xehook | 054a9202452171a072912fa08498330319e6a27b4510e344c73721413896504d

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-03-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

148KB
MD5

13cc6e125c5d23fa2e6ee3159abede95
SHA1

3ebc3644fb453dbf330e6880fb793e10f5cd34a4
SHA256

054a9202452171a072912fa08498330319e6a27b4510e344c73721413896504d
SHA512

b35b0335960ac240dbbdb92f8456abea09ea063b7233b4de15caa99fd7194c7a588bc70663a394127608b10b3f26f99f91c9ddac4fef526cc3bd62e60eda436d
SSDEEP

3072:1euUEEhq+IB+NFzat1Hen5NoBwA/I1qab/n:fG4+w+NFa+3oBwA/I1qa

Score

10^/10

xehook spyware stealer

Malware Config

Signatures

Detect Xehook Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1288-0-0x0000000000DF0000-0x0000000000E1C000-memory.dmp	xehook

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2452 chrome.exe
2452 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

build.exechrome.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	1288	build.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeDebugPrivilege	2616	firefox.exe
Token: SeDebugPrivilege	2616	firefox.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2616	firefox.exe
2616	firefox.exe
2616	firefox.exe
2616	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2616	firefox.exe
2616	firefox.exe
2616	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2452 wrote to memory of 2224	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 2224	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 2224	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 564	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1044	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1044	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1044	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe
PID 2452 wrote to memory of 1552	2452	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5cd9758,0x7fef5cd9768,0x7fef5cd9778
2⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1320,i,894746455446705318,14060770758218614049,131072 /prefetch:2
2⤵
PID:564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1320,i,894746455446705318,14060770758218614049,131072 /prefetch:8
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1320,i,894746455446705318,14060770758218614049,131072 /prefetch:8
2⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1320,i,894746455446705318,14060770758218614049,131072 /prefetch:1
2⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1320,i,894746455446705318,14060770758218614049,131072 /prefetch:1
2⤵
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1528 --field-trial-handle=1320,i,894746455446705318,14060770758218614049,131072 /prefetch:2
2⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1384 --field-trial-handle=1320,i,894746455446705318,14060770758218614049,131072 /prefetch:1
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 --field-trial-handle=1320,i,894746455446705318,14060770758218614049,131072 /prefetch:8
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2616.0.1875603733\1138364419" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1248 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {812a47ac-210d-47e0-b6fd-7304c781e1d2} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" 1352 44eb158 gpu
3⤵
PID:1812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2616.1.1189726213\84165942" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30175e05-31e7-4136-b53e-67b1ba8d5d21} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" 1520 4041158 socket
3⤵
PID:2796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2616.2.507909090\166466573" -childID 1 -isForBrowser -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20933 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06858bd4-4740-460b-aeec-fe1bf4475ba2} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" 1116 1993eb58 tab
3⤵
PID:1564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2616.3.1949550120\783755702" -childID 2 -isForBrowser -prefsHandle 2668 -prefMapHandle 2672 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b2e73f6-3e83-4e21-b1ef-f0654bfc165f} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" 2688 16a10a58 tab
3⤵
PID:2564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2616.4.2009654970\1082287724" -childID 3 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {961a10b5-1769-4666-b88b-c430fa24af5e} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" 2924 e62258 tab
3⤵
PID:2700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2616.5.921955189\2132378740" -childID 4 -isForBrowser -prefsHandle 3712 -prefMapHandle 3724 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63b3a84c-e051-468b-be08-5f2723f52690} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" 3744 1e39c058 tab
3⤵
PID:2496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2616.6.1208670405\1480569342" -childID 5 -isForBrowser -prefsHandle 3844 -prefMapHandle 3848 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b07b6b8b-49db-4286-a9b5-455525517ecf} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" 3832 1e92be58 tab
3⤵
PID:2240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2616.7.1611249961\1507777697" -childID 6 -isForBrowser -prefsHandle 4020 -prefMapHandle 4024 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {280a5934-a296-4573-81b7-86da82775d6d} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" 4008 1e92b558 tab
3⤵
PID:2856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2616.8.580674106\206516396" -childID 7 -isForBrowser -prefsHandle 4268 -prefMapHandle 4376 -prefsLen 29485 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c76308db-b3c9-4233-bd23-c489afd2d3b3} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" 4340 1f728d58 tab
3⤵
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9e37d6a0-0813-4314-9425-49af6d1fe338.tmp
Filesize
259KB

MD5
40a0875e3e10e3f1f4f6a5d4a061bc4c

SHA1
87578024ac4cf7ee13191ab8e67cd4715c0cb439

SHA256
365535d557f217ca1c7a65f2c203d75a17b1e442893977854c77a6cc5abec210

SHA512
5a1b1b1dac0b8c2c5cdc10dffa4b411dc7ba9db14e312a493723f52c302ff08bab92b563a2909fe590f916673fb34837133a39b74f47f283efbab5cbd0fc3b2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
b1bb143f65ce0031404e889759442678

SHA1
89c0d983cc59781eebeb22cf2ec6658b898b361c

SHA256
eea7b7c98461481a9c1fe23ce6f33a5031b471f52b7ba4597ec21f4c9b8b5876

SHA512
34f2134f929eaf71ddf19f903658186d99e67b6851583500b6aad2689edca94d73b461d22cfb603bee8c8c6aa48c493268fd518ed5e43d9c39dcdb9470d39f88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
259KB

MD5
419b493bb2fb27cb5c09d9dc49cb6732

SHA1
558d3912e0c2641723517dff12b73b37bd603a8f

SHA256
4c1195103de74c21a065e8a714c2641e191bb487ebd91d5990178e3c7ab5a7f9

SHA512
7cb991c437d9af1a3fab56d131f42f7b554456b04271ff5ca4e0842b2c8da3c4e433aad8073b19bae3c99cda5a362f16ee2cec645f238202e48c436ba0ab4f24

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\cache2\entries\A72798DEF4F924983D5A0DB82D383C613B515FF2
Filesize
13KB

MD5
9bf0774b7f588b70c471196c836fe477

SHA1
c775454b07fd6b49740a633a38fec97a79105391

SHA256
21f62099dafbb97e8109de88fa9e209cae04b63092ec4e37bacf8b348eeff0bc

SHA512
b1c568ab071881974899ea85141187ecbe06f2bafe2093e95c3363dd293fc776d70878b63ffecfd554b516e2952780f2c3ff9eaea02e058d47243a27d0ae14e8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
Filesize
9KB

MD5
e4d0c14430b017eb0cf16cf3403fe6a9

SHA1
b8dbe3428f4f945741e719b2419bad4454e70d17

SHA256
7b88442a55a734824da33d5eb5ed26cf24a03a1322d1f17b7e3da82df11e714b

SHA512
fe8c2e987d6b16f15ca7ba396f2e30b7d7c7abbd0ea5f270c1b218f306b08c05de9289624cac0a8411b6ae42b3bb6501536dc08c2b94a0dc0556567e15735aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
3.8MB

MD5
032bdc427e8b201410f3a06b4fff2def

SHA1
bdd4d09fd6bda0e1e5a140ec73744dbed95b8464

SHA256
00c4dbbd5c656ad628480923134e0d3cc0dee3b6fbf0ec86008f0267c25648e3

SHA512
2299452398dd42782807268fba325218c261e823b22d2f856b3eb30d945a00ce6c995a35dcaa49be173304dd5723b67719d09be92c7426a00b920244f753e68c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
9328d489e9095713ae74d57ce882a4ae

SHA1
0204d30ee0c0c5e96efa64dd16ea70992995120a

SHA256
6709374e5eee9232d78c9a76a6dba518bd2a7cf342fc927751e4f4f272942d73

SHA512
6b4240f0758b5fbdb980fa7e68e56c15db6a77bf28d99b775c45a570ba8f72de56b23b66b24c8ecece4c8931221c7238d4dba12dbd4498a13ea9f56419319dd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\pending_pings\2bb3d619-4478-4201-8171-496ee33b4d48
Filesize
745B

MD5
2c40e998b0ed4d784e2367fda85132c0

SHA1
76b9519007242857fa9e412f0c96663fbca65f68

SHA256
754ed13fc4c20fcee90064b4520af739e6fcaac959d28ee676e8abe4547cd214

SHA512
cd75e99f01bf034f2fbc7a91bc82d7eeda8d16747865017592ba9f5b53fc66fc1caf0cf1d154f45484b5d3750f82cbc56b0b4d9e38a9c6c9c52359f746f1f762

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\pending_pings\c4ea5713-1764-4cee-85bb-4cf4414fb8ff
Filesize
13KB

MD5
fe3328c10e78c1b781a5547d4e581045

SHA1
e2bc3eb432a0540d40dc81a2ec73bb22b12b162d

SHA256
ccfc16b65efb9605bd361c27657342fb80542abbb48fa0b7ec61da9629908465

SHA512
db45c041bdbb0024ff746c957d35fc5cd19c089a9f16f99e62ad3b050a5501d043d7c22fce1307aab5d2ed1259b85b719ec76841b263b1984850d06ba850ff9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
2.4MB

MD5
6ba73eed03672cd18f13a22966116689

SHA1
ca3ffe97ff0c2f23b621786d4bff7283f7703384

SHA256
48bf18b5a9b570027e702ee3ba58c64cec350b4a9eb578d1ace572c5ac60f2b3

SHA512
fe9e9828b50a26ae4f5c5cef3be6a0585c42f7185c58e09c51488df656839379e196fe3b7c5bcc9360176415bf3e78fb9a62db0963b576af1536f3aaa90571fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs-1.js
Filesize
9KB

MD5
043e5a9cad6f7a0a7c25d152c71aeb1e

SHA1
8b3415cdf06996201086b92cdd0438fdf4e381cf

SHA256
b13a6d64a3d5ff21b6a05865b756b8d859b4822dccb8066f64261ce0e17907e3

SHA512
b1a2c89528a77558ebb7c0e9afb161198245a687e73512727c2fbcf16745752ce62f9753c5f4bf2b438b7a954dee3bdbe82ba982e6366ab983585daa191ad866

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs-1.js
Filesize
6KB

MD5
1e8d2ae70a4c8e53d02d80a32defd859

SHA1
0543df1a6d236cfe2669222848951935cb2c62eb

SHA256
ae8edbedfa47f4cc6c3a3aefa7bdca08973de1ff7452104a7f69ccdffd3ab968

SHA512
f06b57632ae4c1a1b0b152ce206cb4c04f45a081d8051de114e582a9e5d3d9fc343e5b0104875d6456131ec149a6a100f7d2d3239518d1b1ccc848a4c7b21970

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
0e3e28c516e83f77d27735ac0aaf74ca

SHA1
4f7602f337e7e917b3dfc13b4a651911815b8b63

SHA256
e42b45932e85fea18924a9b7850d3d5d4ffd63ab865bb2e8e56e0237c4a1456a

SHA512
326d259541b0cbe72a5105f980213d5fbefe741bfdd7119b91f92b71707dc4fbb4339783dd15b75dd43a5985097d869b813cf9a0c0020ba50a14ceb4847caaaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
82056dd85489b9b953fa0610d39d59b5

SHA1
5d23cadda802f8fe00a3cb148d54a86a4775ab21

SHA256
72f92d28c2d50d6188213a94cb5f14de9411b79843ba582f2ed381358a641063

SHA512
c01b68f997ee244d63013a66422c4be4b5c1fb994211b6a726c6475b84759b8d7de0302d30b1febc9cc6687dcc1925307d9ce958cec56f6b3cf017be1603bf6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
1b862ca4528b87b6cc5fb7590d474d5b

SHA1
842ded3d2db84968639e4c4e490498115c2b3535

SHA256
2281d6df3bcdcdbaa6d31643dbbfbd83eeb409e54b4fb063dbcc49274ec120a8

SHA512
4ca15dd1a0580415367ac1e4529b70d0205551b7859e73bc032f0540ccb7f70c76aae7af39c7073d3a15da1180324df54e098c4db839c47b57cd83dfb954c49a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
707528c2b3b84b69df5adefb8740e0da

SHA1
d0aa281cb50b6e8b5acbda26190e14ffdd3db8b4

SHA256
3ae290d86b89564557ac7fd5418a81b045dfaebfb15d66b3740a3608dea490ee

SHA512
75348d3689a2420e7681ef3b924d90cdcdd708ad0d243ca0de665bec6449ac6b8ccbdf2ea6c66aaaa82f04c13516c69feb7901cb9301d817388629bfdf33d142

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
3.4MB

MD5
08af5fd8b676c7ca0b7c1ade3dc08c6f

SHA1
36f033c0b8b623efd9faa1bd7d27b904dddf96f6

SHA256
8c442f006b724f037fb0d4b88758199a246ed979d614baf26e51d7138e8f1540

SHA512
1d141b75c8bc259e52a746a090e004a5ff29eab4379b1461c0eef28506505d1a42a061d68aa6411780c48b727e9a3465839361d0b113949f0c9b5c6bdef5b36e

Download Submit
\??\pipe\crashpad_2452_WHNJKCYRTRHDVVTQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1288-2-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/1288-0-0x0000000000DF0000-0x0000000000E1C000-memory.dmp

Filesize
176KB

Download
memory/1288-1-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1288-3-0x0000000000550000-0x00000000005D0000-memory.dmp

Filesize
512KB

Download
memory/1288-7-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download