0e5ffe1aa8363c9

SHA256
11d41515e66f3b6c99a9be083f3fb886fbec4c00bd07d6f60b294e8b5425ce7f

SHA512
cb82565b001713d094b5bf908f00c596ef8db6f4b32597af88537bbe9901bfa0119a0e7abfb763fbc484e926ec05a869da45167cf7a64b4dd0897d44a52b4f2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\datareporting\glean\pending_pings\c2071747-c12c-47fb-9332-4cfb6a34c0b9

Filesize
671B

MD5
3252108ee1a50e1cc8ce0bb62fa6e4b1

SHA1
c50386e9e82ee6defd8c9574909169cd66a4475c

SHA256
4fb208cd92023aa8070bfe4c0a120ebb228b77f26846d60a0d7ba7bbd0b61f78

SHA512
c3fd74c04102ce133ca9bea07f7aaba0ecbc80383c1781d76e718e1a312ea2661a98dda162223858b225b81569161b074c74731362a5a3addeba6ed3a75f5f46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\datareporting\glean\pending_pings\eb6a4384-559d-4856-8de6-2753bd924835

Filesize
982B

MD5
02f92883b4d0655539a74dcc49768f11

SHA1
6d57c43893f7189120654e4b826c9deec918019c

SHA256
569ed75119ba99a9bd6e518b78695829631fd554372c5daaa6c723458c78d7ce

SHA512
033547c6f3c3843eebd52b13ba51e1682a797d1faaf748d522628a70fb27a5a446bd9212ce7827309bcda702bcd3c138c081e0af2ec9da134e62a9180b3b7f7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\prefs-1.js

Filesize
11KB

MD5
071faf05640f36d1a7335eaf52734764

SHA1
10ca468c81e52d99addfce1d8596879eafb62e97

SHA256
cacf89469ecaa6ca99e5f2014ec2ca59b054ecfad8ef875b37a5c7d31b7a2db7

SHA512
35cd8f1f17f938b5dd7b6c3900714e39a968ccbd03014049369c20c7c99f4c3e8342f7a576ca6e6f8592e5efba2211cbf79531751964ae08bb981e5725f3a7fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\prefs-1.js

Filesize
15KB

MD5
4df4eb853c0b6333385161f9284e54a5

SHA1
1e392a73e974bbe0856d8fc0915a9e5ab25e3160

SHA256
897e1f96ad00e4a92f873999ba53aca67d80c76868011004b5e507745a338ef8

SHA512
067574bd99aa71093e256e1e80117cc7034fcf35b59a00d130962f5816b8b44bb387297adf9db2e6a05307e63c9a45a67f68c9ed9e771fd05d3e348a3635ceaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\prefs.js

Filesize
10KB

MD5
a6df52f769832c259d18eca7cfe59c94

SHA1
a1eb0e7cee7d1185b64688471708715424f5009d

SHA256
e29fe4214329ea50da3489a20ba135225aa39f15def8b2501f388f092e668994

SHA512
fc4036d0ea9f3aaaaf289b7a908c42e821ea6cdbd9e6a1a2f56e8ecac0d140514fd80358fa620b5812a272fab5c27187193a1469eac7e7bc52dc636e421d67f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.2MB

MD5
140b41700c15da7b0bfa96b304c3a476

SHA1
5f2055193c130ba975fd63ce0c5edb82ab6b6146

SHA256
4348ccbd143196a3e4e9216ebe2e297761c847975959301902791f98b2689913

SHA512
3349399a39646f0f48e886270eb20855785ff1ac1b6a5a55944117299c98b8527d787a6e817bb08e7a6af5696a8c3c673749c6a232f2534a06c4d37df2d9743c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\26m6z2vm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.5MB

MD5
e9c019357402a68f9bc7e7c32ea28225

SHA1
81d435e01f58e48e4a529868717fa9150ff3be99

SHA256
b9e3a8979f9db1a961ab5036b7e0fa64375a3b61e3bb9ce7d145fae85005359b

SHA512
656a025a1d79d65f7813ec3e64976eeed108e8f434fe52b278399b3e88cb710b56ef42b04ad67dc2e4fe9e4ae4aa4110db0a5fd12cb75edc20f3c4fb4c9a0ee4

Download Submit