3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Size

1.2MB
MD5

dd831eb4a822421a497990d84a0fd578
SHA1

aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
SHA256

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
SHA512

5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
SSDEEP

24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	firefox.exe
Token: SeDebugPrivilege	2800	firefox.exe
Token: SeDebugPrivilege	2800	firefox.exe
Token: SeDebugPrivilege	2800	firefox.exe
Token: SeDebugPrivilege	2800	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2800	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 1140	4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	86
PID 4420 wrote to memory of 1140	4420	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	86
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 1140 wrote to memory of 2800	1140	firefox.exe	88
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 3788	2800	firefox.exe	89
PID 2800 wrote to memory of 1384	2800	firefox.exe	90
PID 2800 wrote to memory of 1384	2800	firefox.exe	90
PID 2800 wrote to memory of 1384	2800	firefox.exe	90
PID 2800 wrote to memory of 1384	2800	firefox.exe	90
PID 2800 wrote to memory of 1384	2800	firefox.exe	90
PID 2800 wrote to memory of 1384	2800	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
"C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a55bb4f-bf16-45f8-b78c-19269195aa9d} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" gpu
      4⤵
      PID:3788
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af2c6573-081a-48be-99d6-4a6a42b92352} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" socket
      4⤵
      PID:1384
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2892 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3332 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b5fda32-549d-46d9-8d9a-9041064d6a16} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" tab
      4⤵
      PID:1500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -childID 2 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7d3f118-4fbb-4c90-82a7-8e946a946f0d} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" tab
      4⤵
      PID:4896
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {136c3878-c4d8-44f5-9810-d817efef94e3} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" utility
      4⤵
      Checks processor information in registry
      PID:3868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 3 -isForBrowser -prefsHandle 5504 -prefMapHandle 5480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06c2ac19-e84c-425f-ae1b-b8686d57ead8} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" tab
      4⤵
      PID:512
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ef0c840-7ad0-418f-8090-eecd10dbe836} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" tab
      4⤵
      PID:2580
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5836 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64c07742-3d60-4e58-87c6-508b06444a46} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" tab
      4⤵
      PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
e597b237b00675ba41c5bbab8ea58ccf

SHA1
8e89eafabb38c939d9cd3a0bbc6caedf3cd1581a

SHA256
f4ad2cc012db63a4bbe464a7624f5543f9330ed7eb3b74ac7a0a9c36b261804c

SHA512
f4307b33f40b53b3f20c26a6341bbc986e4b9c770e71f943ee723adbf964f01facfee97b5a9e5723a9e7a33e2797aa55de57c343e59e251d1d8162db95866e92

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
5b3aeff56b5b3e77d4bd74a871247a12

SHA1
1c1f937f8f206e8760b78d0af4194b94b34d3ba3

SHA256
47ed1905b425907ac23de6e27cb935d5fe1c2d72eab22bc480fab26983e7d60f

SHA512
ad55778ca66f6b7d927d1a2975c6823523b9ee2ee5b559903d745dfdf797f6980541450f683681eef025a79238548bc0d6dfa11f67b53e1f50e79dd1ca731463

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\AlternateServices.bin

Filesize
11KB

MD5
82af05a184414822eff3d1b048f21f27

SHA1
7fa7d586f6a0a13bf8bb1006d7c9cb94619bcba8

SHA256
370c1123c89fc17ea8fe0c2cc62cd3efce9b914881cfedd0a07168fe9664c181

SHA512
2fd8f350fd6a306d883059dd4e24ade2a7d238e15648e0feb9c10417c9601dab0779a4dee03bd77ffe65311afff31729e1115a9bfc40a95b5fd166ce1a1ddd52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\AlternateServices.bin

Filesize
17KB

MD5
919e325f264c23f28e55fe2b9c527ad6

SHA1
61d8d828b9355321d65743127f6181240af9a949

SHA256
193fc6244095ba40192d183df8d608b0d7a5cee4f429b8460f0d8e77204aac33

SHA512
27b222be30ab4c5993b8a538f0a764b1214298c759bf60c378833abe2e99cbfd0b5a0858981a230f1b7eabe33c5c5542bd8319d4f8306b525a920cf0195704a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
69e9996a5138f86bee84aa4c5dadd46d

SHA1
45bc5b1030febcdf4fa1220996c7da082368ecb3

SHA256
37aaec69b7771510aaa9d20738ed71fb1dbaa567fe64cfe8e5601e3d6c33af39

SHA512
9e915f73ef05839663ff9dc4ca84d642b6b0a9fde3bc97aa8ab19a007115c8057cbd7306e0ec92f2b497ff85d9d0203b349b70bdd7c413dad8aac677ea18848e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2771fcb75f99f81af3da89492f116d1e

SHA1
ab498eda876dee17b24ac0528e52df2bbaf54e18

SHA256
dfdda23633a83a034942d756b0a8b383026e122aba153718fc1c0ecb7b0ef936

SHA512
ee29d0b26dbf4fd5337653cf519a698ad79773254928e146f2dbcb96d3e84d28d233a6f23105631f01cf04e39b93213dea514e790a064e4106cf1308b9f5a5a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2ea46fd4e5fd92820a38fac344ff256b

SHA1
0049f4a1b1de9dc57f70252827d1b5e76baffa75

SHA256
ecd320d0f19d345836c1bbc05641929f710b4cac776c4637d4ae1c82f97d4ae3

SHA512
27eb141491e9e700b79c1e6b9b853d4aa46486829a0c4d9aa4260ebf936c4efba94594a96877c1b31269668c97f0dac77408c77868a47a9b1a4fb1c678453c43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
9dc9de26b46291b22cdbd369b5515b9d

SHA1
55dee4f06d79b6e021df4532f5ecb8ee524a071e

SHA256
a340949864505c0305ae3188be0e9b92e33f600a3c8c1d8820fa28e386c953d5

SHA512
d040c4208d361736455c4c296e6a5cfb51dd0b0d4f0bbe9729f2c4974d5fb225d8d27c5b01ac57974e888f2488b7e45ddd215ea951c9b47e62c36a2e4fcfdf45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\datareporting\glean\pending_pings\79a45faa-5f12-42f6-a8c3-c9b5d5f04af6

Filesize
982B

MD5
a19e94899974c05363e67c1092235dcd

SHA1
8c231a29c8cdc956b536158e3eb943b6f3e01f7b

SHA256
e9eb856fc5a55b0ac5c3bf3043000d66f92f7c3d4733d694ae6dfecb1e83503c

SHA512
939b48235cd0e5ae7049ef8b4abbe4e6ff6b542ed3a03149b71f8028fa9c0cb4b07df9147204ffbcf4133ba7b4f0ab84a7731584735f4d22a590bd97011f3163

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\datareporting\glean\pending_pings\8339464a-ee83-4bd7-93ca-986ad1eefbaa

Filesize
29KB

MD5
49f0a7e5ce7225e034cee431fe5b8ad7

SHA1
a1adce90a304b1512c6c757a620126214da20c55

SHA256
2fae821b3dc9f1a9cf8c16c84b4eb5ee170236a3495cf4b53e2662a2ba89a2bd

SHA512
8a0489b100e6187c6fd72dd3f2cce7a12c4879fa656d7bfa9eff87db4133125056ce7e7c6c467ea08d8e0181f6c52b56791f409800d8a6b1ca3c934b946dcb80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\datareporting\glean\pending_pings\db8556ad-5525-4072-9e02-f368606e3032

Filesize
671B

MD5
344a805e04fe3c96b483e8ecd01d067a

SHA1
346e54bcd00573ee4f55346b753be4103fcb01b5

SHA256
61d44b7fb45254ee02e765a1ef2d174164737db6f0126dfade07d4f337634d1c

SHA512
df282d2ce561329b4bfeaffa745bb79235861f194dfa158af989e386802881408d85932196080d1ee8e0c950a8bd1bf6cb4d47ad228a466c57c1095e31eb2b12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\prefs-1.js

Filesize
12KB

MD5
537a620dbe58b5c382c12826e919d722

SHA1
4619ad6000de0e070b9ad8b5b3c4aa6ee7da44a3

SHA256
cb14c8ae8a448d62915fa37709cf5003d582ecaadbae78ef0dab11785b39c194

SHA512
980c6ca25208ca7ae792e8186a51a368f96795ef9270a6b6828021612ad46fdb3ba64c93a803fea122e3b264816bfb5c6b06470cbf4166a8b54a3bf4e2a1cd1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\prefs-1.js

Filesize
16KB

MD5
87f7eb7201cd76704fb961c3619079fe

SHA1
95f3f06002e0e9986f72debfa9ce49f67eca6e37

SHA256
7534712d69b183ea58a2eabc73646b43cb932d9a4eedd7b74adc13f57ec7f228

SHA512
bf5936f0458c4121779c156872726da86a7e5a0823ec64440599e71d251defa2b9b77bb4e15647ddf1cb7e6c73fe513552b19af3709b756fe089d63b34901355

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\prefs.js

Filesize
15KB

MD5
7d35699edff38c9b88c17b4bb056cff3

SHA1
1cd80455a226d8d37d1b06f9031e400abbaa7c66

SHA256
d5900fdfedb61f0eb019bc733c2ad47dca30b8c1770af1b8353a911f0fbc3b71

SHA512
eb6daa79d8c4b8a93d36574e6e43bfa3dd0aa444a3377a5d8c0db8033f6524f0b889e3ce1ae2324d1d71c4f898de399a2cfbb62a27a84136e15ff4c09b2cdb9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\prefs.js

Filesize
10KB

MD5
4719708d7026551deb74b61cd200cf09

SHA1
d519033f43ea396a870a81764d54db77925de3a9

SHA256
cb3c10f15172840b17728e9ee2c9baa5c613af15562cf1e8ecbe0cf34f5a558a

SHA512
d1b4859b22702174ebca3af557d6bae47584ef32f0ce6a86cb0892b2fe284d80f4be16e2af0ee7b40e42acec48838307ff38aa135d5b930b0af34b0aef46a61f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hdqbpzf1.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.2MB

MD5
08806de3ff5b0d5ab07f83cd51628d8e

SHA1
42ba13c3b3fe616136273e75f3eed5461ec8f093

SHA256
35a9f227e1d674aaba94c05f71e946f1a9980991cd7ae49ee2b4fe151495962f

SHA512
02a7943df21bb9f4907dfc2e0c0131ddf424df5254bb2a551ff8ce5c457c604d6b656a1122c227483226c28267555ef5c28bae6540c1e7aed5203943da1f5d00

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads