345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330

Analysis

max time kernel
126s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
Size

898KB
MD5

8ed1a31ba67fc5419d8c8700a14689e3
SHA1

f28cb27277fb97652c56313b98ffd4993a592824
SHA256

345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330
SHA512

78137037c20d00cd3ba54aa38bba7b6e2d5cef41c13e37263387a872741a73dbae600302a7965c68f58df5cc69547762d1d20e8d10d8ef8eb8a401b8e60d2d6b
SSDEEP

12288:bqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tu:bqDEvCTbMWu7rQYlBQcBiT6rprG8abu

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exe345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3168 taskkill.exe
3944 taskkill.exe
4240 taskkill.exe
2008 taskkill.exe
2236 taskkill.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings firefox.exe

pid	process
3168	taskkill.exe
3944	taskkill.exe
4240	taskkill.exe
2008	taskkill.exe
2236	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe

pid	process
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	3164	firefox.exe
Token: SeDebugPrivilege	3164	firefox.exe
Token: SeDebugPrivilege	3164	firefox.exe
Token: SeDebugPrivilege	3164	firefox.exe
Token: SeDebugPrivilege	3164	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exefirefox.exe

pid	process
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exefirefox.exe

pid	process
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3164 firefox.exe

pid	process
3164	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exefirefox.exefirefox.exe

description	pid	process	target process
PID 532 wrote to memory of 2236	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 2236	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 2236	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 3168	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 3168	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 3168	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 3944	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 3944	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 3944	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 4240	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 4240	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 4240	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 2008	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 2008	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 2008	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	taskkill.exe
PID 532 wrote to memory of 4792	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	firefox.exe
PID 532 wrote to memory of 4792	532	345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 3164	4792	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 4420	3164	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe
"C:\Users\Admin\AppData\Local\Temp\345f7f033867726ab35d5341e27cdaf68978d8f9cbda9fd4680d7fd8c0575330.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee5cc765-960b-4051-b479-81c0f877559e} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" gpu
      4⤵
      PID:4420
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8b58f87-cd82-4184-a373-77eea4cb2d88} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" socket
      4⤵
      PID:3100
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1464 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 3060 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d407fd1b-0d0a-4d35-9360-9b26d6174658} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
      4⤵
      PID:1464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3308 -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 2824 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {986902cf-03a0-455a-a1ae-d9bc9eac3914} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
      4⤵
      PID:892
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1540 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4528 -prefMapHandle 4524 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85a08ff0-91c3-4309-935b-0ca69d6c6cde} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" utility
      4⤵
      Checks processor information in registry
      PID:5040
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {138d240d-3890-43a2-ba08-e180f5d4a59f} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
      4⤵
      PID:972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5572 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38a68638-f1cf-4aaf-8780-ec1fb0cd77da} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
      4⤵
      PID:1504
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5764 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07faf6ea-ea9c-458e-a7c2-52eddbfee7b1} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
      4⤵
      PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
51861d91048a1fe6efdc8f24aba618d0

SHA1
2f1d54ab9f83a167e038a803cb8050ddf12a9e65

SHA256
e3dbb32731b833e640b9065fe10e9e41cf236d7640cb16a63c7dd7ded4521e05

SHA512
4b80a26f2b10e46690410d7d3861eb549db7b316133122273eac15c972cb0fc4e3a717ffd3302699b8c12040625cb1d1c78cf7bac778e149ef654913498c4876

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
5090cee4c06b3f194674e6b5a226b6f2

SHA1
f4ab1c685665414392dfc2904eda0ab2494359eb

SHA256
53b29ae73ad32af9384d5ed7855cfca252e4b869ab0e3040cac910d491572791

SHA512
d09462780f7fecac94901aa5006a0c6d8a17d0ee0532529936fc7a80f588a0c354fafa3c7d649fbf7d9ae755b853ef46adf1601ead822e3bfd401797b3a4982c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin

Filesize
6KB

MD5
6cfb7765a1c6c9d6a457132a851f51d3

SHA1
45e2a3d8039fd8324655414f095635d5ad667ede

SHA256
e3ae3db5abd6fe29842fd03239b76b609e307683276cc179e797baa887a15cc3

SHA512
6bc3e3c0816cf9ccc6a09ebb718d424e77592f3606fd6a3871f4f7d2eee7e99a0c78af29bf2a04e8b5f296aa43e4c48e6b3a8a6b195be506195a4bc3ca802ee9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin

Filesize
8KB

MD5
0caeedd40cc3aab3122c5a94b221f76d

SHA1
9b877ba0ffc9e90a319c1aab165aa6f47f032cec

SHA256
2c26c877f936daccfd28e081257d96c33848bc634ef7646f60d90e7746d4afdd

SHA512
c5670c14ef7029dbbb737788eaf49d2bb53ee3403b7409b860f6221c33a42814e91528c058c838cc729cf2c80fa5956e89d150fd40db2116aa12a3b3c0ae8da0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin

Filesize
13KB

MD5
453b2d3100f9ad537f7ef6fbe470ed9f

SHA1
d868e772629a385119ed4828bef76aed83dbd1b8

SHA256
f33ad48b0d7027d1a2762e88ad146d2813d0d0a5911f5f9a83d151d123749fe2

SHA512
3935fa1429d05bb3c42a58ddf5ddd8da8b99ea17473483fa8ffc9bfdb3de7a7c58b3f25cd2aaa1b578349e5f935272ce5df0c0183ecb189741d706cd7c89ac69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
4KB

MD5
65ccf7f4c87cabefd8ffba3847367a05

SHA1
fbbda45ec75b3a42225070f0d5b491ff2a39e2dc

SHA256
9344d6fbff49c8ed92904cd07a43745cb99f3e40767aa978b59b627233e9b830

SHA512
90359f474950d23b73e0c4a40d192b6d54e141995eaf4be5ceb0e512f19d441abd39f9e1b836f9b9c935b4e38c76587c9d91df9f1da8088713f9cf3b8a20f57b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0d1b735efeff3f04144070b598e9dea1

SHA1
6ad7bd68738e2190e781eacdb19213430f41d26f

SHA256
0e2fdbc47bc04af5d84c7d8472c1c9cffb60cf160d7866b510f17e5dc2be5145

SHA512
124a41530e6b554b5b76d1e425353a3ada523c8c8319d3af9b047c1f084e485ca8b54aeeb7b34156710d401b32789edc7cc4f6f1a753e6958b68c681a0b2d284

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
58d0dadd08bcd396ab1846fe9b470527

SHA1
d31426b7a4a3941d214319406f149862de830158

SHA256
fbde752fad551b70a2df9074e78dbfa3ee14f8f99e47d498e27fdbcf8ab6de30

SHA512
13d20f96ead31b7798f589d141bc68a07049b7dcaf2dac4f0f7f6f9e4f0a5a761fad66960d42b90865bb6f2f128040541874a38eeef0a67beeced095a8e575af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
05e32a70b184c2a496330b48f18b010c

SHA1
d922857c646e6f9211881e9e533445c1d8f7dbce

SHA256
0f4431ed5f92c42c3c7aa5aaf54693d4736fa16f60da7773fa708bcb2e0233c8

SHA512
883111af2cfde3b270c6cb6a73b71c48f101ada08aa60baab906e69017d8b8f2aa973bc16e61eb70c4c7280b72147489eef6651af69c980a8bf2ff51507079f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\147e4fa7-daf1-44b7-9747-16baca4c26c6

Filesize
671B

MD5
675e2b4cb835e9345e41d449f3881e01

SHA1
d864bd37e1b6609b45086446b186fa83782a6569

SHA256
7f5d4fd8454fdeb10972080247f377e3313ed48d0652f8960e174fc0e60f5a7a

SHA512
087c2220ab2614a275e6ccdba6e583487a5048062631582e316c664054e71fc00b60601fdcea4d5e49a35a5b5b1663d44979a6a106d3ee29b8e4f3ef13a4ee2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\30aebb2a-06d3-44b5-9955-be9d767f997c

Filesize
982B

MD5
9e6e22ecdac780e45e8d436d03de280c

SHA1
8971ca4461b491ece1ec2b5f54cd0c16f291cade

SHA256
894b0240f3e4d893121caefb899cb9ee8e4ed829f25f7e8e17bb0490be67bb36

SHA512
890caf720f933c3038a7afdedb86628a2280e904b9c776744566823c4114a1c92448df728412b16e4cce7fcd7e3ba587ea4a40248f167236470c054b2c86d8ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\337fad75-4668-43dd-80ba-4845600718b7

Filesize
28KB

MD5
828666748bc23d5676669cb7f8fbc556

SHA1
50c57c8b7c86aca117668b6a023833b7fc7f2eee

SHA256
9cf2d1fa879eeb241dcd6047c5347132e5bc4eba63d5ad002d3c57e266514375

SHA512
3ae17ad6372cd350bd3cfcd515f2ef58a2be5b8ee5be6795a434d87ecb2489897cb6131b410a2897ed2702190c85bd77134ea8ce44b9575e18607464462833ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
10KB

MD5
dd0951521dc7aa668a7f6c479c803240

SHA1
49c3a0a8cff0744a71d8c75ca6b8783750cc5f0d

SHA256
9ac00da4e9557148844b87cde5233fdc6ca6b4c94dd8d80a35760d6d68171f75

SHA512
e66906a192474da3d31667b436608753eff505b777b5e403d51dfa3d819bb96d163a3cfb5d8823eb14506ae4e99fa25a15d723eb9f6c741b691500a03c059fac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
12KB

MD5
26caa4735994fcd38b4d2c1bfaf80957

SHA1
7e5f6d238954219c6e94652211e43ac4d8aa090e

SHA256
b3b5a64bad32d9bdade0361d8d780c7cbcdfa40549eb53cfb04155b08607f25b

SHA512
41ab284afc32e74a65e6a12f2bfd28a9eb3a7ba546af3d40595801b04dfb39d994bd1b2a9a132ab439b237ea77e81258762093e48a9a3c71c1627137a4ac2a92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
15KB

MD5
7e1d61ae598a5f35eee1f7d6415a8fe6

SHA1
c702cb6351a1de31e3ab5b2d22147dc1639a0736

SHA256
039532f5aab622bb40964b20026b339a3ef847ec336381cba8f8d09a29a26529

SHA512
22481c38dcb7980ee026638a5ab68b25382b62dd10496225d8b48f5ba67a613158dde3a623b1d1f4ad0e7c15a97998d225d17801aec4f85ff68569dab75ecea4

Download Submit