8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe
Size

896KB
MD5

2738ce21cf81c164178dfd3f6d25eec1
SHA1

215543dce12a9650d387179e7bb7233ffede07a4
SHA256

8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f
SHA512

9c4ffcdd783c2b721eb46acc8db5ce8626a93548a2d386e9108b6e7914ed8b359c24d75b9704be58449daf3386b3e28f3aac8bd7afa820561a8685d70204d031
SSDEEP

12288:rqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTR:rqDEvCTbMWu7rQYlBQcBiT6rprG8avR

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{4A2557B8-FC13-47AA-B81E-198AD3F229A3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe
3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	firefox.exe
Token: SeDebugPrivilege	596	firefox.exe
Token: SeDebugPrivilege	596	firefox.exe
Token: SeDebugPrivilege	596	firefox.exe
Token: SeDebugPrivilege	596	firefox.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe
3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe
3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe
3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe
3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 4232	3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe	93
PID 3920 wrote to memory of 4232	3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe	93
PID 3920 wrote to memory of 1564	3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe	95
PID 3920 wrote to memory of 1564	3920	8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe	95
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 1564 wrote to memory of 596	1564	firefox.exe	96
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 2656	596	firefox.exe	102
PID 596 wrote to memory of 380	596	firefox.exe	103
PID 596 wrote to memory of 380	596	firefox.exe	103
PID 596 wrote to memory of 380	596	firefox.exe	103
PID 596 wrote to memory of 380	596	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe
"C:\Users\Admin\AppData\Local\Temp\8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  PID:4232
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a9ccd05-c3ef-4aa2-84ab-85695bb1d0d6} 596 "\\.\pipe\gecko-crash-server-pipe.596" gpu
      4⤵
      PID:2656
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {434e6afa-ce49-47fa-a87a-ec1fe51a431e} 596 "\\.\pipe\gecko-crash-server-pipe.596" socket
      4⤵
      PID:380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3280 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34c4e52b-6b77-4766-81d8-09f7aaccdc1b} 596 "\\.\pipe\gecko-crash-server-pipe.596" tab
      4⤵
      PID:4236
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39f113c3-b4a0-4746-914c-76a955fd712e} 596 "\\.\pipe\gecko-crash-server-pipe.596" tab
      4⤵
      PID:2408
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4328 -prefMapHandle 4324 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa8a0d98-937d-4ae2-96d3-5f97980d666a} 596 "\\.\pipe\gecko-crash-server-pipe.596" utility
      4⤵
      Checks processor information in registry
      PID:5724
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5408 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3c8078c-7d2f-4793-aff9-0518083d790d} 596 "\\.\pipe\gecko-crash-server-pipe.596" tab
      4⤵
      PID:5292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f20a188-f02f-48e3-8af4-81182a2de314} 596 "\\.\pipe\gecko-crash-server-pipe.596" tab
      4⤵
      PID:5304
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5804 -childID 5 -isForBrowser -prefsHandle 5724 -prefMapHandle 5732 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c5047ec-44f2-4266-a0f1-3eb9ff36ef16} 596 "\\.\pipe\gecko-crash-server-pipe.596" tab
      4⤵
      PID:5316
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6124 -childID 6 -isForBrowser -prefsHandle 6112 -prefMapHandle 6092 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7168f927-4cac-4a26-8a48-c64f08a8b212} 596 "\\.\pipe\gecko-crash-server-pipe.596" tab
      4⤵
      PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3532,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=3932 /prefetch:1
1⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4992,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=3732 /prefetch:1
1⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5380,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:1
1⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5532,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:8
1⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5556,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:8
1⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6048,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=6088 /prefetch:1
1⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6284,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:8
1⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6496,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:1
1⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6716,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=6756 /prefetch:8
1⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=6744,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=6908 /prefetch:8
1⤵
- Modifies registry class
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5728,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8
1⤵
PID:5672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
46e8057655b0303d4abd1098d8c47a41

SHA1
26607fdd006cf64a936043cc92b1f8ef7440e086

SHA256
9991771d72ddaa79aba4574f23a2df9abf3695bd565142d840d8a257ba531db6

SHA512
ac17c837cb291122568c05983c91cd02cb18778f48298af19844e81a3fac6e81dc054d518161c01eb177ef8e45bcec86c2f6970ee45cd792c22da305eb13649f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
10KB

MD5
d6d9b9e0ecda2e590bbf6eeb3451a3d5

SHA1
d8cb4c84ccd9dd2acd2d1697d75f983849329942

SHA256
0c1a3f78e02911c8b380a6284e4b5a50d83a71e618a42d2c753bfe3df2da5f1b

SHA512
868808f96464840038cd8d24ef781852268963c4fad68588c88b85c095f249f76a959a1445619f5f309c4b6f1b8a8e57ba3905196b39dfc9fcea57e5f1eacf17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4bf7584677e2551e8159474b66e9b2e2

SHA1
f348b528a2061935a73142081d6f20cc82b195ce

SHA256
d80ccf8bcaa139401201649898b4ff43e71c35320896d9cd193d5a5dfad6ce10

SHA512
44149be31509c24ca264b7bc11f89a1f629848c840024152d865fb9091c3ab7f9a49827ad56f60be34939f3ccccc0821fabf16f5414bb9a92064471c6c940641

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
ea06d5f16c1f88c967a8220afea82629

SHA1
ce07562b47fc17d6a5c4db9dffa22048f91666c9

SHA256
5f57700762d09659531e37800ef50a9595357472687b5cfbedb860a7fa2c9943

SHA512
e6c0091c5582d00286f78936b31eceff484569dc2b5bf3ccb658f01f99170e20f25547d42ec365da996ccaa45d93e59d22e911ba615343cd78e0278580b08a6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
fb4446470a68f33aa0575f3d31cfb452

SHA1
19bf35ef6c8dfdb2ad259af5a3daf2d187b7ad56

SHA256
23d29ea186b74e5ffb307ad2db79c3fe8e374be06ed1dacd38b84c1665200d7b

SHA512
e6c847800ebdce9832e688debfe7fd51a85727f2dfaa456911168941ed2d419c90d62fc414eca122a4d7d51c736ee38b442190dd9ea7e5b361009a6d8adef74b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\26eee141-94d8-466e-9310-c180496c277b

Filesize
671B

MD5
c188c23e30b783e5ba4f74488227e0f5

SHA1
a9ac5a2a2dbf0dc5dd40d6c1c489d34259a197eb

SHA256
0ac2978a73d14305e7f59a4da683710b42bc43468a4dc46f32e7670830c96d2a

SHA512
3f1c0664aae647184d0b50e564af3d165e5da7e3b03ea2c4aa42be75eae645517d4bb30768abab057d582960c887ca8e2393d21ad645c78c953a69af25f3f53a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\2ee75cce-69bc-4ca4-9899-af7c5f460be2

Filesize
26KB

MD5
ea809c88f43c83c1fd50ecb3c328d99c

SHA1
70661f518f27781d4b90e8d76c6de77e413a0277

SHA256
d7b65ff1533b5f05e4c8eda890eade6a4c84aa8400d07ea97ee07dd00d850e20

SHA512
d7055d24b62c826160de4e84a615f937a29f0c508c8c8884f3c05df6691f261786dce067a6277a362fa614f2ac2102a25244238f2d367844eb65f37d1a9132f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\6024ae88-c63a-467b-9233-2d36dd8d7bc2

Filesize
982B

MD5
ca0e2c96af038e85e633671242ad90d2

SHA1
75a02994f8d854213eb45cf04b74668beb966f1b

SHA256
100eed2750821b3b61f130df78eb3c908fadf63ef0e5b02553189ba69e348611

SHA512
fa43a05f026ee3b8231f0e68adfca2fc9ef31b2774e183ddc35a40fcd457a02c0bb4eed32bf57c3570b88fa1e74b3a121e9138b460b65263f676c209004819b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
12KB

MD5
b1a2e15ad4b24145be529a6d6bf3c0e4

SHA1
00d22cab3f6884bfd9abd43df1c463d793ee5353

SHA256
03bed28d7faa3e682e0ce8d43d91a79804a951e6a3f60de1b41b74c902c245db

SHA512
347ce0bd72fa098dd6741621a3d7e65c068270fa5e98fc29ab1cc74961f3d051ebca78d32a2d46e723859242da9bafecec5bdd013c6518a62aef2dcc0153f297

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
16KB

MD5
18e6b6c806778c879839a89b96c8cc9e

SHA1
7c14794a47ba33bcd5264e600f61eff846b934d4

SHA256
6dab5a743e80d5b2a7c8120c5dbe527ed1124af68b70a3fac811d80eb604e03c

SHA512
600400f0d8aa50a2e63d9a324d34d7684d63729eb82781277d4612bbfd6e2c0342f8df45f581367bd9c496200336b8f7f816948a0df4b02e324af88c92b707a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
11KB

MD5
774c79e40bb735653595f89e66b6878d

SHA1
36c5da139e23a519e17c91a92e61df72fbdea2e5

SHA256
8e6fd167529b378b09371ccdf4bb3dc2a7b1aab87a1b77f5a5da3c5098f7e48e

SHA512
91fe0e333c6a3145dffaafde7b163d45585eb666bd7506258bc2ac3aafe8290c3ac06fd8f9f246db074cb8c66046f533ade0ff5b4ae6a2ad6391feb99e952f3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
3cc81bc2e35aa1e211d5b6765b9940ec

SHA1
86a1e6d64697fa701539135b3073e2e4cd7f9db8

SHA256
5db029717017bf963c3fd253a1ab2e524c2126f716f0b3c1d1c774e30c29f364

SHA512
8e9b2fdbf91b21764036b5afa501f1fcfcc6e95d1e89d07ecd4d75fcf85c569398f9239ad7eb9a6129630425ac6bd1fcb15fb94c683dcccc991f00ede422a226

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
976KB

MD5
e41d07afe1ab31a5d51b91147a8228ba

SHA1
25e2270c85a8ef309beea2c92fc127261b3f1f76

SHA256
9c78bf68f6f08bc84e899265c5526367580e60a3e96c02219ca5fefd44a58dd0

SHA512
56e0daeb4fde2f0e876eb08128c87af7c547adbc3297265669c13e3258c63c1cd19bb9d3708285d8491ad69bbf09bc8fa7b8d7d11cf485b38eea0e4c214e294d

Download Submit