bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Size

1.2MB
MD5

dd831eb4a822421a497990d84a0fd578
SHA1

aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
SHA256

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
SHA512

5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
SSDEEP

24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	firefox.exe
Token: SeDebugPrivilege	1216	firefox.exe
Token: SeDebugPrivilege	1216	firefox.exe
Token: SeDebugPrivilege	1216	firefox.exe
Token: SeDebugPrivilege	1216	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1216	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3528	4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	83
PID 4016 wrote to memory of 3528	4016	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	83
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 3528 wrote to memory of 1216	3528	firefox.exe	85
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 4668	1216	firefox.exe	86
PID 1216 wrote to memory of 1408	1216	firefox.exe	87
PID 1216 wrote to memory of 1408	1216	firefox.exe	87
PID 1216 wrote to memory of 1408	1216	firefox.exe	87
PID 1216 wrote to memory of 1408	1216	firefox.exe	87
PID 1216 wrote to memory of 1408	1216	firefox.exe	87
PID 1216 wrote to memory of 1408	1216	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
"C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65e74944-fc1c-462d-ac15-333498c962c5} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" gpu
      4⤵
      PID:4668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e19c537-f648-4d0f-aa62-036e5153af08} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" socket
      4⤵
      PID:1408
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3032 -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3008 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a3b3629-934a-4cb2-be08-b056830df29c} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" tab
      4⤵
      PID:4928
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2836 -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fb52216-cacb-4f01-b99d-5814b469d781} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" tab
      4⤵
      PID:1668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3804 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4848 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {561d8ac8-a6fb-48ee-804b-cc309bff4e60} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" utility
      4⤵
      Checks processor information in registry
      PID:1224
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5356 -prefMapHandle 5520 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14b81743-9f22-4ece-850e-050e369dae9c} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" tab
      4⤵
      PID:4624
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55235fe6-6d46-4145-96aa-bb46357b4e71} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" tab
      4⤵
      PID:3424
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 5 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfd2313b-7139-4e37-bc2c-e37657d1a2b3} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" tab
      4⤵
      PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
9b84605c8ee7d8b78f20c828e403f907

SHA1
a6fd356a2f6d9b5e24785e9924381454a15f468b

SHA256
cee266a2f6cfad6affe42026916c1f0cea5b835a395fa272de8124876073eff1

SHA512
62502690f642d6998afe6802ce6dfc0587ec4481e4519b36eb19f83837765453684d512ae4270f9ab48dc070723dbc1672d0d8b80549b949d835658a19aa86b7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
c9c76a3e5dbbff26c3e94895b8694f5a

SHA1
ddb30f838697efa46d583d880bafeb1667b45f3f

SHA256
416702c4df4983f58d6245a91cb7637bd6af2bd7a36c0e496315ec1217e87a71

SHA512
5e5f94485e64f6937ebda96e8cbd6242adf4acce067aaf9d170e6c8d92407601e368cafc0fe012737ff4473505cbbf8852e98d28a8057684d11e572d8cc9e6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
12KB

MD5
af8de5dc2a104f6453687d6d834a25bc

SHA1
362bf096bd8808c3463debfb91e14a280a3c7b44

SHA256
fece762e5470f3db150b0f9ce909d1024d6688adb3aadb2707da732f520f21f6

SHA512
b48512d5232248f28d927161825ca2ab5cbb59639a8e17ea46879a103292e709eacf972393bd549785c2e362989fe37cc97560583432b23705d7d25eb41fb827

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
3e455d92977ae21375e32dc5488ec2c4

SHA1
4a26a91ef0ccd6496dbeee81d96e5bb20aa2800b

SHA256
07d9053fcc4a33179b465f5a5d84c66a65ae538930259b7aacc44ea8129a2ac0

SHA512
d56df0d470d0eff63fc97cd014eb4536493f68ec8618a5c68354bf58b591c8d57ff203fb808cc39d9a95c6383f315e7f5741dcc236bf2a6d6239c669308d1e96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
e840675e673791d07c62141fb3680c78

SHA1
18027e8bebdc2c4a3e47983169c1f9a59ac46bfc

SHA256
efb18caa1387786d5a551fb8b6a1ce07c901eca00fed9a794d2946f9d4cdf068

SHA512
099e47813821808c3caaa3a0519ab138889d418d94026d508c598ce35d47b283eab17c868e5cb583bd47067abd5576b4cb40eccfecd15b89bbbae07eba1c2bd2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
6b12c1951d8945aca6dfd7fc2d028d52

SHA1
2e024f76cb9b1d2c00cbaad3a94f931eae7c3eb6

SHA256
35078020e8c074aa350080dacc97c977ea7aec0d8c36b130105bf8054b236f93

SHA512
bbb94bc073b5339d5fffba47c9572d834bbdf39cfd808d256412fc9590d579da7c4650d2a46cb202f8dea558a3bcf65d8ee07da7c68757d304a0e55db3964197

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
19KB

MD5
4dca5de756a318c465d932aa68cf9607

SHA1
8231f4849d8af7d2d09da4927925fe3305bb1623

SHA256
5ef3d51160d879fdd18d5ce8ef83a2d62eb35b0d7596cb6230b84a7e1962956d

SHA512
06f9e5b1609504ea7f89ea3f0e0a6a03a5b7101c69732161088851132eed320001910ba8e7deaf22f131231a7e25ae0fbfc94a5279b171cbd806a582e5b33426

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\390d4356-0472-4d45-9777-531c446581b6

Filesize
659B

MD5
8a8d5656fcec6e1255471fbaf2195976

SHA1
92313e0604f4a8614675727b382490804649023e

SHA256
39dcdb08a5358ae9c9d65c35815bc39cf90a5edf32cf7b7633a5c938d15e36f5

SHA512
2c8279c914e0dd997e36a131ae58ec6168c4ff5c12c397ba7448f622388a18ed12310d620d2e88f5475f6997b3af3f0ce209b43203915b025fa814c940cb14ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\5bae73c3-910e-4041-8ad5-06c2156ecc83

Filesize
982B

MD5
1f5899122a2d60af3d319533b482962e

SHA1
321f7a9dce32e5cb556720ea0978612ce06bef97

SHA256
450ee9a7f99a6be6d92641c31bccbeff4a322acc0aa0c1702336d399e75bd1ad

SHA512
015ab003b657b6e43d58db5be96c431e39644cacff057afa5cd99c37fa0cbab27c4644a149ed0f0f4a65c31b571f3d592bdd60649f82eb36f5dfffa3d08962b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
11KB

MD5
17d59c92b3f03068e48a4b6aaa32d7d8

SHA1
5dede549051a6e04f01ed2751e90e8852c46c1bb

SHA256
12beba9dff31e669c5eb6d823d3a493a44f9feb547961768e1c4400f3573a7a9

SHA512
656b695bf1fadcef57f7b05a2754e7dba42b32f78c62829795b204dc38bc7748ef2430d6bdacbb970238be1a5e9c2e31563f0f09f69d35fe43d48b1ec8dd5f4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
15KB

MD5
bc59f4f29ee2113eece1ff06e851db9d

SHA1
88e8772cd13a9a91e076f26f125184c38a87bc14

SHA256
87d8198e19ff3f9cb57154dc080c0335b42393d26f9523c697f819081bc12910

SHA512
09fa4bf84a804d55f3b9f2d1b929eb81c106fbbd166d53e407f4b1cc92491a5dfeba7e743601a429c5657473243771e20f6748741166f6a4a5eae72ff79e85a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

Filesize
11KB

MD5
dc40481573c282143a39cba43012401f

SHA1
c3c16bc7ff9010407faf75e6a7c72fbd4c0385a4

SHA256
e7deac159b16dc9359279b7c6bf8a1a4869a61f5ce7e2a882c17b82e50d9022c

SHA512
ce67c4e3c761e2067c118fd8a27546b361907cf3d54893af50354e9d0c8555938b9a9dc881294ada4194291ee85b0e1bde23168c724990ab83c83e264ac67bf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.2MB

MD5
45c6df34323b3ed026ed63ca3c4c9673

SHA1
62e57be64bcf26d36cfbb08f43d18c4e002f5649

SHA256
830c18d97d87daaf6af793a1fb34765cd22398d54ac1a7a38cdacd0fe7872870

SHA512
33a65e9a83bed4495c1b7cfbfb810895b85497f5fcf0abe0a52f898ebaa643342ef6b383148d353334c06ea4771543b3e47a2819b917d3b0656664918afb2462

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads