3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

06-08-2024 13:01

06-08-2024 12:52

06-08-2024 12:29

06-08-2024 12:26

Analysis

max time kernel
59s
max time network
54s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-08-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
Size

1.2MB
MD5

81d3df03a7bfb9112626bdcedae6df90
SHA1

ba206887aa11de8e1b405e5a18bd04568e2b5693
SHA256

a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03
SHA512

7580b5dd5452afba147417685bf9d42816c7f32af9496e4f8dec519c0abbb9578206a5e432c1b884abaa0b9870c198b8d0c7d109b43590d95ea855bff6a59a13
SSDEEP

24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aLS2Sbly7TWEPje:ETvC/MTQYxsWR7aLS2dW

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	firefox.exe
Token: SeDebugPrivilege	4884	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4884	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 4880	1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe	82
PID 1764 wrote to memory of 4880	1764	a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe	82
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4880 wrote to memory of 4884	4880	firefox.exe	85
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2532	4884	firefox.exe	86
PID 4884 wrote to memory of 2644	4884	firefox.exe	87
PID 4884 wrote to memory of 2644	4884	firefox.exe	87
PID 4884 wrote to memory of 2644	4884	firefox.exe	87
PID 4884 wrote to memory of 2644	4884	firefox.exe	87
PID 4884 wrote to memory of 2644	4884	firefox.exe	87
PID 4884 wrote to memory of 2644	4884	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1\a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
"C:\Users\Admin\AppData\Local\Temp\1\a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {880eccfa-caba-4bc7-86a9-883a70655e9a} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" gpu
      4⤵
      PID:2532
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2841a62-4b33-4ca4-a928-5a95d16fe724} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" socket
      4⤵
      PID:2644
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2984 -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cfceaca-bb66-441c-83ef-8efb943d9acd} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab
      4⤵
      PID:4396
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3584 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {658ed1f5-6d84-4344-afb5-4594b88be98c} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab
      4⤵
      PID:4916
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4436 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7ac1220-30e8-4dd8-ab01-a9289ce7c451} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" utility
      4⤵
      Checks processor information in registry
      PID:2376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5040 -prefMapHandle 5400 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e76d1f23-70f4-4144-9f2d-7c62d05b60fd} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab
      4⤵
      PID:4872
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5544 -prefMapHandle 5548 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6041c18f-85ed-4a21-aba3-19f4bc57df01} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab
      4⤵
      PID:1344
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e36bd2f1-627d-439e-9ce5-bddbdf8f96a5} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab
      4⤵
      PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
9da3e7ff72f5b26276e7088630d6c11b

SHA1
a20a743eff67a3545f9849f91f7d88ac449e0516

SHA256
9249c3d85455a03265c7dae0a6676069f4aa45c17a0139eba871d0f799df2d49

SHA512
ae9183f3c7a24f7ec9bb413e4bea600c2078c8a8358b920af965d0ae11ada7b5a40d2f231a69c201ccaac4dbcb3b560df28719b776d287b57f19c01f825b36f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
a7e380eb42eaf75ec9f2d4b01bf89a6f

SHA1
56ba5ce894b574bcb8c7951a6511c83d90d1ef83

SHA256
3e19ebab05e947ccdf1acee21d72c367ffb7646ebf417ab264121c22d6c03f19

SHA512
8b8f92f5f54c133aba9151dd8d29376acee83ee5e0cf73d73eceda49aca48faf4914ff9f43caef66e1cee8f668a8289148d7832612fb6a1e4041fb404c2cbba5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
1f491d14601e38563bb6255fc99c6c5d

SHA1
ac20ea67a8cb22f8eca3f56e6fe7b3ddd47a7f8c

SHA256
3d8675dc2ca9468f076b9e9a1e044c6eea6e321873a25ac8660f14cc6c85ecac

SHA512
8480a9a7f4c82f18c6c3b7bec3193ad3138400da5059ff3b82388529cc9aed4a9e18cd0661f49b4c484e190a642303f2aeb1487c605ec6a0880c3b818c9a88ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin

Filesize
8KB

MD5
3c9d2460e55a432e34e681626edd4d74

SHA1
8961505c49df0d4e6519b79603419c92cfd4a5c5

SHA256
7388ed69c078a44495d17513233da7890b721d0ea270c35e30834f0881c4081b

SHA512
c85ad40fcedafdd77738bd0db0d8b4ecdd35b8a7ab43db10ca6c428283111b65ea120e86097c549ba2c825f8f2723a27822c7a9ac3a7b24ddd2b2a92b444921e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
43311a06e2e6a12cc01327df2687bb2e

SHA1
311c7836dc15a2626d0007622898e495862428b5

SHA256
a2646ac4aa27e2d741a4e74f02c9d56f7701f4aeb3271ce7045aacc5d7554e84

SHA512
5f6a14b643fa585f9226e576d717293d4993f3d8e42bc7c7a827fda4a146b8d8f5698358d86db899ed8e3b38007475b4f89b78ceb8e46729a800fb19db7077da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
aa6d1899a891eb4723b157d8dc8cf94c

SHA1
6a20db2cd667d97962529b1de2c7c7a734040b24

SHA256
bbcafdfd41d9a95c1f608a1056fc149cd7842297edd7e757d0e5d754022309e5

SHA512
a75c0f58e50241155ef9371da51db9793c7167f4c3ba8114a792ef84e7ed5159690fa88f4d8580c01a669397ec8d36dce31e7dbff18fddb14c57eb76c57daef5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c0d1e40f5857da9643113b25fd671ee2

SHA1
a8ede0d83ac7f4e15bf80708b082141bbdba79ac

SHA256
7485ea8e2257be391bd32cd2b51ee437e1daeab302006c47c28b975d97367024

SHA512
5b8ad1ee7e29a2ddbf64a1853f6b32fa33e25977ece5e13f22edd258e79f6b72e5af74faa029d13aeedfa954d63ef5b4df7fecbc1ad843103db928d5606a257e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\2e7e933f-0d38-4dae-86a2-7a8b33178464

Filesize
671B

MD5
485ffbc0be13f9bf07d88da6153a678e

SHA1
95a514d423cf80760d0d61163ab0e45ef5a885a6

SHA256
04586233a6723e5f3a45aec33024f6f8f26f9b4446c199e9107e1de7d7155105

SHA512
0758674a37b5f6f801e2d46b1d6b3935c4d8202c272b385ac1f13cb7b323cd303a4b8cf759481f3bdbd4b38e6d6cf2fd88c988f5e7456c7014895fadfbfcc1a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\75c91fa6-f632-477f-be9f-18479288e0f6

Filesize
982B

MD5
db5337ac3a1cbcc1281a3c52f139c66c

SHA1
c8694fb1520d86dc15b9ecd04b8238dfacd75e91

SHA256
19c7a8bc095aa9cece6e785e32ed1464d9a2f70390ff0bf78d10d042fbc9d94c

SHA512
52dfd701560efea5a17a5fbc374fe979da40e976f9357e8fd1c88748d6289adec6d54463f968f2f68f96d8b32e3ffb928e4d6e80bc0aef3ce56b91c0fcd52e36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\e4798879-5187-44d8-8d72-dab69d8bb868

Filesize
26KB

MD5
85eefad36928c027659c8e9ac79bde01

SHA1
eae6212403bf5a95e6e37c4ca888576d7b4c9b5d

SHA256
d4537bc7a351157b36046d3d95a50a8366db5012f989dea0fecc8e63d0754f95

SHA512
5351a3d3a210dafb3ce5c2ef3a4ebe9bd5a33fd5283082b446d2be7d62e6a30ecb64f4eab88c741b248e94553f53413a9975822546c792e5438379dcc73b1b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

Filesize
12KB

MD5
866c767bea6fd66c90f095651a195e91

SHA1
a8e1db22985c51feb624b8ed41c0525c79e791ab

SHA256
cbeb4674d0ba6fcd72c74425ce8333ff1fc993aa48014879f68812405963e370

SHA512
89fd6cba7545218dedabae81f4e72cdbff882b61cdf40c28da23ca104775775fb3c4e4e46ff6dbc22b87dc4350c95c7d50bb510891554b9dbb1d56d36b8ae8d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs.js

Filesize
11KB

MD5
8b718bdd8e386d0679cb0411f2676dfe

SHA1
5ff48790f6fabfa0afeef3ee66800a03230e0c04

SHA256
177b690122d74f007aa7fd15c9fc909b79bca943379776d8139c31707a6fc14b

SHA512
da485c2293935653283fe2ee2ce9f83cd14f2b9fb2e2075507f805c1406a3448d8cadb8526263256e96ea68b0a4423b70c02299df1c84f97d292f0fbc61356dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs.js

Filesize
11KB

MD5
9b587643feff8f278fbbe805713bb960

SHA1
7c647ee082720c631b66e7d3c9dc59f5d4dbf381

SHA256
38f4eb16ef934715f7015126b6c21a955528bc86df0e8888036dcf05c3a805d3

SHA512
90d6f21616de349fb00021ac0797b79e00e6da18b64b9c07ddca2c94ee7b5c05cf221c69d7a5343dd77434ad55c7195b910cc21e7ae729872951c5675a349db7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.6MB

MD5
20128e5ced28d0eed0573b21abb79a5c

SHA1
d58840bd2f6dfa4184d4979159cf9aecd1a3de3b

SHA256
adf4c3a159e602d03e53a083d55326c8d21f6edc7d791ffe9b41ae50a6228974

SHA512
b24fdfadc9da62f74c90b2a57842ea2aa846645862057cdff2a0d2eeebc8b695594848f222a215e63fc082855dfbf1d7be0971e921c05e0adc91e0716990eeef

Download Submit