6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1

Analysis

max time kernel
149s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
22-08-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
Size

1.2MB
MD5

8ee8ff6125b9ba9e15904693a8ababdf
SHA1

1fa32fa06402d7c4b02e5ced6689bfa2a9b7f8dc
SHA256

6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1
SHA512

57c052043b073eebc9a6f529f2da19a7dea3a8e8c1a23a60467c152e0dd271492cecac15be153700c93bd13927bfd87c2c7fbaec9f66b244ddb3e67040489c37
SSDEEP

24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8auH9y/ChQcW:tTvC/MTQYxsWR7auHWChQc

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	424	firefox.exe
Token: SeDebugPrivilege	424	firefox.exe
Token: SeDebugPrivilege	424	firefox.exe
Token: SeDebugPrivilege	424	firefox.exe
Token: SeDebugPrivilege	424	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
424	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 3444	1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe	83
PID 1128 wrote to memory of 3444	1128	6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe	83
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 3444 wrote to memory of 424	3444	firefox.exe	86
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1456	424	firefox.exe	87
PID 424 wrote to memory of 1576	424	firefox.exe	88
PID 424 wrote to memory of 1576	424	firefox.exe	88
PID 424 wrote to memory of 1576	424	firefox.exe	88
PID 424 wrote to memory of 1576	424	firefox.exe	88
PID 424 wrote to memory of 1576	424	firefox.exe	88
PID 424 wrote to memory of 1576	424	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe
"C:\Users\Admin\AppData\Local\Temp\6208aad8a023d9030a30596cbf5f7209078723ab5f800384750e352c0b05d9d1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f63a6b52-4921-4bf1-baa5-dc6de8561197} 424 "\\.\pipe\gecko-crash-server-pipe.424" gpu
      4⤵
      PID:1456
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72b44b06-ff63-4e3f-9c25-ed6e3fcf7441} 424 "\\.\pipe\gecko-crash-server-pipe.424" socket
      4⤵
      PID:1576
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3168 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a000d1a-015a-4bb9-a08f-652f8819a486} 424 "\\.\pipe\gecko-crash-server-pipe.424" tab
      4⤵
      PID:3684
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1404 -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e20b2016-ca73-43fb-a4c6-f6669952eb2c} 424 "\\.\pipe\gecko-crash-server-pipe.424" tab
      4⤵
      PID:2456
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1448 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2752 -prefMapHandle 2756 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba4533be-55b4-40a8-9131-bb7d9c127413} 424 "\\.\pipe\gecko-crash-server-pipe.424" utility
      4⤵
      Checks processor information in registry
      PID:2132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 3 -isForBrowser -prefsHandle 5552 -prefMapHandle 5548 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9065baf8-f5bd-4c05-ab6f-67df1be89401} 424 "\\.\pipe\gecko-crash-server-pipe.424" tab
      4⤵
      PID:5652
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5721a05e-e88b-4117-8872-ae9684fbfaf4} 424 "\\.\pipe\gecko-crash-server-pipe.424" tab
      4⤵
      PID:5680
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5892 -prefMapHandle 5896 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fffd61b-2f44-457f-bccc-678a794944a5} 424 "\\.\pipe\gecko-crash-server-pipe.424" tab
      4⤵
      PID:5704
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6268 -childID 6 -isForBrowser -prefsHandle 6264 -prefMapHandle 6260 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee3456a1-033b-43f2-9d58-015c657a0b1d} 424 "\\.\pipe\gecko-crash-server-pipe.424" tab
      4⤵
      PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

Filesize
39KB

MD5
d832cf7fe290e4e11eaf997bfcb8078a

SHA1
8de3808505111dcb65c6ff7f0218445a83f289c6

SHA256
cf5702a8e23616a4e0dc846e2f4ecd1dc9f4a9a691985b546d45239323a64ccf

SHA512
fe1fdd3262f9ceecc36cc41d0d31737295e459fcc10fa619ba61dce3b8c7082a4b77a2ddbd55d20d9ddcd0f6f527e8a855c2b1a2eb312f951edfff5ae15d572d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
ca7af11421e3a016acda96854f8843f3

SHA1
36e4c79858008ee5a9834b62127dd6eaf1f3c53b

SHA256
f5df3bab2085b4518870f0210471a070400845f70a49dcf1a68e3222a997fc94

SHA512
a45c6adb87a1018dd9d87195252f5d06b168d9082b469e32000cbc67ebb1069688d932b8fc0d224ad24b3762de2f418d7db5a403fff44daf8fc20e0e7e19db7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

Filesize
16KB

MD5
33f7698bf857090650ac099bb0d6e9ea

SHA1
5940a27b9574c6c8bec09dd0e77b92e05471944c

SHA256
4f57247cc47a4169187f40bd9d829ebeb434212e6803518c47d2da5b288dee8b

SHA512
a0d7bf703fedbba1427ae1aff3ee2797bbbaff2da875178eb4f0e67d7347e48d3604552e1e2d433ebda90fb2560cbe8489e909d65891245ba674640b3f8b997a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

Filesize
10KB

MD5
96e50475ab34935bf4a92f0a000d941e

SHA1
ec11c67698420b88cba64724ac472a27be736d73

SHA256
f50d67015b37095a563638aa577e2a3511be2c5fd8336e6c4bb1a416dae1fd8e

SHA512
555b376da81e52db2fd9352342ee72502268843a17df0852b0db097f9e7e96f2366642067a52928caf8b048b2631320653ec7d131052d07b9a91e156a4ae4981

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b3433f8a9fc97ee1993ddadfd6119e65

SHA1
a5580d91c94a53f4f4b35fba2fd7aaa4c449d91e

SHA256
0a2777ae4e732b54958ae3bb382fcccd9cb49ded4e3b6402f3afc1cad2456846

SHA512
a352dbb603275caae2e5ef4128dd22f7ff22741ea8269d1440bd3301931394547c45181c042a7ccd711bef6b6c5ccac4954f2c469c9dc6b8c7dd2bcaa1b74403

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2ecc8d2c420cfab18bcf3a05c4cc8d40

SHA1
4d57b0a05a07b1b6159b7d82f659aabe7c4e6edf

SHA256
70df8b901b82fe1103ae28b16cb3e8177d4f4bf2c0dea149d57d53ff3140a1c5

SHA512
f287c784e0fad1fba7110b48637323d2772f0cf12de956cd67e8aff12264fa5ee391654476efffae89a5587e4b507f746bf6c00fc93a1fdacab2c732bb9b703e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
ee3ece168f62f64980bd542443cb2946

SHA1
3b0ca5b59463d21180cc57cd6b8d8139ecefa4d9

SHA256
938e82b10b7cdcbcd5d58d0f29ca25a40595a8ce42a549744031d04421628186

SHA512
b12d85430f4f90f4d54d75f3ab939c433b5469b7f8bf88bd88eb527443746b0e79fd3c6fe81e90d61900a988ce1fa31ea0a76bb37d0ebbdd79699d1e1edb2fb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
3d130f3fbd4522f85b75977e66bfaa9d

SHA1
56e19d8a8acb3965b1d7a98668dad79e61c0995a

SHA256
e26b360ea5535bd2a1a997624987591758c664c1db8d066fad361b1d8be4f422

SHA512
a7990bf29a3642896e611421a02876a06813859f0bac633798c0838a0de7bfba07d57a565c81a369688caed14a560473ac87e6117e4b4080aadd61b1d429925d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\58f4822e-c7a0-41ec-a4ed-d8f6c25c2cc2

Filesize
26KB

MD5
78520d0a2901e633bb7ae5da818367ac

SHA1
0c6f6d41d3c6f754b68590e6991a6bb2eec0d3d2

SHA256
506c02dd03899e80191e9d24c789f2870ba740f4e7c94bb3708ae88fe67af1d8

SHA512
23ee955497b3f6725a33d501128d7760cba9a39dbef6d3db1028a37a9d42f93dc383ab36c645ea8354b741c704e993b0d9153df31a615225a3088ab28115d70c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\b28cbe33-db6f-4164-8cd9-afa4e8de93ba

Filesize
671B

MD5
6074f1289bd9cf4b66c0ceaeee76be8f

SHA1
ddaebf834d72e92506050b6580479a804af3fc14

SHA256
5b4ae77f92f5b5e6f343f8980d339823bb7ad2633a13a33a617e658129729ce5

SHA512
e551dc953f6de618955739c6e862787f13c2df5caab0cfd3e9f9d85ad2afdc89115b90d1fcb42d03ece4bc6cebe83c21b3ab38bd1717f3897130901a38af16ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\b36c10c4-17f1-4083-826e-f0c3f0b4aace

Filesize
982B

MD5
63218dcf889add001429e964283b6372

SHA1
4f5b0fdaf88b885d70fdf5ff9296e246f4ddda00

SHA256
900b9dec7d9e9282da75bbce08c86f4459315b1bc302442d7618598d24941c65

SHA512
c872b4955f97a9b029f220adf33bfdb7ea9de71a78be622b1d6a3bc052bdeed46b729dca09ee6feee327666d0576265cb6ddf78349715a7c53527d0f5c6fbb78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

Filesize
12KB

MD5
be59e4cd8f69353448f3f5eafd245348

SHA1
903365b5a2ab2b74ae50aec2b2d0e7f013a67dbf

SHA256
32312e9944c091265414a6b879479bf53d498c2f48e7d2103470e157af6f81da

SHA512
8c07daa25bf08a624a178a2e40d1cf8f493d322da0a860233e2864389a27afe8fc42f75ac77c3fc1dedb152ededd37a5a19fe50bcc924c2424a09cf7df31dce5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

Filesize
15KB

MD5
746fb1170b8180e79265386366d89278

SHA1
fc4fd63f59cd81d5ce62a4461bcd1c47bf3bcab9

SHA256
41a7845144d1f8e0ac9eda2c335a6951819a6bdbd3adf011dcd7eac40c4165e8

SHA512
0303e9566bd0ff447501cca52da8078c27c947de101bde951d8debf75e056d20270f43f9cd4cf56b4b3dd5a764015c739a98ffa7229bd075eacfdcb3f7ff4109

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

Filesize
11KB

MD5
21eb48a28e631e9d621da5e4b5f2180a

SHA1
b58adc9b35514975d4bca2316426f09f97debe99

SHA256
4e73709cce59620878a5ac766f512eaef603329d979afaef68ac9c7693a0087e

SHA512
f0e68b9e256f59e36e8d9624c3bb926478a16b5afb21b4077b3e2db361f707682eb30365b87a2adeb4a3405d46e602a32c0a0706871d84c03d82ea5b3320ffe0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

Filesize
10KB

MD5
8a95e3ac11a7d0fcd6c0e6efef299245

SHA1
e09543f598481f94e890db9883873eb4c3760cc8

SHA256
5a37bbd83eb6c1fe26954eb8f650e3812311f6b26588f3dec281b169afbbd967

SHA512
3454e82a5fa7c92c45d6318389af6897f5a2f03def53c9cdc201f13095c06aaa5206413b33cd148ca4bbefb973f23f41085a8c7b2bb25fd40cb46699379cb37d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
9ee2193d213f9805c30f32db0f70b8a5

SHA1
e0e53870acb8009d4947de1ee8a91557b7a076e2

SHA256
58f9aae40d11ffb1c4c50ca6f61197267b223daa288be3f77eaecde2da4945ef

SHA512
23cb54a555329fd7a7dafe3d5b6871253a3c7616a7b2cbb71fb264ca5bb88a980703634ee9455d94a96df502769e71524da37fe3344f34cd072ac9cab47f3210

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.5MB

MD5
9feb5ebe441b08372e33f69354eeec5f

SHA1
fb719fb7631c6b685caec54713dedc29add2fa32

SHA256
fe5b5876f27e7cb609b6f448f6356314064175f2b65350e6d53f3bc64e32ae32

SHA512
4a1acbe98291cdf8fb59a8400661b1020354980a8fea7a12ea465193a91eaa76009a67798f9e6092ce722c3fbe6cabc38d45213d329435ca0b9943c2616291cf

Download Submit