3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

Resubmissions

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

06-08-2024 12:52

06-08-2024 12:29

06-08-2024 12:26

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Size

1.2MB
MD5

dd831eb4a822421a497990d84a0fd578
SHA1

aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
SHA256

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
SHA512

5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
SSDEEP

24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	3932	firefox.exe
Token: SeDebugPrivilege	3932	firefox.exe
Token: SeDebugPrivilege	3932	firefox.exe
Token: SeDebugPrivilege	3932	firefox.exe
Token: SeDebugPrivilege	3932	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exefirefox.exe

pid	process
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exefirefox.exe

pid	process
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3932 firefox.exe

pid	process
3932	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3780 wrote to memory of 2480	3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	firefox.exe
PID 3780 wrote to memory of 2480	3780	4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 3932	2480	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 1080	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 3784	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 3784	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 3784	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 3784	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 3784	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 3784	3932	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
"C:\Users\Admin\AppData\Local\Temp\1\4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6072814e-e86d-4368-abf3-3da13e44cb02} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" gpu
      4⤵
      PID:1080
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c2b7f9d-ea44-4663-828d-a7c380d63dfb} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" socket
      4⤵
      PID:3784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2904 -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2908 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b45a300e-cce7-4ee5-a1d2-bb622d9dc299} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
      4⤵
      PID:4528
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 2780 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d48eb49-f2ac-40eb-a6dd-f1085a6259fd} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
      4⤵
      PID:2316
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4704 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {762129b8-c10c-4773-a80e-1a4b48faddd3} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" utility
      4⤵
      Checks processor information in registry
      PID:1496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d2ce4d3-86f9-48a1-90d8-5ba89e739201} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
      4⤵
      PID:4524
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5480 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6653232-9346-435e-af60-49ccbc78b34e} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
      4⤵
      PID:1912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5708 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3a49920-9edd-40a1-b8b4-b0114f9e1022} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
      4⤵
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
42829e27808e4d12ffb7c18885940113

SHA1
f60c1fca258e6b289712d0a8f537fdad37638e51

SHA256
5369068fd147b01d3be97b0af490bd8bf7a758321b82cff83a43432f6e82d316

SHA512
8db86c5bc0b88f7917aa3240d541f7b15a7bb8f1f8cb1a458c616e1f2c5239c28333218db48ee47325559fb0fa82f75ff842f1f49482f0c9640cf8654f37f0e3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
e5aae011715a3523e267fd0156282068

SHA1
d773abdbeeb8453ea0e6456785e13cf9fac5150d

SHA256
7faf6ab2006987d4c74593bdd5d9cc191fa3b9b56ebd8c0dc241f1f92396cf03

SHA512
b58d72b46bf54a699ade4aa2534dcf8157b7baa98e299b0358455adb52bf1862f76340d6dcd9eff404cfecb5d3c3fe394f30d522c232e5b22ce7adf484a0cf0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
5f5c20eecd711025375f7d306cf549f7

SHA1
5f46873cfe4d10434cf291093f4d49c5cbd930b7

SHA256
4051a2a1639dfc2dbf230b395af70ebc5540af7f841a3755156afd859cfec853

SHA512
4529a76c99bd200df8c7c1ad593f17f791a5860037ac3c5de9173cc6064d895362b064eedcf30f9cc33436bc0b60b4a3e02dcf905d7fb0d6c0a152baa26ba12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
8KB

MD5
314f1b9c4981e420a737e7763d90c8eb

SHA1
d5218d68f2b0a1431d87b5581f1f7459120882d7

SHA256
5573d67b01c6f2c1db8f20e670e7bd86d501420cec5c8f1f9b45c39312df9094

SHA512
30f379bb7b9e25a234970d164d52665d7a91c98a4fa3438088d0adaa14d8e4e069cc3e8523a0a3b701359afdd0d644417c745b44eb6cd12fa1d219bfa3276887

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
3de1cc4c0b81121b2e790c76bec2722c

SHA1
7f04aabbb90a99d4dc5e5388f286ae8803530b44

SHA256
8edb74849ba859060dcd0f7a78fc33bd4e7f3482a87dc1ad00b80eac90c89471

SHA512
ad582a331574aef3c4d25973e815bf050e502eca068bbb8d2aa214f9d6641e5100cd3c564fb5105f332cac37cafc46a81d779e4e1cea91ff5fab31b60b176b5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0c7004790f560156849ab2ed8a77b511

SHA1
dcf67b388604f27a0a9d2c57efec64467d3e50e0

SHA256
5943c4722e246df672af50bde96431b11246c71866972e10e72448410cca0f93

SHA512
4fa4092765018489a5d3c55758f15bd8ec2da8e985ac07922afbc9c6f29f2a09a9b035409d26898ae5a007e5190be5b306827f30b63e126de035417a18df452a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a62bcdd8bbe64f95f677ad75df0f9b60

SHA1
331d747323500ea40d32126252c1d2199e77ea77

SHA256
205fae9091b6fa6ff79e4a409970f650f70c1d6c4ec734a2e741a116fea47511

SHA512
be2e62268ce4a65ad74c61d3e3d62a3de3149295316f7ee4ad1ccd3f5bf46c8ce0e21ae6ea1b891d15fb4f4daabffe4374acc63d82feec94369cdfd0528fe4ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\18f86c93-0f3a-4219-b419-7cd346b285cc

Filesize
982B

MD5
6e467424a65c70a3b1554670d3a3264c

SHA1
4e26fe852cb509524037803dfff713b970a07c56

SHA256
f612e977f71c1382e81a966e2bb00c25d2fa164e7222378450cf33485838a2ed

SHA512
d177a2c9f1b5ff0c013bb7c1272dc3d1d14340685a4d6360edaabf16a3ce9b3cf29765a9282806abcaf32e2a62d023814db8858a6d810ed490b34c5c724e1194

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\9673255b-a378-46a0-96fb-cba2e2b2c38f

Filesize
671B

MD5
fec8e3956135590424749a3d5cd1f7b0

SHA1
a9512562c7dcef247dd1c117e6f0c4909e8a6a18

SHA256
1e1704238469155060177d1fff626c6b043d44e09e689e2ac1c91dfba395d2b5

SHA512
56e9e60d7db582f259da539fbcdee6a53c502684cc364bc2ce7222eb58ba9b16de9df95b9ab1065951132219c4a16e1ba438c5006d525e13eb9df7f08fecb571

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\9e727c10-88cf-48f7-b729-72de29031f77

Filesize
25KB

MD5
3eca38ead54ffacb70f9abbecfada409

SHA1
8074b89e29be4b50a3be4057c0676da51d78b614

SHA256
bd9955ee5b998d7fcbb18ea8d67055d55bd2d1b3ebb0bed4feb245dd1853ed69

SHA512
d3061b6486315e9135f73d6d805632f5ac8e0247d0b5a8a14d9109c4d714698a489ad909498f9831a509f22a2ccfd5b7c787739cd0e554b73fa92c910f4cfd41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
14KB

MD5
539b37aed4e008d5fcea605b5e22bf87

SHA1
a1c1e147d3e1967c4ba443b71b42fca68c192029

SHA256
5484888269bba67e5cf2a1053baa3e610693a175a34583bceac029db49a8d206

SHA512
50a0512534f0c892a84602e64cfb88c5e59bf7de41ab0606d735df3a2e994897ac4df17fa00ceec45a226bf7e2a57bb3069fce5a03d26ada94de8388a233098d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
12KB

MD5
5c1d7032058104ac05a9a8f7004b34e3

SHA1
a36e86c077f5a7158cf1cdacd50fbba37317990b

SHA256
254e8acc080e50757a2b839e1cca0b774d799ac48b39cf23f61a79c7bebd04f7

SHA512
290c2420edd58f57155ae0938aed7382053cb590317ea446cc86c371ba90c8611574c6dd42905fe1f788971428c7be131ab79fd6c8545d2d14578e583441be23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

Filesize
11KB

MD5
497bf7c306d27a51d089c09bf7985f9a

SHA1
a6b7931cc70b3a1178036386e17d69ad8bdefbb0

SHA256
a826cf05a7fe8f452d8e38ad3d327db67327ff1507ac59678eaa336ceb901e2a

SHA512
8ea41d2f08bc3726d8c0988751a9587e3c043edc7135325ee1770d44511603b9aae80b16759977f7c1885d49544bb4e5e34130503f6ac63e61f17ccb772ea186

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.6MB

MD5
1886ddf5e4856045ebd72e98ed9c379b

SHA1
3336dcf6bd23711c465480cd6a47cc3865b4b975

SHA256
5a8860616ab0a38ac4aaa3c545508a23f92aef121d3e8129393e3e2e9ee22901

SHA512
925b5cdb23dc4bc1cc4b83ebd03d32bfa05e993a9ed4c246c0417a209735b0d29e099e8e32e9303b60af422bb32d543e64f0b4c98eb4a5d64159e1d7b1526c6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.2MB

MD5
e4ea9a54901948af1cd75904eff63f38

SHA1
04022d7044b2505973575d5eef21fce3a8e0d36d

SHA256
70177cdb321b81ed087dfd77e912a202163598fa2ef9c1dd037cb050e8c9c71c

SHA512
1c9db4e8429aae0959504f877bf6256826e8ee0966c1f4dd7e25c493001b0b0d4f7af730ad5466b48561b02c85c7aef43a5ef3fc7cf5bbc491e97da17dd23f83

Download Submit