vanillarat | d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930

Analysis

max time kernel
1041s
max time network
1044s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20/01/2025, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite Checker.exe
Size

883KB
MD5

5ff30ec323f9e6ec632ea3b2180a1cbc
SHA1

aba95d8f4f7f634170cbad0461a3e6e0a4574059
SHA256

d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930
SHA512

e990b1de0d4f6c2f830bca0ddea747ab733289f8fc45f2da1b9e20128b9eabb51c8f2ed62ca0346bdbb20ca73b4ab871e2a0298e1f4df9d559d4bbee41cce66c
SSDEEP

12288:GToPWBv/cpGrU3ywFm/byWr+5q+LViWdEVr9WoMwtubIwyqd7zw:GTbBv5rU4/b9SDmVr98w009qdHw

Score

10^/10

vanillarat discovery motw persistence phishing rat spyware stealer

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat
Vanillarat family
vanillarat

Vanilla Rat payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x00280000000460ed-20.dat	vanillarat
behavioral1/memory/4376-47-0x0000000000270000-0x0000000000292000-memory.dmp	vanillarat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	Fortnite Checker.exe

Executes dropped EXE 2 IoCs

pid	Process
4376	Fortnite.exe
2160	FortniteChecker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fortnite = "C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe"	Fortnite.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
1346	discord.com
1645	discord.com
221	discord.com
1643	discord.com
1646	discord.com
200	discord.com
202	discord.com
262	discord.com
1344	discord.com
1347	discord.com
199	discord.com
201	discord.com
210	discord.com
273	discord.com
1343	discord.com
1642	discord.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
837	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fortnite Checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fortnite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FortniteChecker.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	FortniteChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	FortniteChecker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	FortniteChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	FortniteChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	FortniteChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	FortniteChecker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5600310000000000345abc091000526f616d696e6700400009000400efbe2d5afc6c345abc092e000000070904000000020000000000000000000000000000007f11110052006f0061006d0069006e006700000016000000	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	FortniteChecker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	FortniteChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	FortniteChecker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	FortniteChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	FortniteChecker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000	FortniteChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	FortniteChecker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	FortniteChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	FortniteChecker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	FortniteChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	FortniteChecker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 820074001c004346534616003100000000002d5afc6c120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe2d5afc6c345abc092e000000060904000000020000000000000000000000000000001dcbbe004100700070004400610074006100000042000000	FortniteChecker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	FortniteChecker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	FortniteChecker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	FortniteChecker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	FortniteChecker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	FortniteChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	FortniteChecker.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	firefox.exe
Token: SeDebugPrivilege	3828	firefox.exe
Token: 33	2564	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2564	AUDIODG.EXE
Token: SeDebugPrivilege	3828	firefox.exe
Token: SeDebugPrivilege	3828	firefox.exe
Token: SeDebugPrivilege	3828	firefox.exe
Token: SeDebugPrivilege	3828	firefox.exe
Token: SeDebugPrivilege	3828	firefox.exe
Token: SeDebugPrivilege	3828	firefox.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2160	FortniteChecker.exe
2160	FortniteChecker.exe
2160	FortniteChecker.exe
3828	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 4376	636	Fortnite Checker.exe	83
PID 636 wrote to memory of 4376	636	Fortnite Checker.exe	83
PID 636 wrote to memory of 4376	636	Fortnite Checker.exe	83
PID 636 wrote to memory of 2160	636	Fortnite Checker.exe	85
PID 636 wrote to memory of 2160	636	Fortnite Checker.exe	85
PID 636 wrote to memory of 2160	636	Fortnite Checker.exe	85
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3816 wrote to memory of 3828	3816	firefox.exe	88
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 3572	3828	firefox.exe	89
PID 3828 wrote to memory of 2116	3828	firefox.exe	90
PID 3828 wrote to memory of 2116	3828	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Roaming\Fortnite.exe
  "C:\Users\Admin\AppData\Roaming\Fortnite.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4376
- C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
  "C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2160

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1864 -prefsLen 27153 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0436afa-0f20-49fe-99d8-94dff3ccbf43} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" gpu
    3⤵
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 27031 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ba3e27-bb60-47c6-ad6a-0c70d8f078ee} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" socket
    3⤵
    PID:2116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2808 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f78592ce-375d-41a2-a950-c128f1a1d187} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4112 -childID 2 -isForBrowser -prefsHandle 4104 -prefMapHandle 4100 -prefsLen 32405 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a6c1fd1-8e8e-4de4-bc80-fe6faf050b19} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:3120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4840 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 32496 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82a15c4f-0cc9-493b-bd95-77d8928630fb} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" utility
    3⤵
    - Checks processor information in registry
    PID:4804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 3 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0f2417a-dbed-453d-9dfa-b6d98b954f29} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 4 -isForBrowser -prefsHandle 5480 -prefMapHandle 5336 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {737a5934-6e3e-418a-a4af-c7d5fd33246f} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:1044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5632 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b6b511e-4b16-44ae-9fcb-53daa49d19b3} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3852 -childID 6 -isForBrowser -prefsHandle 5840 -prefMapHandle 6176 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89cea3a2-c2ff-4ec1-90b3-7617235a825f} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -childID 7 -isForBrowser -prefsHandle 2632 -prefMapHandle 2548 -prefsLen 33831 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed2792f5-5f75-4231-b120-3e8df4f696e9} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:2996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6404 -parentBuildID 20240401114208 -prefsHandle 6392 -prefMapHandle 6396 -prefsLen 33831 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dccf8211-1d69-468b-b5e3-f2ae8d4dd04a} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" rdd
    3⤵
    PID:3104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6172 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6576 -prefMapHandle 6292 -prefsLen 33831 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c91755fb-eb56-41c7-a1dd-140b2f973764} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" utility
    3⤵
    - Checks processor information in registry
    PID:3960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 8 -isForBrowser -prefsHandle 5728 -prefMapHandle 5744 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9545cfa4-dae1-4b5c-bdbb-7c895b43df9d} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:3576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7088 -childID 9 -isForBrowser -prefsHandle 6120 -prefMapHandle 6912 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdade144-54bb-4310-82cf-ac9e8d8a4280} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:4216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6876 -childID 10 -isForBrowser -prefsHandle 6772 -prefMapHandle 2548 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b5c74bb-e433-4e56-8e0c-1add9390431a} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:4016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7640 -childID 11 -isForBrowser -prefsHandle 7216 -prefMapHandle 7012 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1129c0a9-a033-4894-a75b-491158979928} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:3864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7124 -childID 12 -isForBrowser -prefsHandle 7756 -prefMapHandle 6756 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e6ff1e7-b37c-4d04-837b-c9edd528e347} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6924 -childID 13 -isForBrowser -prefsHandle 7848 -prefMapHandle 6972 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c42d1e6c-94de-44b3-9377-caa4b18cb78d} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6820 -childID 14 -isForBrowser -prefsHandle 8072 -prefMapHandle 7756 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {247f43cd-673b-4664-9e5b-33edbb1676fa} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7708 -childID 15 -isForBrowser -prefsHandle 7672 -prefMapHandle 7748 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c83e1e69-49c1-4f22-9804-a6bdcfe09b25} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:4720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8792 -childID 16 -isForBrowser -prefsHandle 8784 -prefMapHandle 8780 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0fd855d-675f-4d56-ba3c-5cf7b6465bd0} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8928 -childID 17 -isForBrowser -prefsHandle 8936 -prefMapHandle 8940 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8d37121-9c89-4f52-a91b-1f6a61aedf78} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:1108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8996 -childID 18 -isForBrowser -prefsHandle 9128 -prefMapHandle 9132 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38569a87-96e6-4ac1-8080-6625cda8ee95} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7920 -childID 19 -isForBrowser -prefsHandle 9172 -prefMapHandle 6920 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0aaa2bc-586c-45c6-926e-3245d4dc3ca3} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:6072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 20 -isForBrowser -prefsHandle 7716 -prefMapHandle 9168 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {774263ef-1e18-417c-9745-f77a10908ad1} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:2716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9332 -childID 21 -isForBrowser -prefsHandle 9592 -prefMapHandle 9588 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77f6dd0a-4767-4dc8-9304-5adc43dda0c6} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:1884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9708 -childID 22 -isForBrowser -prefsHandle 9792 -prefMapHandle 9788 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c96e0e1-94de-4d2a-99a8-22049f96b7f0} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8728 -childID 23 -isForBrowser -prefsHandle 10200 -prefMapHandle 10068 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b44386e-0131-429f-ade5-f4f640cd87d4} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10356 -childID 24 -isForBrowser -prefsHandle 10344 -prefMapHandle 10348 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a96382fc-c17c-4ffc-a74c-c6a02d5c6a26} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10436 -childID 25 -isForBrowser -prefsHandle 10428 -prefMapHandle 10336 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {874d1c35-38c6-4900-a337-dbc8541d0841} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10464 -childID 26 -isForBrowser -prefsHandle 10560 -prefMapHandle 10556 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {004049c3-b068-4334-95d3-a65136a6884b} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11040 -childID 27 -isForBrowser -prefsHandle 11032 -prefMapHandle 11028 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b511319-3bf5-43cf-8ffa-211231c6ff93} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:5132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11260 -childID 28 -isForBrowser -prefsHandle 11280 -prefMapHandle 7628 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {265da910-62a8-4ad5-bd70-81335f8b4820} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8720 -childID 29 -isForBrowser -prefsHandle 11472 -prefMapHandle 11476 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32f2defd-7901-4e69-a382-20340cdab679} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:6460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11572 -childID 30 -isForBrowser -prefsHandle 11580 -prefMapHandle 11588 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e45f3d5e-4ee3-482f-83fc-d950d0c564c4} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:6472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11780 -childID 31 -isForBrowser -prefsHandle 11068 -prefMapHandle 11028 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76cc7411-2c39-462f-b286-38bfb6fc5668} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:6484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11464 -childID 32 -isForBrowser -prefsHandle 11564 -prefMapHandle 10860 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b38af231-7b48-431d-b74c-0466a5db3398} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:6800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10364 -childID 33 -isForBrowser -prefsHandle 10384 -prefMapHandle 5144 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec1514f2-5d1c-44d9-9351-fc4a4ee380e7} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:6828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10764 -childID 34 -isForBrowser -prefsHandle 11512 -prefMapHandle 10412 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce4abcbf-f6e5-47de-8bc2-2ac2efa6d523} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:6816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 35 -isForBrowser -prefsHandle 7024 -prefMapHandle 10980 -prefsLen 28288 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac8c3353-eca7-4292-b6e4-d26050dde35e} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab
    3⤵
    PID:6880

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x298
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0totb4wv.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
293001c65453abe73c195e3e56338357

SHA1
1fd8c227e8d19d6af6c78ab3b4e72bb7012a3ebe

SHA256
93c74c3446c60617082b293c72b7ad9b1c75a9eb2d6965b34d51eb88894deeed

SHA512
3511c2e8a0b4181d93e0dfad9814118aed8f76e6bfe4bb98f4713f5be1da97d5152d82f7afa977f5d16f25f5a7c19e6f048a6c46b271e671d289fc629bb49009

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0totb4wv.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
f24bb4b45d97c3c03b8c965d390efbe4

SHA1
3280cffc0457d777203126bfb8154f8cef210e65

SHA256
868256a215b35d29a1dd85f9dbaeaf370e0c58edc094ec6904932332e4a722bb

SHA512
74489a608a595c15d81e3e8267188caa244f35db87e80cde705ce32400ede053d50a3c749b7847b0146877b6c82030ebe3dad69a5e4c1c4dc02425f834b59f34

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0totb4wv.default-release\cache2\doomed\26455

Filesize
7KB

MD5
eebca609bda89052df34aa4699199b67

SHA1
fb8d9c15c1f2d3217762a0a7111d7941e220bd85

SHA256
52e263365db8605360dee8aa392b61311cc1055fcee32bfb8b9a2f3fe7157c3e

SHA512
df83741245edc792d79206db2fded6318480c57218d822440744fe6edc5e291f79bd56de89d46afb84d8b92c2c3af69ca275bc909ad71e3606c6d2021a23b1d4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0totb4wv.default-release\cache2\doomed\3644

Filesize
7KB

MD5
c05154f0d6107c3416750605b838e9b6

SHA1
b82c1145233efe54d9c59ed929989a19b5d59474

SHA256
815ffc01aee3c46b425968815ff6fbd7f021c51e988370d6d003977d2e4543d5

SHA512
fc623457db6e013f49d61fa56d616763d46189b53e53be4cc3d721d46bb28552de66a14a3ca0a267704c801beeb9f9dc25f98d1694ae8ad8fa6356ba83273be4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0totb4wv.default-release\cache2\entries\2C9A88C1C99E2E1361D8B8305E9117D273C40BDC

Filesize
122KB

MD5
cdd7d12f11ea727e22772dbb7206bf29

SHA1
ed9ee3d73f8b4e22e9ce39abf60db64189959c99

SHA256
ceed1a87b09b8471f252991340120e24c6a62606893bb3f2fd12b6a2ba267af1

SHA512
b655ee2ef748c727bb33201ce40329967697deb5cee7577ec762b7d821db5f00db728347e10282e98667cede92d1b195bd7fd5f74fbf013dfe3152ea18f640b9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0totb4wv.default-release\cache2\entries\3A37EED3D1E6B3845C02BF0570CEDAEFF93A93F5

Filesize
76KB

MD5
e766a64c8bfd66248e8cb11d7bdf030b

SHA1
a2c8fcc929a90cd67fcab17c0b65d183c0bdb9c2

SHA256
4b47c21a616512f9f5d6ed02d97a78733415fcaaa439ba190f93e4ad3c8d3f7d

SHA512
a6edba428abc6d1a8302ec6c6d6700d0e7d82aa8831bba82db46e6e15b6f0926617129e05b1c38de62003177299c599d03b98865a3b56565f98561d616d43e68

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0totb4wv.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
13KB

MD5
b1ac217b18cf453ad95bf7f9ac9e61a3

SHA1
2f2f504be7f02b9024388be5d91c5d403c539006

SHA256
717ef9ef0cbb0d364c5aa1a2097bd89276cf5b934dbe6bdb8365c2efacf62767

SHA512
0308f5e39e0a2a0a5780cba50bcd5ea4fc4e422b177023b27e7c4efe6507ea75e55e3eb75e101c875a9481ee39fb39a6d732ed35802cfeac0d8887dc8299d0b9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0totb4wv.default-release\cache2\entries\ABD6D091A44A26BB506FB5835B3E07D27ED94AE8

Filesize
40KB

MD5
1146ee9920d7567c92ced7d1c8b3f216

SHA1
cd988e2982f31bbbc5a68649689e93ec7d072477

SHA256
18fb69ab5b4a089fcf870706c8b342c9c9d10bb7ee123fdd95488c9aa58cee7b

SHA512
0ae8cd0fb566c0102549823168c32bfe5e963eceb9ebecd036481b4b160727f493b582fbf4ea8a6fbf9b9f18c1b117ae59683c8218f22ef3134167bd325a1515

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0totb4wv.default-release\cache2\entries\D458BBF0DEE61870B6EDD64D02D19BE3B398438E

Filesize
13KB

MD5
34b9ec0de81e484eb317abe157aa92e7

SHA1
680d9a21ad3e42d27b826ac686504cba23a86fa9

SHA256
b9bbfe9f9a1c5086d8b4409ffb2d5d328334f049e1637ae113f7e391b71f3b39

SHA512
3c52cd307078295e5231f6eb7ddcede71789575c20bb9a484e1406d80409f8ec0b0c4821e7c9ef34361fab16987555da0b33c6da872260cfd6170a5c13bfa646

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0totb4wv.default-release\cache2\entries\D87FD446E662296EA7458FFE88DC63D972D93962

Filesize
61KB

MD5
89a117f41fc4ecd5f838a99c109266e2

SHA1
e1f45d0b6039d69d427693156b20a8aeae0992f2

SHA256
1850b5b48b2ac93a4a82b98628580909e104bb2bd7feb5ddaecd4f3180a9ee8e

SHA512
2e8f46799f406310a9ff7d7eeb3a85d13463b370b80e8b5e1c9bf230f18c1578081a73da09214971d6c54534bc6d82912cb51cc595eaab3aadfb2c74b9fb4a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Fortnite.exe

Filesize
114KB

MD5
4bd20275a3148a44bf040367a43f6fe2

SHA1
4faa5b6fca5f3b31b00995b4372f635b1ed3a019

SHA256
98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336

SHA512
ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

Download Submit
C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

Filesize
83KB

MD5
f5d8bedb9dcc17a0a356f2f3f621971e

SHA1
76ed7763602cc198be87b3eb51949f54ae9c0f9b

SHA256
355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe

SHA512
ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

Download Submit
C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config

Filesize
184B

MD5
13ff21470b63470978e08e4933eb8e56

SHA1
3fa7077272c55e85141236d90d302975e3d14b2e

SHA256
16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a

SHA512
56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
6b131aabe4329527079b7039d4f67cab

SHA1
b0484ac93db98b3d2bc2a0cac21c8686e88cf85d

SHA256
62fc42503bfbd01995a8f05fc6a9b1db34d467f8be5d0651b2675c12892b463f

SHA512
0cb242964627fb546d5389e8725a2076284f972836ca74a1b907bc68d35ab6337241d0aa33dd040706f2587b128b2d2d0f4e6608bef2d1f2276306797643ea1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
17KB

MD5
911cb30675ea963344ab2d167f5f4994

SHA1
169697cd3d0fb1da3f1be9d6851385688fcfbdaf

SHA256
fd6ac13b55816e6d2b6818ed470a6e507339bfc64c45aa374b7358263a262769

SHA512
4ee98996dff3664431b46b12383d31df10ba3bc05a2d01d4f79fce6f4bdca36aeb456aa5a011129122e10a72c0c09c380c9c915097ac56d743a15859a29114c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
10KB

MD5
60211285343b459d29b20154606ec014

SHA1
ae5c71c2d60f9a82b2bbe4c623009912015f92da

SHA256
a85635fa9699ed3c0b74978a9a3345a895c061f8bd84d9c6eba3faef3675df91

SHA512
67ca5afe4230214bb64ff6c4d923270a58f7755d5701372ce51f0d5db06b523434ed9d179ed9ae823db30c0c59a8bdb0beb94b583fe11ff8728cea2d3494dd6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\AlternateServices.bin

Filesize
8KB

MD5
82cb411fd7d62adb677ecb80c0acc95d

SHA1
240ef29ee307022191ae8b169e20b06dd1be6a5b

SHA256
336435a3a4ecdedc392508ddf03028aecc20617c75c80e48d8a559523c9743eb

SHA512
c6e952c1f6acfb6be86d9b07bff09a704024ebd14a3985bd749ea817e1f6324e3c722663a2917bea785b6cdf3f0b8ffceca5fe978d24af743cd40cb02e3b1b84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\bookmarkbackups\bookmarks-2025-01-20_11_Nz6lCJnFMhy6sicHDmGd6A==.jsonlz4

Filesize
993B

MD5
db3fa2f33174a2c3fefb95acfdbf179a

SHA1
e0aead6be61c11bcf60e0a63efe55c34cf7fbf56

SHA256
9f047485203912b82e4aa579015690f1ad2d21086fe1b6ab18b6e79d0b4b9649

SHA512
289547065a28642dd021c650bc0c9dd26be1a48d46535d424ab7b0cc06263a9d9ac30cb179fd858df1020edb452e7b98cdf876c80bc06ce35ce5249da86868b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
107KB

MD5
7678aa7559470ff727c803a122c306cb

SHA1
4e69448349203fbd3e9405d7c2a5971608559ea2

SHA256
76f9ab441d06edf95efbd6078048cf34e8b7849576187dc0a3e7591ef0cc03a9

SHA512
bc13383c54873bc17b38fdc507154a3b5fd04e9bd33993bb0567790f87563560d1772df2f9132d17e4cff8f869d92f5737c6c6266821e118049372a35dbaa4c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
109KB

MD5
f550c8ea65ff295776c6d37260ef9bbd

SHA1
29dc3a54457bb4f27c9b5a7c13be1ab6d64da2d9

SHA256
518989cb617dfcba33d56b9b4d8995fa2fab6acd8dd3a3481397cdc944c2723b

SHA512
d753bb80c543a3a4db2b26fa451cca2d94110b9e78d61e23c04a88e2fdd0c96379a6cc9e40ee80e789ada28aaac1e07a3fae2b5c370e61031ac9e9043fa95a06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
107KB

MD5
aaffe8004ad809dfde2a3f61426e1934

SHA1
828ce62dae320b87902af3e2e2b24eb33331b5b8

SHA256
bc23fd31ab09f3ae1c3efdf58cfc58bfa5ad8a3172555f5fc1bf0c0f9fe49ae0

SHA512
e13a13738bd1326194362b55b812a8127335176af4cf79d3c330d0ee02d998ada9307d1403bfd339f98758fc2aa3b6a6554e88600273a8073501f5ff6b4e197d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
73237e08ec307e7e98aa17aaaf76d7ca

SHA1
804e4b9860a7c6921bb265d296bd624da37a050d

SHA256
d6d8ea093bb166e22f286479554cd3ca4da1c7619a4c6bc47da0e317e8e4f03d

SHA512
47c96ffca23df931320998a795f42f2ad954657b9b99f842e88e008b1754fd3b76d8b9cc4570f0204e0c2c423cee749a9f0671569b85811139383db896310360

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
1d106ad65dc425141fe87dc064f05ec0

SHA1
6bec43ca6c9e52df13ab86ba380fb195ee671ff9

SHA256
aac74daacae183251e5b73c0e80a970ebee6261a636cd49ce56064301e574939

SHA512
4c25740a9b02997a26ee070f3f40da4238b3e438bae14231fcd23c9d4316b5510c7030ca3685a2601849161251ac71cbadfb35e2c7bcec99dbfb3f6da62aa4dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
34KB

MD5
702c68648d0f1e822245b75ebd65af31

SHA1
90011f81a1af0523a55fdf89365c71604b678358

SHA256
5b7b81dd73fc31063fdbfd9f30c11820d85617c63fd0487ffbafcb1a09a2a46b

SHA512
365f71438102b309b5a01fb38b55a9f5b0fd1c3940114774f723553b5c9b49a41039a4e93c0538a0823edb19d95d10ca64a1ce7423c30a95505c57f7cfd915aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\datareporting\glean\pending_pings\2b4cbea9-84d5-492c-8b55-f92d111740cd

Filesize
982B

MD5
b86a037750a7f77d381ed4594cfcd8ce

SHA1
e6a1428944426741a026919018c1b45e2d94af56

SHA256
46135abcb9d12695b26bef94216cb3a3386f6aef1d47bba751e322c35c3e52ba

SHA512
764b57f18e482cc1ace79142f06beb3cf9fc21ffdf0062263d762e80b8e26389213bff730aee4089d54450da5207671f3c570d3b473a60f48c4745efec08f25a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\datareporting\glean\pending_pings\5fe1023c-2cf5-4f5c-8e93-28f74f8c536a

Filesize
5KB

MD5
4d7cd2dfbd0f73e97027fa9f2ef03ec9

SHA1
2867965840cccf38f80fcee1d6c7089c1554174a

SHA256
85fe8d2d2f0550a19d6d85461f9ec1d128f5a51452d783a702cc2d59f6fbb2d3

SHA512
a7d30dbb86ec2557ba98b4258321e92d02a2881d991d1fc29cd55d59c8e6d1432c8a4cddbadb3d892d5fda8f55e53a5cee7736c73da8913ceb4ba4b162846974

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\datareporting\glean\pending_pings\9768d7c9-7cac-4298-980b-752c521ab257

Filesize
659B

MD5
b4c75824cdf18800ca685a1c3470acab

SHA1
e8a0339d623f74c9688eb20f1771608b12d673c3

SHA256
5afe4b060d420506b2ae220e2bc613c88a843ef26838bc9873e7a622e18d6ac6

SHA512
5690ee04f7b6b0239e58142d1c04b5daa9a85f8488b6a04b6bd2247de13034b7ab7f9c8610b88a7da770ba6fa47c2119e5dc8fa759ae961f06a611558033b309

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\datareporting\glean\pending_pings\fd6c5c61-ec5c-438e-8e43-fc3b284cbc11

Filesize
847B

MD5
74ec8a64cd132be89151c5e3a2593344

SHA1
88aad330da12bbc4ba7625c61c7e96183ef0c171

SHA256
72bf02e139ff5ecb0837fdd71bfbae0c793604886032e3e1b643f311f9b90836

SHA512
0ad4951c1181f393654ca5635536fefe1cf9353939f07706131d46488dbe86944b03661ae3a47d0004750015c18342f80766703c3dee39ad8cd2fe0d1996a6db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\prefs-1.js

Filesize
10KB

MD5
85dfec0a92d5d10ed21aa81d4fdd0d4f

SHA1
c1ab4decbd719bc534bd3b797153494ebc20fa42

SHA256
84efcd4b2b8f873d578536295ec40d0d953366c9ac05f86093edd975b015099d

SHA512
8b5d71cae641d8334fbd05c7c13b819efbd062ccaac1b94d937cf09c99e1e68f25604958ec6de04b4a5e4b68d78daebb40587f0d08abd03dddbae18faed9d400

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\prefs-1.js

Filesize
11KB

MD5
18a415796ba89f97cada77bc609ef9f5

SHA1
a81d4de4dff3a918d01cf6382e9fcd16e1acac3d

SHA256
6c87f1e82164a1a8042477b053e1f3066586164e1f914a1b4b893f916d7fe561

SHA512
2396371cacff372acd43a9c6b85ab2bc9991a9b95cbf4a068ddf28ac67faaeb43e422fc874c92260ca05f46a8cd1b72c3373704344e2391cb8c37d604b3855ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\prefs.js

Filesize
9KB

MD5
8e37e4cacfa8a320bf907735d8a7cf75

SHA1
4960bce6e85dd7e9169d2725e7a59bf6212fd671

SHA256
666482384e50140f583900a76c7d5ee9472235fa7ab690e5e76b28695c32663a

SHA512
59b6373f3b96097842bfab25eb001cfb31e5473688244635d2e8d636f704a547f4a6008692861a04d587e8d0029f22c84e0bf387e37ee59cee6781daed5b3b6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\prefs.js

Filesize
9KB

MD5
cca709c59b54e534dea4bb2a4febe7e3

SHA1
da4ab61ffd871d655f1ef1dfb58ec4d66b8b1bdb

SHA256
322faf9563a9846f66d77949a7275c806dcd35cb5b8ec9b55e7d1a75c9b57e80

SHA512
415ff7f1c1f5c949a929aeb1cfca76a6c2e72a9032bb9358198e128db67d6e971f28d5dd95d3955894a827cac5b18ddb0f0c96496f7c4749e07608c6d02c0f66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
3d28d38a95b39fe290a37af0ee9f87f1

SHA1
399a2adb935890f1630563c29fea008edeeed8f4

SHA256
c02de7fbcbb9b79e8871d8b2dc474027b9b30915718905687e574ab157f9ae78

SHA512
be76389146e8df39da161779e1e28db1b392bcdbc912ec0079c95dcd5d29dc313b84cca6961bfb00e4eee70514aaa0a83ad3a62d09f96b35642a7f0b76eedb73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
f01d9d4c5bc52eee570c4e5ba6ac860c

SHA1
ae7888aac55b5b1ed724e047e616460d6321b5a0

SHA256
c7341a2553d691c2ae563fd8396a54c379458a759ecb243ea7a8267c51d21d5a

SHA512
ff39739df4bce988e0f5ec5b7674db7f9c70a2f3e0ad2f12ed20b29efd39b5f8b8cf9e70e32421bd019a8a01cf2adbf8cb6e5f671801bacf54b3a54e37492e64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
35KB

MD5
ddd06baed0cfbf78153f8142a5637cfd

SHA1
c6e6aacc28082982911480aa119b3697c8a51ce1

SHA256
641cb2610db8794590100c3a9b91c155a9e9bc1ce903490dffdefba20f3046eb

SHA512
ab551b0288e9b8ff9a66b02df969e90f4c1a3588163019ca94e2f807bd342bd4f489db5922a8310a38cbc6849c29e8cb9286c71547f9dd25613c0bd394de4f62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
32KB

MD5
321b02053f2d769481b3a86473550af7

SHA1
0eaed3ccb5170a4cfbef5b32587e859397873236

SHA256
831ba2a197ac461bb046fc029b05ca13704e85d3c4c188ba066340564b4df20a

SHA512
7002832a472372c9b86273ea42862d7aa57e9884103c765a766d89932734fb82f6e5959a9468b59215d83cf6b781ef11594684e64f20aa6da2f0476390500615

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
40KB

MD5
9fba87d423dbb1728cb6ff9e6f83d509

SHA1
f78ef2098700d0e0d610b04253f67095c52f0522

SHA256
de6ad4ac6d89fae770d4dd56c858f052361a97b80107ff357568829d5cff5bbc

SHA512
1f3cbb6a2fff81411f3db5465b33504324c1bd0b581e1f82617b2b1e34e2effe548973797a95428b1b4b758728c49e1d398c92865afa35083451b709913cb526

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
43KB

MD5
1d8056b49978527e780969d53951c65d

SHA1
594bbfed349abba7d5226faffde8cd959ec9df5c

SHA256
3dac372f86bd7c56e7180357b76d36deb91f4bd8e0fa0a36f374222c2959f575

SHA512
5243a3a9d8f90af080f467b8ab76f4147ab1e1c9662b87e13c9e686a36abf1d77f688fc8203c0b81ec1b8bf8e58ed402610642ea08a95bf3f7c54243cbd15526

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
f46476e81e4ffdef02323366d07bc6af

SHA1
4da09cc47b0027c11ab15e9c67f1037a58717a3f

SHA256
6bb4e3baa9b209ac23f91c43b242f44c5097af69834ef494964905150a22ffc9

SHA512
2e1036de3b232d43f082ad7dd4a6009986123f6941b7f7f36615dc452b9d1ff9f84a841cfeb8cc049a3b222ed76f87fff9f676d1a6249f619759ed66a574f276

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
15KB

MD5
67ca60df9579516ae08c766103cfd913

SHA1
41c1498d152f9b432a01850f92ff9245eb510d89

SHA256
8b9c13dcea489fdaf4426b470377616302c0b319da32e7426d8390fe14843a20

SHA512
03fa2f9b84e96ff437eac22fdd898009de021cba8264b066a7a3ee83faa79aacb370cea5d69c5473cb422a3923a2afc8d96f3ccadd03f9526e04dcdee712c592

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
f563f5a3398dfd616c63560705c11e7f

SHA1
f7fae1baadb82e2cac3c97732cd9a6c75028c78a

SHA256
ad21673478768f8c5a818e666c537bc599861b79ae6924566ae2902094ae96ad

SHA512
67ab41192ebb88237027476e871b04c7a931e3585b2901f391bd760d34abff2878cdf2a11ac4cdf11e6262c6efdc30c8e4fdbf6daff6610059fca71953288603

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
36KB

MD5
2260751da9fddfa56b3320dff8322728

SHA1
dfbd33b03de03c6004a0fd15666ffa289dd89912

SHA256
e63f95fa9e029f7c4b5ace681a3898f1b51d666ea55c3c28f31418b825ccbaf8

SHA512
ed83a3d9b3b943a4bb910c225079a6469648e481d3a84f0299b49f57b460c4f3132e653286691e5163f8c00f0f424f688aa0fa4b75e6b8ac2862b85185990691

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
39KB

MD5
9043f2e0db146ee61f723a5ec57eef3c

SHA1
fddaaf46a44ac86211257384629db78feb4b8290

SHA256
46aa19028021df7cb9ff40d625e6069fa63293ce1021099d3579a3bbafb6545f

SHA512
cee7d2a585f9bb7dad015667e7d218bd3010195847ab4649e6a455d7351edb47e6a199ea52cb345f659daedd3880d7fe5ae6f8f9614f161c2dc539f75e632c3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\sessionstore-backups\recovery.baklz4

Filesize
44KB

MD5
2b8ccf813453e7a10b3285f86401f422

SHA1
5e453db794d9ecc26f9a852367d7a3e8ae0e7542

SHA256
b925d4f0874c130c8a3095db5b4ef8af7850f3db7ebc7fbce752bc438cefe541

SHA512
6cdda75635759ab7684d5917991b7c7e3cdd2750b1df5eec17180b14a8c38e95d8e3ff5e41323a48994d30864a59818bb535fb6cd27a6ab9a2f662eefbaa9b84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\storage\default\https+++www.youtube.com\cache\morgue\31\{2d82f5f0-5702-449d-9508-2b15a1d1b71f}.final

Filesize
258B

MD5
d0d1672cc7d147f9f802ebefdb01e914

SHA1
22ed7eb147f695ec1df8ae6f43cb7787dd0ea652

SHA256
62efa98b135e5ef8779b99489ab8200b60026a5b1000ff3c997f3be230febe2f

SHA512
7f8ef8af3f57a6aab90ccda6ab1079e43630de11d14a780786a1b0f1ab057d7cfd5ab512b53ecd8ddd1bcc669fa56a0c260b2df421db64e3855dee7d63251a68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\storage\default\https+++www.youtube.com\cache\morgue\78\{f1819338-8ff5-4cb3-b73b-8e74b3c8f44e}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0totb4wv.default-release\storage\default\https+++www.youtube.com\idb\462978050yCt7-%iCt7-%rce1sfpao.sqlite

Filesize
48KB

MD5
99179c0ba6f1f78b24adb660d4d0cfc3

SHA1
81d6f31e2e83775d458e41d0bc355d56157e7a86

SHA256
438c3b0094888ef639515584d6b5154b40294afcd5f8ee3799860bfdf0844824

SHA512
a387b58e90d4ae17962b045375efb1ddd444a6530156b242c030239122b1fea11d756385fc1a42e0dbce80b9e0c44827d3983a29a495c5ee103ef311f7a78304

Download Submit
memory/2160-55-0x00000000728C0000-0x0000000073071000-memory.dmp

Filesize
7.7MB

Download
memory/2160-52-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/2160-56-0x00000000728C0000-0x0000000073071000-memory.dmp

Filesize
7.7MB

Download
memory/2160-51-0x00000000728C0000-0x0000000073071000-memory.dmp

Filesize
7.7MB

Download
memory/2160-48-0x00000000728C0000-0x0000000073071000-memory.dmp

Filesize
7.7MB

Download
memory/2160-46-0x0000000000980000-0x000000000099C000-memory.dmp

Filesize
112KB

Download
memory/4376-54-0x00000000728CE000-0x00000000728CF000-memory.dmp

Filesize
4KB

Download
memory/4376-53-0x00000000728C0000-0x0000000073071000-memory.dmp

Filesize
7.7MB

Download
memory/4376-57-0x00000000728C0000-0x0000000073071000-memory.dmp

Filesize
7.7MB

Download
memory/4376-50-0x0000000004BD0000-0x0000000004C62000-memory.dmp

Filesize
584KB

Download
memory/4376-49-0x00000000050E0000-0x0000000005686000-memory.dmp

Filesize
5.6MB

Download
memory/4376-47-0x0000000000270000-0x0000000000292000-memory.dmp

Filesize
136KB

Download
memory/4376-45-0x00000000728CE000-0x00000000728CF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads