f3da105df43ac2bf23e2f05097c27af4a46f17d46655c1350ea7d94a00d83daa

Analysis

max time kernel
111s
max time network
108s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-11-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

forlorn exec.rar
Size

12.9MB
MD5

8efefc2dc8922b8d9a9a2fa7e80f4127
SHA1

e94afc0cc712dc9ce884794db669de95e182b38d
SHA256

f3da105df43ac2bf23e2f05097c27af4a46f17d46655c1350ea7d94a00d83daa
SHA512

42f2c7a9567b57f0403502e245e70d80fba0c12d6a9854be95026cf6f87ffc1e4c3e2e80ec89beb0df97877b23387c6a3ceb6b8b551e322e03304174e342e372
SSDEEP

393216:bvutTDQL5GWokHIWlZ+3yCi758abymNnF9Sfi0twHEBkR9GAR7:b+TDYGIIo8Z760iky3PR7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2972	Forlorn Executor.exe
4840	Forlorn Executor.exe
3016	Forlorn Executor.exe
1152	Forlorn Executor.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772062415591737"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
3868	chrome.exe
3868	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4148	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4148	7zFM.exe
Token: 35	4148	7zFM.exe
Token: SeSecurityPrivilege	4148	7zFM.exe
Token: SeSecurityPrivilege	4148	7zFM.exe
Token: SeSecurityPrivilege	4148	7zFM.exe
Token: SeSecurityPrivilege	4148	7zFM.exe
Token: SeSecurityPrivilege	4148	7zFM.exe
Token: SeSecurityPrivilege	4148	7zFM.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe
Token: SeShutdownPrivilege	3868	chrome.exe
Token: SeCreatePagefilePrivilege	3868	chrome.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
4148	7zFM.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 2972	4148	7zFM.exe	77
PID 4148 wrote to memory of 2972	4148	7zFM.exe	77
PID 4148 wrote to memory of 4840	4148	7zFM.exe	80
PID 4148 wrote to memory of 4840	4148	7zFM.exe	80
PID 4148 wrote to memory of 3016	4148	7zFM.exe	81
PID 4148 wrote to memory of 3016	4148	7zFM.exe	81
PID 4148 wrote to memory of 1152	4148	7zFM.exe	82
PID 4148 wrote to memory of 1152	4148	7zFM.exe	82
PID 3868 wrote to memory of 5056	3868	chrome.exe	86
PID 3868 wrote to memory of 5056	3868	chrome.exe	86
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 4304	3868	chrome.exe	87
PID 3868 wrote to memory of 844	3868	chrome.exe	88
PID 3868 wrote to memory of 844	3868	chrome.exe	88
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89
PID 3868 wrote to memory of 3912	3868	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\forlorn exec.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\7zO430C9BE7\Forlorn Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO430C9BE7\Forlorn Executor.exe"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\7zO430BACC7\Forlorn Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO430BACC7\Forlorn Executor.exe"
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Users\Admin\AppData\Local\Temp\7zO43076C08\Forlorn Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO43076C08\Forlorn Executor.exe"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\7zO43073278\Forlorn Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO43073278\Forlorn Executor.exe"
  2⤵
  - Executes dropped EXE
  PID:1152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f5c9cc40,0x7ff8f5c9cc4c,0x7ff8f5c9cc58
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,4630577004825503337,5680718618160941736,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,4630577004825503337,5680718618160941736,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,4630577004825503337,5680718618160941736,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,4630577004825503337,5680718618160941736,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,4630577004825503337,5680718618160941736,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,4630577004825503337,5680718618160941736,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4424 /prefetch:1
  2⤵
  PID:276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,4630577004825503337,5680718618160941736,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,4630577004825503337,5680718618160941736,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4940,i,4630577004825503337,5680718618160941736,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:3340

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1872
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1468 -prefMapHandle 1904 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a29b7c6f-83eb-4350-b46b-d921356497ac} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" gpu
    3⤵
    PID:3472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {512023f1-b9f1-4da2-95f6-c8067848c83b} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" socket
    3⤵
    PID:4668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3188 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {803673d9-d329-45bb-9148-ba5296a012e5} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" tab
    3⤵
    PID:1840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1700 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5baec794-0cad-4325-9f83-c5b1d5db8b70} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" tab
    3⤵
    PID:3320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4588 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4624 -prefMapHandle 4620 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80dfd91a-ffa3-4d2a-952d-cddb2e3cce82} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" utility
    3⤵
    - Checks processor information in registry
    PID:5220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 3 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {412481c8-ee78-4ff3-b63f-5d3455b9633a} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 4 -isForBrowser -prefsHandle 5620 -prefMapHandle 5624 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80cff852-7333-461d-a028-98815ce0e685} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" tab
    3⤵
    PID:5920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 5 -isForBrowser -prefsHandle 5904 -prefMapHandle 5900 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {500c0a72-5c46-45d6-bf12-6ec0d5a2eb20} 2808 "\\.\pipe\gecko-crash-server-pipe.2808" tab
    3⤵
    PID:5932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c231ab0a64afbf864d11667896aca3b4

SHA1
19ddba48c315cea41455e48ba75cafa7718b6371

SHA256
8518b0d729316bb9a0749c992119f33d8c0197828dc5a67b4dd3489442b5062e

SHA512
ced65903d9d9a50a66a65f8b3e26733e748a3c6dae0b7a780cb3744a7649b05cf8c6907b708e2f51f0cfc3154f9266a0d4798092cf6df444bf1d6aa326a669dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
872ad1101bfeacce4487aa0c9824772d

SHA1
51aaf52c4c18ff361e39f799c20646b75da6d599

SHA256
d80e59059ac7444b6e7b7bc49ae92e35cee6d3dcb00ed79d38518259433c79a7

SHA512
57be909a6c89d38c62e2447b1d9766c3efb6422bec3d34d29b78a4afb484179bffb4385fb0e726b4fc28e10f5f6a8dc651b4222c0cbcb78f417eb0ca8a1aa004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
e734e1bda339645871971a16e0190328

SHA1
8164552b570b3ecb3a8ae10f2295d36cf0fe65d0

SHA256
af3e1b09524ded6e11baea13ad39da13674758cfcab9ff43b8ab63479a66168c

SHA512
e12b5b35cb11be8beacad42c6620117820a4dd484a19a22a83feb395ba1d15df67555f333e043f829e91f53aef08037dd3c6e5aaa419445a5cb25206b9e6bd62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
62f0bddec45616fa161fc63b4675c87e

SHA1
3b355021850e020dbf56065da8d62875372831c3

SHA256
1bcf819496620019b133c67f4b9d4520298426c0d4f70b9b0f9c9b5bb5152ddd

SHA512
045d6ecc6979eff53ce8fe92816c84c311ace03dd9e3c88fd821b4c49b19cf6fdb044deb67e3d6c65073db66d13f284cd785d2f580c0b267345c312d3bf6aaa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\fe20899a-1c02-45f3-901e-cc68959e48e7.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cec1ead3921f38ecf006789a610f20c8

SHA1
6e71471f86b46be2872fcd5131fb7f4219eda39e

SHA256
5b349649bd9d270f4b9318d9f2ca638d007bf61a556a54c2a10b7a1a33abdf7d

SHA512
184aaf850f14541ed817c31ae608cba6712cb724599f67245df492ecc215e06302befb6d6a83cf1caa73e434eca32efd9dff1017614d317f2815cb54ffe6f54d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
60776e6d1547515530788522b77fec72

SHA1
f39177b6be3cc5c5eb68addd0a313a1d38681d08

SHA256
1bab916f8133ba03fb52819eea4e7b9bc63f767cd2e07395625c10ed51a15c77

SHA512
263765f4bb2aac50cc9c8fac9f698c4c26fc22d9daca13304677f84bae9482cfc4ab19885051f786c88b00c20baf01294d4e8c7ff4b79084b9dbb1bbfeef3437

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b7ddac3327f4403cabdfaa5de02321c

SHA1
9ef52d743c00dcf130af8ba167b8d387b84f9355

SHA256
3087a6a92fe6f19c58acc17322755b2bb9c983f71f0fd08314866a28f300643f

SHA512
238ba2ef4b8d5e2420af4e7353968b53a07dbc995b4c2769b1163af2cda5bfb70ec4b08172349773433e069e585d9d0db5e43d422e9fb900050894eb43bd93e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
20f8e144edb20a478d6e0ce4c2af423d

SHA1
5b6500ea0c1968fa6a1597786b76a8e1b8da6c61

SHA256
54e8304d16f96de43936594a94f848e2a0d69cfc60ca8a99e0653255e93a1820

SHA512
5b91f1721e175080742743926a6369b3bd9e768576207fee43e07e51747eca75db59c26329acba5a8b072e1f93b16522177c44a77bc94bce9aea2711c419f61c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
a248808dab70ec1038473b2628ee87ad

SHA1
9232d7e3d72ed8247bcb3a588985b9c08bdf99cb

SHA256
c8ead6431f3c1842de1360b57b0c7c54d307f14661abe0b2a8f7d1b21ccbea5e

SHA512
80e51e2f383c08cac4abe91236cff2f7868c089e65119d7541d6fc688d0f504f511301e7c7856e6a4b910722332ffbc7d5be9e26e71d1cf9d77e5e3ab55a6a88

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
64d94c7290004494f4209b06b9613d8f

SHA1
c76fa2df251cffa3c091d794b72b3ff6255cb42a

SHA256
09d877f3cc6a0b90d90f7b98de5ce3a502e7f21d3b85ff01f3597c8e74358c4b

SHA512
b5a30eab1e56cb1f3f3a6faa49ba7a89abbd14543474b3412468217ce2bb4ec9c2b5727a135b41083c7d0fa4e01970fafadeeb2d9473d8d2117bdb0b62aca039

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO430C9BE7\Forlorn Executor.exe

Filesize
135KB

MD5
ba9edb5fe2d2bb280ccfd8110e81d326

SHA1
8ee18f00acb8ab06913356f4186fd057e560b252

SHA256
ba1a8e7c2843162e68d241b1103654f961378a84095a76b6b9c70a8a2dc9059c

SHA512
2939a69886a098d9b3ce5d80fc5288eda451d752b56a005a7d6fd2aaf0a20fa2b9f76bba3d5186622d9c530a6f0bcfc26b3f5824e03732c1ecbf4059eb82c55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Forlorn Executor.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Forlorn Executor.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Forlorn Executor.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Forlorn Executor.exe.WebView2\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Forlorn Executor.exe.WebView2\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
852a4fe1c84cf666b8395489f93541de

SHA1
c92da347a0d7c1c60404ee5eaa0fdb1f848a1150

SHA256
305b94b01e7c4e6de59452980069c5609dc0e4ce792218eb336e36765333ebef

SHA512
f08f8b2456bd396671bc1b8651f5ab76fa3c02c6161a2f6f51fecad2a24bc348ba23694da870fdcedf16e715cf8d0ee385b5e0383abd4e8354871ee86ef3b102

Download Submit
C:\Users\Admin\AppData\Local\Temp\Forlorn Executor.exe.WebView2\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Forlorn Executor.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\workspace\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
6KB

MD5
61347ade0b692d72c454e56c3c939fa9

SHA1
30eee46ca22ba3f0ac9e0415b17adfc1acd4aaef

SHA256
735a98a1965408855bf46eba9e0ad60a26ec5da5c171f8eee9840e4d35ec1ff2

SHA512
8cb5781bfef805ad5754072ddfc0b2f51410a369308b83b5c2e1921845eb8d6765f14913ff8def21ded6c53f346647e923b24e3fb4580f85e1d872c833a15642

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
6KB

MD5
6e6a1e182da859d032cabbf9e727ab69

SHA1
edd3d4b37194d5cfd2ddb703b40f65505ef4e589

SHA256
dd2c11dab2a9ee97530eeb58653b4b70ee04eec870012f0b5bebf45daac20524

SHA512
37dce806e7f890b55a58b369eb572dcccb5a6a64f1469c84d5f2329564f3bed237bd0d7a4e255a54dbc1ecf665bf0b4f43d34d0b262010c9869f1e1f228e484c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
bf046ebd04b95fb3860716e42ce6910b

SHA1
f266d5894ddf01fd93880a0d7415fda881d12fee

SHA256
e1de37ef40c94bb3cd4179062c3d020b80868d035f672c9ace0e2dfdc987be49

SHA512
100c93df86850e66e290272f00fe6cdab624ee724a86a71a47118ec1b1608a3762258e930b3b28bc2d4b965f28519755a00bdbaddcc878fc753c66b1274ad8fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\4d2a16c4-7385-4d76-ad63-4361d6071a13

Filesize
671B

MD5
211cec2474b0ba3ccdcc2a2d9367b1c7

SHA1
72d94bb31c9d7fcd3af92502ca4d1910d272777e

SHA256
2cc0a27e934af5e8debb31a7f2a78821aedb99e6ee5b678ee641763fcca191c9

SHA512
e70c5a96b3cdfa7a055d4585b113372fb6f66db6d76e7973b80169c19924f4715d55899f1c4f4203b4635e55479adb68a386c6e93ebbf26b71e267ee223c98f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\ad48208c-42fb-418c-bac6-884b76e5afb6

Filesize
982B

MD5
51dc5f5ce58e22109b221d9a3b4eaac3

SHA1
b485db4c1598e93efa2ea1cc620a3e818b9e700d

SHA256
741dd576105fa7550a7ae7e1d75c329859d9d1be200cd325c64cdffada2a21e2

SHA512
9e3793f1bd3c0fabd250d48b66184299089b9044835eeee531f17b612063df5779d8fcc03510980faf0e1927245afc0f1e7e1db3b3f206538b66de09e5d7caf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\c50c6a15-2348-4259-ab36-695425051a26

Filesize
23KB

MD5
4378d50f3d2c69d7c61caaa39f7786d5

SHA1
6fecf3ebfe590760066d1b865c507bf7505478d1

SHA256
8438f31bfc28de4ed0dc447d492981f51a202bd7861cc8d31c1c4ad36906d3b6

SHA512
1d36ce4cb582c0360eb4907b5ffb3b215969072d614c129324feb777c5944b0119458b59bc58cbc531e2e7aab89be16ef51b684ad6c868a84cbe012f53165472

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
10KB

MD5
93e27299b85a52246739b0e1124fc79e

SHA1
f94201c6e7d921675e521d5ab72d27ba53a407d1

SHA256
9f66f78de77b5ba552ca80a9bd7fc3569608ccc992e3695d82a184af30fa32f3

SHA512
29d190d062da9e9e453aaafcb19ce54cd4b17e1da8b406fbcec33c4f80d8e09e89e219277b56779b123fd9220c5ddbf567945835abe44ec117a867756f4b73c9

Download Submit