fantom | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

Analysis

max time kernel
449s
max time network
433s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-12-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fantom.exe
Size

261KB
MD5

7d80230df68ccba871815d68f016c282
SHA1

e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256

f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA512

64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
SSDEEP

3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score

10^/10

fantom discovery evasion ransomware

Malware Config

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Fantom family
fantom

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 664 created 4076	664	taskmgr.exe	80
PID 664 created 4076	664	taskmgr.exe	80

Renames multiple (58) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	Fantom.exe

Executes dropped EXE 1 IoCs

pid	Process
3888	WindowsUpdate.exe

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	Fantom.exe
File opened for modification	C:\Program Files\StartDisconnect.html	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	Fantom.exe
File opened for modification	C:\Program Files\ResetCompare.mpg	Fantom.exe
File opened for modification	C:\Program Files\WatchRepair.xlsm	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	Fantom.exe
File opened for modification	C:\Program Files\InvokeComplete.crw	Fantom.exe
File opened for modification	C:\Program Files\UseResolve.3gp2	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	Fantom.exe
File opened for modification	C:\Program Files\LimitMeasure.pptm	Fantom.exe
File opened for modification	C:\Program Files\SelectBlock.xls	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	Fantom.exe
File opened for modification	C:\Program Files\SubmitPush.pps	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	Fantom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
4076	Fantom.exe
4076	Fantom.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
664	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	Fantom.exe
Token: SeDebugPrivilege	664	taskmgr.exe
Token: SeSystemProfilePrivilege	664	taskmgr.exe
Token: SeCreateGlobalPrivilege	664	taskmgr.exe
Token: SeDebugPrivilege	60	firefox.exe
Token: SeDebugPrivilege	60	firefox.exe
Token: SeDebugPrivilege	60	firefox.exe
Token: SeDebugPrivilege	60	firefox.exe
Token: SeDebugPrivilege	60	firefox.exe
Token: SeDebugPrivilege	60	firefox.exe
Token: SeDebugPrivilege	60	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
664	taskmgr.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe
60	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
60	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 724 wrote to memory of 60	724	firefox.exe	94
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 3280	60	firefox.exe	95
PID 60 wrote to memory of 4576	60	firefox.exe	96
PID 60 wrote to memory of 4576	60	firefox.exe	96
PID 60 wrote to memory of 4576	60	firefox.exe	96
PID 60 wrote to memory of 4576	60	firefox.exe	96
PID 60 wrote to memory of 4576	60	firefox.exe	96
PID 60 wrote to memory of 4576	60	firefox.exe	96
PID 60 wrote to memory of 4576	60	firefox.exe	96
PID 60 wrote to memory of 4576	60	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:3888

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:724
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50af24cd-3d27-400e-b2ab-79e83104018e} 60 "\\.\pipe\gecko-crash-server-pipe.60" gpu
    3⤵
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cc568e6-96f9-45c0-a438-7a554481fc1a} 60 "\\.\pipe\gecko-crash-server-pipe.60" socket
    3⤵
    PID:4576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3148 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d21527c-62e3-43fd-8479-47d2caff5e91} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab
    3⤵
    PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -childID 2 -isForBrowser -prefsHandle 4008 -prefMapHandle 4004 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6e5337c-0966-44d9-ae26-80fd913eab1f} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab
    3⤵
    PID:3292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {307a18d7-f2ac-4e56-8a23-6497fd580c98} 60 "\\.\pipe\gecko-crash-server-pipe.60" utility
    3⤵
    - Checks processor information in registry
    PID:3092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -childID 3 -isForBrowser -prefsHandle 4964 -prefMapHandle 5140 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7030270-e48a-43c1-984e-bffda4d19a6b} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab
    3⤵
    PID:5976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a45eb218-4c0b-4258-a4e0-f83f260584e7} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab
    3⤵
    PID:6000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 5 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5b3287f-ce0c-4968-bb8f-2b572329c0af} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab
    3⤵
    PID:6032

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\02b994c0ab114d01b2934a5e20932169 /t 4724 /p 4076
1⤵
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg4xad17.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
ef99d836f44c03915aae88db59f736ef

SHA1
b64ddd6049775adeba0770f7a243ec26d2bb34ac

SHA256
5324cf0732e63ddafd80fdf273d34eac74b6e1e0d84f807e46414e678ac9bb42

SHA512
adc8aed9af99ffde4ae762d68dbd4d32a7bfd7b808c69f74e98893b1a04b753b9d2cb8e1b9219531f7d443771e5189c137b11b2b8e1d3bc632ea57963ae7a417

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg4xad17.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
b28a4fe4339a8a5e84b185febfba57e6

SHA1
cc5945ba088c1c41d9a72fe2bbf447f84e3286c8

SHA256
25cc0a396d670e8c8288db3fa5ca2c306c1a2847f0021d5bc9effb4d51e50e97

SHA512
af50a2015568268841390c02d39029e35ee6ca36185b9bf319b4c3419c41d13967c938ec025303c4edc107817fcb2031305e65d3eda7d4898a81e1183732d58f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg4xad17.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984

Filesize
13KB

MD5
48638692d43e2a52f5ccf374d8a8d747

SHA1
8f83611b2b9b0d10700e5d2cec0ff78ef8726fb1

SHA256
694e151a59b1075bb09be88376309c3fbb6485b2618c12a0ada8cbab78c53cf4

SHA512
290613096cd63dd018c1adb3d19dadecf0a0858399b37d7d1bc21474fbdff36da970d52d9f3448394c3fa22955482e3efe4ba5038754cea5fdc197530bfd9d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5Q3LRG4C1NV5HV967LR6.temp

Filesize
7KB

MD5
553cdd010ef494f23a636e19a7231067

SHA1
1e085b497ae04a9ec6953e386ea965ae3b733fd5

SHA256
34f4a12c9bbcf17ab05c277c95535a34ad8b956d7063cd271aa1565007159dd8

SHA512
559b921ed05cec9e775aea9629f3249e7252902cf43fcc163cf289f69b495a275e7c9d8fbff441d1139d5d02f180ab4389743ce4c529bbf71b20abc2f6d18f5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\AlternateServices.bin

Filesize
8KB

MD5
ca38a67c6cbd661088a5214f312f1605

SHA1
3058d56c75c9084fee396bbfc450c2d13c15db53

SHA256
0a95de62441ad35870a174a51b55973ded88b4ff66ce82c8513d5a79e52641d2

SHA512
1059fcdc93f739a0943e4fb2e6d296cdc93792727132b78a31304ccc36a193f09f1c4f47050b016913487e83323e8575b43093bec952c99d10a88614ec1352d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\bookmarkbackups\bookmarks-2024-12-21_11_AABdb7jMUgXlTl1VNh58gw==.jsonlz4

Filesize
1011B

MD5
7c81899298488e87e76966a46d6802cf

SHA1
5de4868b8e4b6949a99b84233c105e459f938924

SHA256
679d9dd9da7193507ec56d11433d6d09e4597c280a7156848cf4f5857caa2b0f

SHA512
35effe0a8091c186fed57fd2b5cbdaef7db06c011b0f18cbb47f371c481788dfbaea2ab2c66703813fabee623aeddcdf570f572232a9615eb02634e470fae9f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
08615a43c66413096045880a1827a10e

SHA1
ab2fca16fa0fa12ac2546514eaf42ace5d4caa74

SHA256
0dd4cca9057cb9348d2bd9fed245aab324b3f53ad4c6466837dac9266f1a622c

SHA512
2a45a306551b06549582b9e2b9a45fcbe5672e99713b35ecf241fc83a9a4e840d33fe51cc4d2b3b12fc397354e473126e0ac62de2b26216b3bb2071b09cdf56c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
7dda246fa2700e89e45c20782c6e2a7e

SHA1
18d9d2ff58a06fad55131fee7e69d3f1a3dd562c

SHA256
8388980f24c5c5ddb6d45b682d4abdbf03e1817baf9f1c61baabe149d875cac6

SHA512
7e5eb1a8d6c5cfad45a964951bba7dc365d7d94d11bd1de5523db987859f83ea70268aae4d054848283a2b621cd40ec1002933ec0536be0b4b5808f01686ea16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
1e886d0acff146708c1a6e18a87f0007

SHA1
3d0c0fd91f240d907cfebba31aa4201c86b4a836

SHA256
078f450fc19125153c5c92d892431e4124b3abcdcd90dc3ffecbf68c5aef504b

SHA512
8e5926542fb04bd3f57112a865b0d0202aea313ce4335219075affefdcb5052bb843daeb379e1d181cad0bedc1c63f0ac72b7602fe36fb4f1f4b8f6aa2fb1436

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\pending_pings\38543be1-4e25-48e9-b85d-a3d4e2186970

Filesize
982B

MD5
34b0618da3443eff6503ed601f2ab7dd

SHA1
c6be707008550189c5746e27682cbc84024883a7

SHA256
4e02dbf71d805aa7ff24f36965528ac4e01a4907f5d4a8eee3144d0fc52fbc22

SHA512
fdf7d95225f95d4199cc4d139df955cec711532f11ff0c962c2e907dfe1e49cd4d20819b8ba24655e80ad9d8b14ca522f02c6f0e714ae8767417dccf24756c4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\pending_pings\412a103c-b4ae-4af1-925e-54d4c38a20f0

Filesize
24KB

MD5
0494520be04c98455d1dc4556fec4fc8

SHA1
7fcd27fa4b91ab464a0e1f28f8a5ee12f1c20f4c

SHA256
b9db206fe94dbf77e4343b3f13fce31c0e8c36189654ab25fb285cda12ab7cd7

SHA512
aa862482c9a986d9b9f23a866481d3f5ec090dc603f3ddc68b9c67ad5e3c6c23c18b8171116b4819f226133671ab43e6b6637d771bf2e3dd80487e831914c6bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\datareporting\glean\pending_pings\f3fe2088-1775-4cd0-a0c0-784a7d8de992

Filesize
671B

MD5
c58149f20f6d71849f7f937f13f35ad4

SHA1
2aa61f3e16d42b65e61ea807b604f98c53321294

SHA256
76c3d42c2fcfe2d976d8885cecccd1e27c0b5906989767abf430947abc97a61b

SHA512
74a58dc1fa349534445bddd0fbe002d027da4530f2bbe8319256b27dfdccf75769a56a4e76e632eaee00462bdaa1d04e0f0deeeb729a77b0df4395d1d5936db5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\prefs-1.js

Filesize
11KB

MD5
e72a9a0a4ed657d14c88f72ef73f0a32

SHA1
8d138fb6b97f477887b2e1cc9e5374c8d7ba241d

SHA256
e69389404db9230981335aae96d89c10222a17e444614b86c875adc91798d7be

SHA512
db8bc608faac97eff0cb013b717e044dd9d402888bae7b5943e3e83d0e55caa08c80e82b290331753b885ba88226f6c68388c7394f9c984e54bf46af04b04502

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\prefs-1.js

Filesize
12KB

MD5
84298cdc239cf1a054dacb5b992ad9e8

SHA1
9562f27bcdc8b30bd84258c92da275bdf179fe3c

SHA256
3df3604764c0c4fee71cd9604e8563730d113c66ffeb4d500eb0e4f31ae02fa6

SHA512
2bd82e37b01b169750ad7e04887a585969a87a15cb4f003f81c494933982b43fccd45149bc530d310dbd6272e3a0ee4cb4cd711880a86f709e5ddd0ae4cb50ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\prefs.js

Filesize
10KB

MD5
95b400668d8a274d5b0d3a2009f5a23c

SHA1
2c5875e0a6369c670eb83114cb3fe30b4372f4b2

SHA256
2a6a961468d072449ca1b872675d0a2e14402c123754628f3f5d2d2acb256bcc

SHA512
f1b8dc9bbb0fee674ffd980673f7e6f235f6781f0c489e3a32fe4744dc0d67d5af8f429543f7d3bd5e65a95918822647d7c72ef597ba245eb79c89c704825dde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg4xad17.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
90cb685ea05b829694b3312948c8becc

SHA1
1bfb82cc82654c640acb1e1cd6a2f4bd7992e829

SHA256
54c2985cf4d3aff1c1d3504e3f9be6b15d2e631b433a67c57c2c9f988631ba3c

SHA512
d8533a6ad6eb22870ea3ecd94401acd3008c0e19c6090a31fdda44fd09445a0ffea81787bb069ad41b8f8596b041b8a07f65598854cfa0e76b5f839b1a8e550b

Download Submit
memory/3888-512-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/4076-52-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-40-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-32-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-30-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-29-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-132-0x0000000074A40000-0x00000000751F1000-memory.dmp

Filesize
7.7MB

Download
memory/4076-26-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-25-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-133-0x0000000074A40000-0x00000000751F1000-memory.dmp

Filesize
7.7MB

Download
memory/4076-12-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-22-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-20-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-18-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-16-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-10-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-8-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-5-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-59-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-44-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-134-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/4076-135-0x0000000074A40000-0x00000000751F1000-memory.dmp

Filesize
7.7MB

Download
memory/4076-36-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-38-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-34-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-42-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-46-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-48-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-497-0x00000000054B0000-0x00000000054BE000-memory.dmp

Filesize
56KB

Download
memory/4076-51-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/4076-638-0x0000000074A40000-0x00000000751F1000-memory.dmp

Filesize
7.7MB

Download
memory/4076-54-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-56-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-60-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-62-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-64-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-131-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/4076-130-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/4076-129-0x0000000004CE0000-0x0000000005286000-memory.dmp

Filesize
5.6MB

Download
memory/4076-66-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-68-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-14-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-6-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/4076-4-0x0000000074A40000-0x00000000751F1000-memory.dmp

Filesize
7.7MB

Download
memory/4076-3-0x00000000024F0000-0x0000000002522000-memory.dmp

Filesize
200KB

Download
memory/4076-2-0x0000000074A40000-0x00000000751F1000-memory.dmp

Filesize
7.7MB

Download
memory/4076-1-0x0000000002470000-0x00000000024A2000-memory.dmp

Filesize
200KB

Download