ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
Size

900KB
MD5

8ac15cf603cc81e0ab0204a91e52bda1
SHA1

0af6a75dfada4b67958e390ab7f59a8d651dd930
SHA256

ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69
SHA512

209253b1d55065eb122f9bda9a93557acb3dbb5ac81f49890c059f1d21258078d999eb303f0f850c7e48e61b0db185f6fd876110fa40ed6200b94144467c835c
SSDEEP

24576:xqDEvCTbMWu7rQYlBQcBiT6rprG8aHUu:xTvC/MTQYxsWR7aHU

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4712 taskkill.exe
3568 taskkill.exe
2044 taskkill.exe
4988 taskkill.exe
2552 taskkill.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings firefox.exe

pid	process
4712	taskkill.exe
3568	taskkill.exe
2044	taskkill.exe
4988	taskkill.exe
2552	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe

pid	process
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	3568	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeDebugPrivilege	1436	firefox.exe
Token: SeDebugPrivilege	1436	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exefirefox.exe

pid	process
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exefirefox.exe

pid	process
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
1436	firefox.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1436 firefox.exe

pid	process
1436	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4932 wrote to memory of 4712	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 4712	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 4712	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 3568	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 3568	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 3568	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 2044	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 2044	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 2044	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 4988	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 4988	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 4988	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 2552	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 2552	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 2552	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	taskkill.exe
PID 4932 wrote to memory of 4168	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	firefox.exe
PID 4932 wrote to memory of 4168	4932	ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 4168 wrote to memory of 1436	4168	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe
PID 1436 wrote to memory of 4792	1436	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe
"C:\Users\Admin\AppData\Local\Temp\ae25fcecdb0bb5303793575c8a176bb57e77cede9e437015bf2c9b1334dc8a69.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4fe0262-55d9-4d33-8fe8-ebe9722ab626} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" gpu
      4⤵
      PID:4792
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e39f9e7e-156b-44b3-a61f-ee9b83bd17a2} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" socket
      4⤵
      PID:3584
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 3292 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {485715a8-e499-4eba-bee3-f81243989e3e} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" tab
      4⤵
      PID:2604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f225a25-939f-441a-8527-ab73ed79e58e} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" tab
      4⤵
      PID:1480
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4812 -prefMapHandle 4808 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7caf9085-8d59-4253-a7c9-9716f381c295} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" utility
      4⤵
      Checks processor information in registry
      PID:2404
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 3 -isForBrowser -prefsHandle 5652 -prefMapHandle 5648 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6be2fa7d-d56b-4ef2-9f28-0a277c1f5091} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" tab
      4⤵
      PID:4292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f71466b-4478-46c5-ae65-33f45852824e} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" tab
      4⤵
      PID:2380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 5 -isForBrowser -prefsHandle 5888 -prefMapHandle 4552 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8118ab3f-f79d-48d5-bfad-ed09497bbb6e} 1436 "\\.\pipe\gecko-crash-server-pipe.1436" tab
      4⤵
      PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
998ae181d7568cb4fb897e5ff0ccd6f4

SHA1
533999bc703896a4b44eee87b7971c64c5eed028

SHA256
8a7db9f6eb65b0ec0dff285ce304ba64cd737929636309697d9a4072b17a2026

SHA512
695473f2b853f96aa72f0af5b78e4c5d1cb3561b36e12d3f405e7db3ba4c211a56692dc88bba25140b0080b20c5d19f2a36fccc22e778552ab96e8da1324f506

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
6d0e6bde4bbcde081ac2bfda671d275b

SHA1
df4b747962e32f88eb6fd51f2abeead57af72c84

SHA256
349114f7e615b5d23587007cb381f50a5cdaccf717ed12daaef1fca25642f582

SHA512
c0e5e276133c15116ccc9ed63280bc5a4b97530f69e785b3a1269fae792e8a855e07ba1532abc52d28926d971794dc3c8f676a64119dbd17ef7d3c7809f6813d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
7b83b0331bcddc60d666ecc7341a3c24

SHA1
05001d01912f93f7b2246f81c74b4b676ee9a315

SHA256
e945ad1c688b97965c07873ebf6529074d8dac1733727084e217b8bd1d54abce

SHA512
f17b508706dfe82dec9a9cfd1918520f80f57626472629fdf5b0d825e1ab4b8ecd3d84981b950d570aebf2cc346a05dc01a18fd30ed7db3ff5f5590adda99175

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin

Filesize
8KB

MD5
8be7c253676833d8f6a0845c67445fc8

SHA1
5df8386bc9e52a504bec7a933c4083ca75150cef

SHA256
add489d91697b4b9fd1b8c6110ca0c76700b5611334723fcc2cb4c87f8c5fa36

SHA512
5baa9acd8bb9d01f8e26ac7998c3658dca78954230923969a7d4259921d87815a0da222f798e89b676f6a40db7ec34d427f16e9ea8b3d42cac056149650a8db9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin

Filesize
12KB

MD5
81313c615954848be375c7c063895bf0

SHA1
104e021294178957f12da41af836871e0a7f65f5

SHA256
4fc62db47bd08df2c0c7d46dfeae3218c40607cd6143a78b62eeb30455956d1a

SHA512
eebce3aeed688188d2a428202f5586b9c9d2eea55316a846f2d6608075c779721bc31ccb2e58827436ed685c74ff8942538e2ea6a64d49f64000bca549388998

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4255e437fe69e37d7d1b0661ba139549

SHA1
47139b4088de6ada1b833d623fd86bf32d0884e4

SHA256
3176f6032a633c5c87304c4ecf480f81c5b0fb032d4f24eea481ac7e07b1763e

SHA512
535e03dfa9717f527d83aa583175341ca81de57900199f152cf29bea0d965b148a1b0226589326944570da26c13591d56ee6060887ddf2549bfa16d5c7d6c295

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e36c393ad4621ba09d5bfaeaadc4d09a

SHA1
24754714a31600733ad89277d9b3d298efe109a6

SHA256
ee54e864f9e8889dd330733143a9a6d2afa74babcb513c103bc081428b01114c

SHA512
52c2e51c6f241656d7e0888739f0f97b4abd0742ea872acafdf57534d74488a2be736ead503477d30bff3a80378572db2e9b1ed1528ec387182a1f50640acef0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
c258078074d36f96a4fcf4a405611f01

SHA1
4c1a565715622a33bd50764f58844ab2922930c2

SHA256
1e25349ba4c4c1bf35b6d372f6b08fb03947d6d8c37996a218a93f05da77262c

SHA512
cdb6d4924dec312bd45999330e8bd9039a332118afecc1b87369a11893310c03261903f2a270f28081748115a763764daaf333cda06a4a6260975ee79bc553e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
370f06b97c30373b2f5554117ef6cfc3

SHA1
7257a69f07547b98e6912198563f9be68ba900d0

SHA256
d665bca40e1c312743616d2c24b30a676e12abf736ba8405b6bde6b59f4e9e71

SHA512
66e1de625654625a408ffcc7de2ec496fa09d46a6df9bc77f82f1590cc060a882596ea818a697a89eea36ff15721523ee06603efbd7786c789cb666c2c874ffc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\74b28147-9cd5-481e-aa06-3d5206f5dd8e

Filesize
27KB

MD5
ca99e5f0b048a174ec8eba0d0fcc2b03

SHA1
f1143166c083617ec51e2bea7daaca257d0796d2

SHA256
84f87b7b0b4e1716c97c99ea042e597a98e377a77ed623c7abeb8d3692c46465

SHA512
2f88a40830d0d5407487e13c8760b69270be4c20f4911525a867c5057e6a07ed6ac196285c6f4339d85ed27c6988340875503adc69b950e4ec2a17ba51d9a62a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\81aa949d-7d1a-44a5-9f43-a7b3acb7d18a

Filesize
671B

MD5
45375c346a7b8dbf10b3fa6ecb825499

SHA1
b8ca3f6578edc7a9bc4959d07eade42cf81b9d7b

SHA256
4d249aa60350e4577b539eb1a8faf41f2909bea9c92af2c6884f8edc0a06e698

SHA512
9dcf625cab1a67496012bbb977cbec90657c5d75a4e0a51b531776e7b8d4c2f0d5578ea0651ec91893629094e8b02490ec83181b7d222ce3c02907424784545a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\87ed2cc0-68e5-4b4a-82a5-c52c817c857d

Filesize
982B

MD5
d98252831ee2b1cd1f28d5d7f254d0b1

SHA1
80372bc04ee2abfe2a926e36e61133fded070dc3

SHA256
174ae67ebe7a1d398037c00192b1d088e7cc8cfcb2b569d6f3902822a7b683a6

SHA512
0fb7b83afe18f413c547767e18bf0cd9ccbbd86023906db1e6f5902dbf205c3c2f504c97856db438d46229f607a3ec3984afef45723021e936161b3e471026af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
11KB

MD5
8cf6a6832c3e9a91a1d704593aae1a0d

SHA1
2f46a7da2825a199263c20e47bfe576558d80ecf

SHA256
4f130f2a305d73ea53d9675a124e465587475551ecd3fbd9363d4b05c019b49f

SHA512
2396692cfa06d0231ff6e7781b68b664c5c3a7e60bc1181447807e7e8619c0f6b935516d8d87bf58d02211ae925935d5185ce78f0a82ba186e54bb37e411656d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
15KB

MD5
3a5c8a205a2bd6bd27d2f54b267683a5

SHA1
b6d9e988fe73a0afeec746cb14308aa89cc4de06

SHA256
998c4c76ef86b80c08210f00ce3cb6eedab445b8367c025ff5632095a11eaaeb

SHA512
60bb502345cfd894d0a2c2dce22c88038d029bde21fdb8383c5c528522f96e4509fc9141e5bfb26a8f8ac45d999768cb7f57c3702c83557c366f5d552ca8ab36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js

Filesize
10KB

MD5
ee891cc0ab1eb3640450df21e4c2ad65

SHA1
76d8b12f0656ee3ffcde268ed66d979388bf26d4

SHA256
31adf9a73c9bb3614dcb1a43c1696c5fa6bc6c841c563f610442095dc2db39a2

SHA512
e69bca0f354472a647c060ad742c3b7a3dce0db01e1015e69c2cf224c52147fa20839aa2b0e945d7643d4a2edf9bd5adee739dfc5865e7b6d8a3116531a9a281

Download Submit