3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Size

1.2MB
MD5

dd831eb4a822421a497990d84a0fd578
SHA1

aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
SHA256

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
SHA512

5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
SSDEEP

24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\Control Panel\International\Geo\Nation	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	firefox.exe
Token: SeDebugPrivilege	4952	firefox.exe
Token: SeDebugPrivilege	4952	firefox.exe
Token: SeDebugPrivilege	4952	firefox.exe
Token: SeDebugPrivilege	4952	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4952	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 4192	2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	88
PID 2936 wrote to memory of 4192	2936	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	88
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4192 wrote to memory of 4952	4192	firefox.exe	90
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 4336	4952	firefox.exe	91
PID 4952 wrote to memory of 1604	4952	firefox.exe	92
PID 4952 wrote to memory of 1604	4952	firefox.exe	92
PID 4952 wrote to memory of 1604	4952	firefox.exe	92
PID 4952 wrote to memory of 1604	4952	firefox.exe	92
PID 4952 wrote to memory of 1604	4952	firefox.exe	92
PID 4952 wrote to memory of 1604	4952	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
"C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67decb13-533e-454d-9ebd-0811e1542fe5} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" gpu
      4⤵
      PID:4336
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0396dac1-2acd-44d4-ace3-24d5b2117ff5} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" socket
      4⤵
      PID:1604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 1752 -prefMapHandle 3016 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04de5c6a-6080-4efe-87f4-f0789f04cf04} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
      4⤵
      PID:3972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3880 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f727188a-b9a2-4274-ae26-8354f10cde63} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
      4⤵
      PID:3968
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2800 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4632 -prefMapHandle 4628 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb5c6253-382d-410b-9c6f-81bdfdaffb96} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" utility
      4⤵
      Checks processor information in registry
      PID:5060
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5420 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7f3a14a-1524-4b99-8e7a-58395bf1b937} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
      4⤵
      PID:3852
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5652 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52475abf-b5f9-457f-96c7-89c7c4e34d1d} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
      4⤵
      PID:2664
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5812 -prefMapHandle 5444 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {966d8b74-ea82-443c-8f8e-2f5ae0417553} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
      4⤵
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
9a00040669e61aa0acf6e7328d1a541d

SHA1
0a56ed3b88ee4e685c66e627b326f6c6fa6fdb8a

SHA256
d98aedb5b04e5377f2ade1a08ea5c428e6585c0a1c3a22f3bbc58073466b1fcb

SHA512
56ee2aafa53c695322dba301de4913031050d0832f068ead836bb579e7170d0b6070038401952be3f57936a526209dac07dbd4352be467f492aa265da23367bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
6d49c5675174bd6df6a41252360c3683

SHA1
0efaf94487e4b40040d2f02edec101c6e69e4591

SHA256
929b05b65f869b90af820405d7564e0e672f19a62f1484ae3721e453d5d2db8e

SHA512
d99e669b94ef96d955c0d00fae6d540decb282b59f54792633c7dbacafa0f519169af5b0a17f30af11ae17ecd403c9de387c4a3e1d6ae05340ab284ca713d42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\AlternateServices.bin

Filesize
17KB

MD5
6de6a5c3db35c7fddfeb14397a792f46

SHA1
27c5e30cb003221b2648de1aac2a4eb9be6e2606

SHA256
1b991c7611899b1bb41490948ebc9cbd44e911931bd81ad9ce64eb118335b6e9

SHA512
9b7de279da90b1d28fad4033301227b431151b60fb0d760486f1b378319b485d46590677b26a392b216ec309e05c4b7394805e1539c186f17e7ea9b3ef154901

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\AlternateServices.bin

Filesize
11KB

MD5
fb77ec997afd0b230a12cddd156029fa

SHA1
ced322df61e514ff4e9166dfe9f9a6352b961e22

SHA256
d94c64a63c8bfa1d57ae72d8b20a160781cd5f2626e6bec0a00a057181d86a02

SHA512
30aeea8686d8e07595e4c7f92a103b6bc39d05fd522e7953bb86f70c5cb9f3c1336320ef4d6fa1c3c7ea9f1e32d510b7cb335f1913ff029301840681389df901

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5fc90b6352f2a0d9da3b38ac88f6e602

SHA1
ee38035b6c32dc4fcd92cb2be6690654e67d3a3a

SHA256
f2f6e7674935754cb173c90df1ffb0e1128fce2cf76c82aa9f411c8e7c9abf52

SHA512
f229f0c92f6ff57ca1e13ecc85a64ead91fa8d9b126505c1177b0f6b28b0a04ee8e1d91a9429ef16667252d24580e27b7d744f0298aee97429f6bbfaa0204f4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
b503ce16abbe31aa5b452a1c50335b83

SHA1
994c4b71ea98db1a02854d8f7eea7f563ad8123e

SHA256
616ffcbc5348db8459b8231fb52221e2c565aae1daee54c28183569e34413de4

SHA512
95e5a829ccc47603c5f523d8426bc7a81c2aba3bc4d7871faf61bab57beaa08549b24723b8656d7f978265295f4f3072f061311186bbe8ab1849d381ba0df131

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
af656726b87e03d7d92e01ce395b2326

SHA1
8638bc9278003a2af7ad81b9a43056873688dc52

SHA256
0acd2ca6f133c33c7de649158e1bc67d49c2b75b9c24d6652364b567250d146d

SHA512
7cdce6d14cd5d6b964b3c5e24b41c79a66d062631665d05f15c63de9be5be22dc7e26c80e9251f5da07c984c6114bcf878e4285e43a1afd5af72632d98cce68a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\datareporting\glean\pending_pings\1dbbcbc5-ed9d-41b9-a8e4-e2302678aba6

Filesize
27KB

MD5
f0a0ec968158e80acc0df0a79de811bc

SHA1
96067859f3b64fa67d7d466cf3679d45d8a3211a

SHA256
2ad08a99f28abb12a09c2f26ba06d6b37920ec141de7ca77a714d7a947946bca

SHA512
013298badc7eaaf3a6c9db08c2c24defa862ae09ac2c1aa4ca31f1d1c5b82a91ae5d79f30b22af49e53b4568f63304d6be53e885195c1789d9111f1f5b425e61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\datareporting\glean\pending_pings\a3914946-f9a4-4a8b-9476-8f77ff0966c4

Filesize
671B

MD5
dae9eb2d922efcbf5cd5ea2677ad78f6

SHA1
ec657d1f7b81a3545bfd2adb96a68e12fc1fdb19

SHA256
c8bf29821ab4f768baf5f4a9f86ecf1caace9fee9569ce61534ad5dca4f54288

SHA512
2d540f8845c661ad8672ee1a9d2995253f0fd85eb28df379d9c3d41177a07e84fe1d09043bc656eb39bef5631c7e3ad71c0a1c8a93a8c41f96feb0297605e490

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\datareporting\glean\pending_pings\ab0b2eae-d685-44c3-a0aa-4016b1e37623

Filesize
982B

MD5
8501bfb3c96b8bcc5f4a8e6bfc06e4de

SHA1
8accca7b26878940755399348f06415f47f483ce

SHA256
d7d31a018ec0f1d3e30b96e0255fe933482db48cd203385de5e44f350b722f05

SHA512
07a2ec096d8bdfa2ca0af1e03dc700e233e341439e5b8ea4b4481421e7751dbd6e640ecbb9b122a004a2d9604e7de8aaf1ad28667f45081363eab8c33141d9d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\prefs-1.js

Filesize
13KB

MD5
8bb68a11863e54c40f37fd42b7a4b871

SHA1
344aa542c97bbd9b866b720231c6096f99483e29

SHA256
0bbed36c17f506a652833f4e7bf9203caa8a80cdfb06a36710f4bce281b48968

SHA512
e54e7bb867425a059fe79cc92625e485bc022864c623cfee717bac49065f2ababf1826ba7b2380ed354eea57e3ac7c893f9a9279ce22bdfc30c664909d7d1718

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\prefs-1.js

Filesize
16KB

MD5
ab1a8c323633e3cb627b9278cebd3bb2

SHA1
6a7c7808b85878b96da3a06017e100abf62ba506

SHA256
8abc4b6cab4df9700402f43c8baed06575b559bfb4725ce3022a090a2154dd18

SHA512
8164bef1f361c2d519d3107a5a46ddfb2bd3817fcd643f95ce235e3f34bf2819ea45dffe8bc01720de747f83e8062702e01385b76573738e76d0a8937e178771

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hjdrzy1.default-release\prefs.js

Filesize
10KB

MD5
bdc44a62653f2c0ca69f6251ed267f2b

SHA1
27f99ed824fc39a974e6b8a2e7797df463c00cd5

SHA256
3440043d3a00c302549f012b3fc48c3f4a71af7c6aa92fe29ef2ec339d627d9a

SHA512
c51f4d4640c26bac5b1b2640e775f10892409ffde26ae364adc880e036bdded6f137f205afa59eea202aaf4d595e43fc9a95f498e95839d93309eba41e2cddfb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads