95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 02:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
Size

1.2MB
MD5

99e74072b62ed51d52bb381fbc312762
SHA1

e2caa1f0ad91ed7de6e1ce541601873d6526e442
SHA256

95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8
SHA512

3162e15c3a078db225310ab2bb599828afc2dad63d524f9e310b8d6f819b173bb92f4e3a39f1c3c56a8e6666476459c10edb6c1a97796042df9448e519a667ce
SSDEEP

24576:KqDEvCTbMWu7rQYlBQcBiT6rprG8at6KP6cBDjvi/u:KTvC/MTQYxsWR7at6m6cBDjq/

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	firefox.exe
Token: SeDebugPrivilege	1556	firefox.exe
Token: SeDebugPrivilege	1556	firefox.exe
Token: SeDebugPrivilege	1556	firefox.exe
Token: SeDebugPrivilege	1556	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3552	4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe	92
PID 4452 wrote to memory of 3552	4452	95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe	92
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 3552 wrote to memory of 1556	3552	firefox.exe	94
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2644	1556	firefox.exe	96
PID 1556 wrote to memory of 2824	1556	firefox.exe	98
PID 1556 wrote to memory of 2824	1556	firefox.exe	98
PID 1556 wrote to memory of 2824	1556	firefox.exe	98
PID 1556 wrote to memory of 2824	1556	firefox.exe	98
PID 1556 wrote to memory of 2824	1556	firefox.exe	98
PID 1556 wrote to memory of 2824	1556	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe
"C:\Users\Admin\AppData\Local\Temp\95254c13e5d6982b346f2e68904e632a126a9e4f3cdfb38ebd2929715450fbd8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {375c5892-61e9-4519-9d83-a5962d67b430} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" gpu
      4⤵
      PID:2644
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbe292c1-f5d6-4193-a078-3c72ae5d675a} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" socket
      4⤵
      PID:2824
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3392 -childID 1 -isForBrowser -prefsHandle 3460 -prefMapHandle 3428 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2af419b-84bd-43af-ac6f-32e3fc6f4e2d} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" tab
      4⤵
      PID:2356
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3316 -childID 2 -isForBrowser -prefsHandle 3772 -prefMapHandle 2760 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f00c9822-9469-4c82-bce8-043a07fc9fc7} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" tab
      4⤵
      PID:800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4612 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4616 -prefMapHandle 4664 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec226b61-9e71-4aa7-bb51-1f9a2df35314} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" utility
      4⤵
      Checks processor information in registry
      PID:5432
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5432 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {943cd5c4-089e-4b22-a3dd-1c9532c6b5b0} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" tab
      4⤵
      PID:5940
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74715d1e-fc98-440e-965d-9ff5edbff95e} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" tab
      4⤵
      PID:5952
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5768 -childID 5 -isForBrowser -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96143a5a-73b0-4008-86f7-b345ea5b3aaa} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" tab
      4⤵
      PID:5964
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6116 -childID 6 -isForBrowser -prefsHandle 6320 -prefMapHandle 6316 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a970334a-91e1-40bf-8da3-3b4a45bb8445} 1556 "\\.\pipe\gecko-crash-server-pipe.1556" tab
      4⤵
      PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json

Filesize
36KB

MD5
7bf3d3f9683b4511fdb34b69cf287e8d

SHA1
8929b5512b6688284d6eb4028f0ead7dacb7bc1b

SHA256
3dbffa02bf43432bdffc2320b0001949deb3cc3543a0ed2dca2be98a31d3ce69

SHA512
e989caac1ae5e721657539cce260c6c356cd2832a656bbf0e78121ef57708bf8dc923dcbc5099a6f3fd4db1a84789d2494fad817862a0a5519de2ae8e44f6c5b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
443911b03aefcaa199bebac431d6bde0

SHA1
ae782bf7e15f042aa971c234c6f23a9e805225ab

SHA256
84a6a6fa9e945fdacf0c460f22ccf6b761183b18dbab006a8a3c8a04b065bba3

SHA512
dfe942207227ec066f9abbf19bc1a97dbfe73b26e9f3dee30a59642e0f8217eaa6340156b0f5e2a2bc312513a54d43a8d2076b0fac694abe521dd77af661c048

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin

Filesize
10KB

MD5
5c5a6f49ad4310de42baaa2a29043164

SHA1
9c6ddbd3ab5aab7c14a426f85be5b99917a344c9

SHA256
a7f90c7932b53d37d0fe5eb98a1d17377b5ea1b5312eb45d2556b143eab5cecd

SHA512
1fe03f5ac4589e26fa599827301660b7d63abdfe05b338ef6718bf9084e704a7ca3fd6d8e33f22e12f300fed3734dc5295c23e25a7cc62708f5fb434e925633d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
db01aa4e8c33414b3ea788fa53075dee

SHA1
136d4863ef501fecfbc140714bca94e009ad8d9c

SHA256
63ee97db9d0ece2388e80751098fc3edf16d6d73933a2e74cead7563d8a47e33

SHA512
b211bc40831fd0c8f5a4def274462e67dc5125d1e8dcfc02521118438ca31fc94df168238e5beb117396b80d1b1c1ab2298080508d8504d3983a98470256afe8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
1acf47da1d013f04ca9059939df581c5

SHA1
74d44e223850250ab76cea8f76ab9ee2e26f3c23

SHA256
0f01837052c0bc39ea33486ff5f9656a8d46fc504e86cca1467f3cb03ca287b2

SHA512
9d6ffeb76d638d2e9186e8c7e05a8e608004290b4dbf5938ebdeb68acffba44b755fa2dedb2e9b10815d6e311a750d2c35d87f1d6fbc0283463d6a44065eb3ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
1cdd9ad6c50756817d70f2213b32171a

SHA1
d1657981d1f4cca859a674d532f48d7d0bae1a08

SHA256
3b009a8cb5ce84afa60ca013d4ede005c85561c584938893ee3971fb78302e3b

SHA512
7ccdc725a77f9c34fc0ee7efcc8dc7ec0eabffc0a41801303816cbe9dd6a439c5a6a201bfc4bc0e8f327f4d713193363f265dbffbe0ddd62183cdfab8dc789de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
467d8329e1fadccb8d67be30c776c8ad

SHA1
09eabc1f698408e907adf701638a53918bc5aa97

SHA256
964f4bd6e1ea5719ced121a1fb0b0a51306e524d9cc0e814e0cbf330eca62bc2

SHA512
20de4aa14a70b5045cefa801db25f73b87ada412bffe2da706241d7f187c0e31d8b0accccf5ba7358a1dd611c5f47940a1e1dbfc5bc35b641616ac20ab1ced63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\c5bb0d97-3276-4a38-9aea-64dd389dd32a

Filesize
659B

MD5
5db6708cc66fd82f7dac13e3053d8a3d

SHA1
ef7a565a40f20c185ac5896839d3317d3f928ae3

SHA256
e1aa8dceb6e5d9a53fbc08f733f4daeb0777ff1d471cc3b6227efe87ac18c675

SHA512
02e24bd7326131c05898388fa56f796a0d8a617eecdc39a28010269fe8aab5122c7f2887e005b84ced87812eb4f513ba64403a81b19e584d2c2e4bc85d3c5207

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\d5900a44-ec93-4660-b1a4-2609b8654e9c

Filesize
982B

MD5
62bb06d53ac63f3b3b756061828bbff9

SHA1
78585ef3261780d3d005b1949f9be47e0e43ee48

SHA256
d9cd61150d9562b3626eca4d7ed6118b898013e025ba5269c7753d0eaf485084

SHA512
61b9632a405fb969c3b79afdc6d3f5d27a3e5d9cc6d5e9918a2e9afd080fe2b5a3ac6d42f361b0fd4f96b21dbc51aeb4fabd288f433b190d49e4b77f2fbe0583

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
13KB

MD5
b02a9c2bd08a95fac66f3f0218216827

SHA1
40ebeefadfecfbb8ed260ad058782b3b2667be7d

SHA256
e5c357de40b1cebc9397214e7fc20fea3fc2893145ba394a46b5ef7229d5d7ee

SHA512
2243cfdff9354a7b73e342f392b7ec0b309bcc32d65d2f4d952e83401918f9fe3f62916424d2ab02d244144aa670fab0a0a83346f88d19f9b19e9c6cd51d293a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
16KB

MD5
b4b7f3b5679657d42e585499ad16a457

SHA1
5d73b45f8bcc093a2685d07d9f37a22a97b72971

SHA256
d77e0a66fca1b9681593a22fc4e24f07ed2c4fe7b1ceba21e656039e35daba2b

SHA512
0c72c8516e115427da2130913731bb0e738cc52b26da1b31f5621e7a61fd19efc7e0d088e97a2c05b4255c9c49fae830ec2f43b8d37ac30e4a55791c5a81ec69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs.js

Filesize
11KB

MD5
bc3a34a4385d21f32bf7bf7809d8b7a8

SHA1
61c51c128ef78dc42175c6257029b38cdd279b9d

SHA256
7e92a019ca6040c09257cf2fced4a80659e17f27d7d97ca6edf127d85ad2b338

SHA512
8189d79eb3f19d86474044575c801fb80ad00cd34e0ebc7fa4946f67e337fc60c8b249c6de5178702a82138e35e84f0de039630fed17da0d3c9e871f322d9b29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
952KB

MD5
cf854b11e521f4150bb61f68a06545c0

SHA1
0b56c6816a40ba2ce25c3cb049d7ea2b3919e556

SHA256
86f0c8cd86604c4af67d49cc7676b694658d53b20ce91b184f936a57f51e6eb4

SHA512
80982c2c45f8e364fd34e2bcb2954da43f298ded8e23fb00f3837e3c097e7c35e121d797f4ea0ca62e055bbc089c3ece2952eefbad8d0d8a23abacfa50f11449

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads