8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 17:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

896KB
MD5

2738ce21cf81c164178dfd3f6d25eec1
SHA1

215543dce12a9650d387179e7bb7233ffede07a4
SHA256

8c42db72578b924a8100e0797ce1249c067c87b41327d7fffa9d53813864557f
SHA512

9c4ffcdd783c2b721eb46acc8db5ce8626a93548a2d386e9108b6e7914ed8b359c24d75b9704be58449daf3386b3e28f3aac8bd7afa820561a8685d70204d031
SSDEEP

12288:rqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTR:rqDEvCTbMWu7rQYlBQcBiT6rprG8avR

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	file.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2924	file.exe
2924	file.exe
3268	msedge.exe
3268	msedge.exe
4744	msedge.exe
4744	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	636	firefox.exe
Token: SeDebugPrivilege	636	firefox.exe
Token: SeDebugPrivilege	636	firefox.exe
Token: SeDebugPrivilege	636	firefox.exe
Token: SeDebugPrivilege	636	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2924	file.exe
2924	file.exe
2924	file.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
2924	file.exe
2924	file.exe
2924	file.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe
636	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
636	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4744	2924	file.exe	84
PID 2924 wrote to memory of 4744	2924	file.exe	84
PID 2924 wrote to memory of 1444	2924	file.exe	87
PID 2924 wrote to memory of 1444	2924	file.exe	87
PID 4744 wrote to memory of 684	4744	msedge.exe	88
PID 4744 wrote to memory of 684	4744	msedge.exe	88
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 1444 wrote to memory of 636	1444	firefox.exe	89
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2936	636	firefox.exe	90
PID 636 wrote to memory of 2244	636	firefox.exe	91
PID 636 wrote to memory of 2244	636	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff96f0446f8,0x7ff96f044708,0x7ff96f044718
    3⤵
    PID:684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,15921466802919960910,1874455805389957070,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
    3⤵
    PID:1668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,15921466802919960910,1874455805389957070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,15921466802919960910,1874455805389957070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
    3⤵
    PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15921466802919960910,1874455805389957070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    3⤵
    PID:2484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15921466802919960910,1874455805389957070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:4524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,15921466802919960910,1874455805389957070,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:112
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e72ad12a-94d5-48dd-a57a-3dac6630267e} 636 "\\.\pipe\gecko-crash-server-pipe.636" gpu
      4⤵
      PID:2936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a436643-4068-4d30-944b-c6408c92e865} 636 "\\.\pipe\gecko-crash-server-pipe.636" socket
      4⤵
      PID:2244
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3484 -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 3476 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3746eeab-9ddf-4900-924c-ca724d1a7be0} 636 "\\.\pipe\gecko-crash-server-pipe.636" tab
      4⤵
      PID:4712
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3564 -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3312 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db63a21c-8a51-4f79-81d0-84854a2394cb} 636 "\\.\pipe\gecko-crash-server-pipe.636" tab
      4⤵
      PID:3276
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4192 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4144 -prefMapHandle 3312 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f0f8041-24e1-4a9f-920d-e237a170b227} 636 "\\.\pipe\gecko-crash-server-pipe.636" utility
      4⤵
      Checks processor information in registry
      PID:5456
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4280 -childID 3 -isForBrowser -prefsHandle 5356 -prefMapHandle 5256 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35b4dac0-acc7-4717-90e3-d7a5a78058bd} 636 "\\.\pipe\gecko-crash-server-pipe.636" tab
      4⤵
      PID:1528
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b766c021-b708-478f-adfc-87c702b89c14} 636 "\\.\pipe\gecko-crash-server-pipe.636" tab
      4⤵
      PID:628
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 5 -isForBrowser -prefsHandle 5716 -prefMapHandle 5616 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ac59497-1dea-409b-8b9a-3be48dc05894} 636 "\\.\pipe\gecko-crash-server-pipe.636" tab
      4⤵
      PID:372
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6140 -childID 6 -isForBrowser -prefsHandle 4972 -prefMapHandle 6088 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e1a388f-c367-4442-86d0-b41b67cae2fc} 636 "\\.\pipe\gecko-crash-server-pipe.636" tab
      4⤵
      PID:5300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
2d1721ef2f33b26b1102de3fb5bb986c

SHA1
7908b2cd06ff1af5985160df5998fee812fb13bc

SHA256
a20f65f0d3703bf291de54122f5abfcb8795a80c1a06c05cd7bcd6c05c531fa8

SHA512
59200adc61042ada36826812f02da146058c28c21ce6d6e225718e0203b2ff210b3be9c59ae109e403d5e040c6ac821fd637aed05089321e873ca4b0d5043a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
381721619bf6672af81cb7c0e7b7041b

SHA1
e1a3c4cd428cc9c589b38a5250e4c17e575ef94a

SHA256
d43b4d5e7219c35e0256d03f934583536a0a00f29e8e39bd936b787910dbb9f4

SHA512
0aa9ce9dfbf22d21d4741de1132205a2aa76eff6bdfb9c6021ec32fdb63a914dc4cf6fd66d7211e9855f266579322dabc0bcffab330dd3d6389196b40c13f02c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a5b0f184fb154a49c71ff09ea4204664

SHA1
89094e2113dae3d8eab036510977b7fb6f5f9603

SHA256
51ff4328ab630b226f3be8038bbc6e1b48865a3f1d39be95bac0b980f4f1e59d

SHA512
45d952e3c1d2c5b475743618c063b2ca5eb81e2a43feb99f3aab4bd966aa9125a8553576022c906a7a7d234f85d0154e5a1d07aec373f66378158ae56a940331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3b608c94a738d3262b35c55c1c961417

SHA1
9373e2f586a96e2e3cfa24fed2e32eb044b88d6e

SHA256
7cca0ee8ab923724f2fa5b8cd5728b7d199d784d536f40273c89a7959f3e6aad

SHA512
04382408e0a0df3142a48ca385a0efe20865e1c49e33e7004c96f28a3a4785f3fef7da78f1be8397852dc1dce8c291d78da6c5950016c0a3de4faf9adf5523b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d304766f3239a98b12cbaf0420310ba0

SHA1
940ada3652741650e4b94c21ce67c0764998cc36

SHA256
31d11b557b873656a4c4d3b41a28df728fb7be116cda5d7fca48e400f10c1d5f

SHA512
2cc6a2d8c9f164c31d2c3ef48c36b74540de8cc8561b07f8a875b48bf4849d1e3967a208696ab1106e40756938025ac21da5c8269a5c39bc4e8044048e02c3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
151a8d0cbabbbf6ea6f46b21cc788bc2

SHA1
6268ba6f10fca9c21d96fd159bcbe4ab15c2f743

SHA256
cdc162e597d453f4e4064efc59ca453f752458dcf0fae9ef053da5d8f9150ffd

SHA512
9b811d7ea19dcc499e97455fdae1648eb8f909b85e07b54f2b51eb915300a6fe5b779b0ec817377985844ec982e20f7a6eaf702f815230c35f666cea4796e1ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

Filesize
38KB

MD5
9f37e840d90f5378c59e435ba470035f

SHA1
dbaad4db4255e557fd66cad82ebd5fe3037d5524

SHA256
bb8f0a5dbb7575ddd5ada84792d8e9cf5b6dc9196b9dd423c6668f1cbe394e84

SHA512
e7edd69e4c0eb57fec86fed8cf298c8b568dd99291aa34addec016568cc99d87b4aded4479151f6d44899e4b06c2b41c0a15e6a74641d8c2dcb746e1b01f5c9d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
f460d22c548cd02a2c50ec67c62bba8c

SHA1
af31ecc66761892b90ed2b92ccf0531ce29164e3

SHA256
469a0ea3355eb347fcaa840d87cc90c4f1f6417b1627bfabb25d094e0bd3db4e

SHA512
82530d187c0a83bcc61d3fae1b3ec8fbe53c15bb55f4a205f3abd8f863e885047e52a086c794b65428f1292413c8d83e08c02a1e5f745b2a81fda54f5f5f77b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
16KB

MD5
e5740e294b57b1dd278df58867bc9425

SHA1
913a9f6eccbb6b38566de5346db2bf8c00608b7a

SHA256
677ee875e13044bb1e086c3418d68bc65233052017f4497bbe3d59970f8ab206

SHA512
abe3bb57c1ad548126490a42a47d37677a3aa22bbbfa84627a0614cda36828642d029df0293e26196c3c6f805c012f81b81e3d660a8c09420d5e7ed4e7172d29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
11KB

MD5
6acec1a1eb686c680b5204e7b1eaf087

SHA1
6574a981a27084ae86c2b28eea668632d6ce727c

SHA256
f8ad2d8c0fc189fa97bf6355ccab4d808d2e506b8969ed74ed2ceb899bdae83f

SHA512
3a0c64a5e7ca073b44b900dcbd6ade62cf93812d232a16282230e5524f8709ed6a7750d694fe15542c609b49632943d29e54c37d152db5e0648282c6e94a21ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
931e2172abe401ff983f034a15da0299

SHA1
ee9341547517e55ce4bea9393a3ec8efbacdee87

SHA256
165a3d937fa9850813a88c0d5e705d06119cb45502e569f7a9e9c1c068c8f039

SHA512
4869aad2f9c0bd90a46d82ac1da24eb855a1d325e35de8253e5f49f2290a084c5ef0d8e85366aa10f6008c1256add544d732ed059b264d848327b471fb7966df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6ede38c46c6945b2c399092817f09235

SHA1
aa2980cb809f80f87bc7699da9e5c1eda9e9844b

SHA256
21e925c78bc3939b7398d0d2cc75e40efa59dbd50ffbeff9fda99d193c91dace

SHA512
3be8a4647984be93efa6b302d4a6f49297f34bd96f08c907e344a711dd4380b92c42ac0c8258c2f023f6fd205c5a67a0fcee09b072c4d37867381569240008a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
8b801c96f8acfafa92d99e9c006d6d95

SHA1
2a617b60de0c8b88adce843153046f6ed4beb08b

SHA256
de31bc2ee760251bd89ec02c8026c8d49c7c417d0498c656bc02432381a06e44

SHA512
2af536297c7b87bddea751f87e55a0368944fe6e156d50c67be98c7396dcfe3ef7ab3c6aae36782ff595a49d7756fdf94665f0be97e695cf0f5cf3af55c8b5e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
23086f3996032f6a302f7871c2072d00

SHA1
5a7134f8287a4b15a9da1ceb217b74db00e8c2f6

SHA256
f92911a3aa8079ae58fcda4789ed4d5e3a45d72b60bf5bce94e9c04d21c9dcce

SHA512
ecb9e2f49d4b6851171ce913fd3a74f419c9413406f6837d7042b7f4ced551936a8f3fc8405a8c7ca713a201267cf20e710e40ba305c7f5522ce80059b7dad13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\03ffffc7-093d-435d-8391-9984895c3fbc

Filesize
26KB

MD5
45a240d2765631e259be62859550fa4d

SHA1
5f219b530283417cdfe405ad1944d68d7e69b664

SHA256
4b8694127b9158a1bb1a9520485a0b6ce2aeac1564834fae0dfdf76c4a9a3b48

SHA512
d3b9429b028f8144caeded4d9364ce60c7e7c903cd170ee4bf41b230d075db376a83fb7c0b481f41807b794ff0f1ab1f62b8080d73363c3439a65e4b96c2fe6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\45f09936-1565-4756-b280-2355d83b7239

Filesize
671B

MD5
30c1af4ba7cb7ca79bee969971bcd44b

SHA1
dff9c65d594cbb75ee9862f09a594334dc1ddd0f

SHA256
5e749add29d7acc49fa035c706e482d6e997ad7c3bc09b72eedeb0df05d1201b

SHA512
a4347a3ece6a3329126d709179022cd5c418cb4077ebfe755142f5ce3522e9a23e1d81ef94608a17abd9bae6a324dfd5bb4341dcb5a4da2f933bb2f4a4c0e732

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\4818d356-df8a-42bd-9cf0-aee9cc8dcdac

Filesize
982B

MD5
6c9d77fefdaab78d53734c0fd707c566

SHA1
f354be7d30f5f69251c2db2852d4e01093ce2811

SHA256
49b5253c093fbecf1aed820cf5b7296c669077806873ad0aaea4215b6691fd6a

SHA512
8bbea381bb45126b880caf01c5ad71a1af29f2fa8e89420cab2a03e2915471bcd6f437067031b658b169f3308781ff467c20321533db56102955c9787d759c44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

Filesize
11KB

MD5
0d50834d173ae45e8cb55969a765f0a4

SHA1
ffd3cabb7a37f1d64f9ee1664effe4ff55036e83

SHA256
0d1560f03584274ac957b182fce1974d2d642912b162d00ca4ed035455448468

SHA512
f19f60ffeff553d5968850dba27642a453ecad860824ede8b0240808ccc37efab4b30148e4e7f8c1148c92b3885e1d3e9a444a6b78674f96a74e0201a1872055

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

Filesize
16KB

MD5
bf5fe8c5ccad7e2edf8da2779b532bd2

SHA1
5b0a189dc6d28af514885c18cfec99fb1f19c66e

SHA256
f4765a9e698b461dbd5edf844888add6c3a67467dc20473a9e4626a28371aedd

SHA512
34b0fa864552030f476be5df399c0136d8e90d611bbeb14f91152248b28516659c742ba8bb9792cba773d3074ac937c09c3af1c8ea3719c71e39454f3b68fb06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

Filesize
12KB

MD5
5471358bb0eb154a5cf59518dd43948c

SHA1
5c58396b38058958dc9fe589de16a9f5041175d6

SHA256
006a802d842336bbd58909f3744d52ca54969e4e9f591debd74e3617fdd1147c

SHA512
a7fca4038309148303b9e882169627097887d33164c7cf575cb3e075aea8ced810baafa70c60ad619eb3e32b6bcc7c3f87e3b5d49c308413d0e7d1ab9662ed06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
11KB

MD5
dfa6c87cb986bdb146260b93a9ec97f9

SHA1
4e115f04de5e2ea9e00d229f75e3adfeb3a9ff96

SHA256
5d622fa8fad91f33cd56d136d2a99567dddcbeca86d778c62bb912b6c678d473

SHA512
1c99c7edfbe3f87df39eefa8d87ac21c227299e45e03678a1030aaa06ad5415b04c2dbe4cb210f821a4dc6f32c8578410f4f50ada08e9d38545ed85c331d8eee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
cd1fc5c67c9484df5e508d35e45c59ab

SHA1
277d8d79e9ef22769a1609a9c1448a33dec817bf

SHA256
64cedfe273fb32189c7422528b1fb163fe5a5fd705b4474b9874677e161204ca

SHA512
d6be9b3128e65f43026aaff4257be7a2fc27773334c3b9e507b47d588ff284e180336141a2872ecf77721f8d289e3e815fd791ca4e0502a5babbf56b666d6ba8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
952KB

MD5
19be387d1c9ec17a3163d9519afd8b57

SHA1
ab30a70f55d02cdfadfc4897df889cc904be2562

SHA256
9716d27ccdb005092f5a1940526f6f50e6036a8f0d6602afb8136219d83f97e8

SHA512
f6680274c0c806ef3ae63b02b26d314d23a93ab3a8cde66ceef6ffcb4574d948a913e9d016fb39ea91eae43ad50706b1bd6908dd77a2332540e96e9330722f0a

Download Submit