67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe
Size

896KB
MD5

dbeb4916350fc775ba68d2ba0d4108bd
SHA1

0c627108bddea6e8a16da300e578d3ed5ee2bf6b
SHA256

67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229
SHA512

4742525fc6685cfa8bf1073e1ccb9974ac573f7b5d0482b99a36fe6f677d848eeed7ce9bd1ad7a90d516230e4a3e12bc7740451590db438c4b02f8a4ff34d745
SSDEEP

12288:/qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTp:/qDEvCTbMWu7rQYlBQcBiT6rprG8avp

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe
3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe
1048	msedge.exe
1048	msedge.exe
4588	msedge.exe
4588	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	firefox.exe
Token: SeDebugPrivilege	4820	firefox.exe
Token: SeDebugPrivilege	4820	firefox.exe
Token: SeDebugPrivilege	4820	firefox.exe
Token: SeDebugPrivilege	4820	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe
3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe
3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe
3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe
3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe
4820	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4820	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4588	3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe	87
PID 3176 wrote to memory of 4588	3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe	87
PID 4588 wrote to memory of 1032	4588	msedge.exe	89
PID 4588 wrote to memory of 1032	4588	msedge.exe	89
PID 3176 wrote to memory of 3676	3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe	90
PID 3176 wrote to memory of 3676	3176	67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe	90
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 3676 wrote to memory of 4820	3676	firefox.exe	91
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4820 wrote to memory of 972	4820	firefox.exe	92
PID 4588 wrote to memory of 2944	4588	msedge.exe	93
PID 4588 wrote to memory of 2944	4588	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe
"C:\Users\Admin\AppData\Local\Temp\67d397346dc4afe5f9cfc624d99053febecaa23b667721f158e3b8399df5c229.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7ffcb34846f8,0x7ffcb3484708,0x7ffcb3484718
    3⤵
    PID:1032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1531996024246227451,5867995504568651952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:2944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1531996024246227451,5867995504568651952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1531996024246227451,5867995504568651952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
    3⤵
    PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1531996024246227451,5867995504568651952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:3572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1531996024246227451,5867995504568651952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:4984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1531996024246227451,5867995504568651952,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4712 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1844
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c45a1b0-fb5e-49b7-8fac-eab91ca1d58d} 4820 "\\.\pipe\gecko-crash-server-pipe.4820" gpu
      4⤵
      PID:972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53ef596a-a8e7-48f3-9eb7-ff22f949cc64} 4820 "\\.\pipe\gecko-crash-server-pipe.4820" socket
      4⤵
      PID:4084
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3196 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 3204 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a832eb8-651f-4b9f-bcbb-2364eedf184c} 4820 "\\.\pipe\gecko-crash-server-pipe.4820" tab
      4⤵
      PID:812
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3680 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1a27963-4504-40c0-9b7a-9f9967f75b8c} 4820 "\\.\pipe\gecko-crash-server-pipe.4820" tab
      4⤵
      PID:32
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4336 -prefMapHandle 4332 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ae2d867-eee8-45d7-ba60-a5cc234ccdd4} 4820 "\\.\pipe\gecko-crash-server-pipe.4820" utility
      4⤵
      Checks processor information in registry
      PID:5800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64fe6423-4038-4dee-a48f-65888d09407d} 4820 "\\.\pipe\gecko-crash-server-pipe.4820" tab
      4⤵
      PID:5388
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5524 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c86b1d2-7944-4585-97e4-250ef63f773d} 4820 "\\.\pipe\gecko-crash-server-pipe.4820" tab
      4⤵
      PID:5404
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a1d1ff6-099d-4e93-8036-304c86bae85b} 4820 "\\.\pipe\gecko-crash-server-pipe.4820" tab
      4⤵
      PID:5416
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6188 -childID 6 -isForBrowser -prefsHandle 6216 -prefMapHandle 6212 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aed048c-b8e9-4c15-857b-e619ac65fc75} 4820 "\\.\pipe\gecko-crash-server-pipe.4820" tab
      4⤵
      PID:6120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
c5e828be1e7d623c518265776ffdb8d8

SHA1
d3eefbda446a539fcda229674a8fa8d0ca40d660

SHA256
5a73ac16c275afcbace7df1193d60cfcd326089e18f22a915dd0a3d4260c9025

SHA512
233e40bc1f9d804d9d541d5ae6fc2e4d3bf2e637ab92550d54511bdb878e90840ed77f25f3adc30562a316492202a891e70a95ff32ddf909b0ba26dd7d34433e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ae5a627886b509c152aeaf61d6ba8873

SHA1
c271ad8423abfe03dd31e3ccd45196022f23d262

SHA256
c157932b88d0fd835bc19b2abdd0efa451eaaa6a3c1d692892d5f1c24667f284

SHA512
1bfe25b8ef9623edeaa6bf0844046560809646dac1ff3e0ac3bbf6727936e5b7510e8525f2cee7ad74fa43f6ce8179014181e8d9c73198f9dde80452a68f3cca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1ca9c4e80d4a2e75925360d654379e5d

SHA1
07623142307c19fe6366eec7db7f278095a6fd6e

SHA256
edd4852ec96446f2af22eaf605853a22786c975a73de0ae5074a509902657386

SHA512
b2079e43bf8e0b64c02f4e8987e764dfe28a57dd4106d60acede7c0a10801723b7eb49f5a1f9f991a47e610c98c7de119309ed08d297412c248d935032c67587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8351ede7550d562f91c26260ccf86501

SHA1
6e63086cec81e2fc0585099479ac4cb21c8c941b

SHA256
54002a5c0e84a466962f8376e074a93dab763a4529f0e5f4e7c7535a7e9d75f2

SHA512
2b28e4f7a59015bbb89055fac8698e61081b31d5b98d778fa2de14340e89d740eea5888d509b681c4850c9603832021a5e32694349e57b82d94382c8a3e422b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d8eef789-3650-460d-9067-39795061fff7.tmp

Filesize
5KB

MD5
45f69a3dbfb092e9c35211d037d814e7

SHA1
9008fb82330eb7356d1273640e1caf678eaf39a0

SHA256
0033062ebf286ca5a0b38953ee81010d72b672a7d5d78bd693e2cefdf25cc25f

SHA512
8d0089f70c7a01d30c18a3d01f4d12d2554c8a2c885f42fa8fc02231c32e193a24d939771e7aed7f940f48ecac24941479401a16cf9a9a4b4707a80ebc2cf1e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
973659099a8ec7c737f412f39a11a8e3

SHA1
5bf4de17102301718abd3a977a8ccf90b94fdca9

SHA256
d537220b6c99be5b4a8d33ac567764555bacb4ee1757ecb668220e29c136b732

SHA512
1b2b7b846c5b5bf3f1a7261d5ac3dc7670970e4354b46fe161738da4ec75de5305c570cd472147d4718bc810949e790afdc275347b3e4d80577994a5a85764bd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244

Filesize
480KB

MD5
89ce3a0c087aae0a121e5671fe1401b6

SHA1
677a665f4741263fffd68682c832cb08dcdeed6c

SHA256
55980a06e8d5983d745c6e3f12c0cd6d05369c65f25c0038f1cd194751dd924b

SHA512
1c90e70ab5303339070a69e23fb31729702098130aaf7fdb55600fc7a29bea21638e3a66de7e78ad9bf287c2691ee1ec867cedfcf515e60245a97d765d7f0b04

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
46074eb33b3cff5d64c11a4c9ac3fa4a

SHA1
e2c76d296a8783eb3639bf9b16431604317ca190

SHA256
647a43d61b5859ea77dfeec9e0fbe6b85dacc7d72b5bc35333129d161f5b411c

SHA512
bb66a0aeac7aee455afdf97872ed0e2eb923ec83757ae6cf0d6c2d8928192a6e42573191e8c60f352ef9b235bd11849d7776acb1a8b013d16482855b7ba2a608

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
10KB

MD5
c97834d6bbc3bee522cf36391d782096

SHA1
0b7c533889f25b50c0b566c169ffac89899afa18

SHA256
5e3ecff42cf9bb4a4bb971562e43703128defa25eed143591e64af905bc69b20

SHA512
a81caa9edc1c507a2c832e96975365535bd212c919f364e20190da69bf37743e144a4ffd5a1044ccac078e98d53b37ab84d3d342ac0334759721180fb963e294

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
16KB

MD5
f24531a93be95221243dd91652f892da

SHA1
c317beb72882aef2ec753a6302607fd7bf19113d

SHA256
ac516fc01065328fc4e56085f138ba50d6f837cd4183d246e2e8325519369a94

SHA512
816ad39205d9b33a75fe3c03509a20d9960963b51d1103dd606b4eaf2be59bd07c37b1c8d8b3858dccf0650dff7ea037a0b05a6cfce00e7adaf97f2d521fa853

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
78f9aba364c53895cd29ac0d550dd62c

SHA1
fb38be2e3f03db24dabed3d60747f86bc8b9579d

SHA256
f82e5aad866b4b7c20ea006f5854efad222f97aec30d9dcd381836af008b1a30

SHA512
11e11431c22daa97592c04d93230333c757b003acbba800ac405f71693925309c09ed11522fb39737ca96e5dee2ffdc607620a73d2f122e49639a90ca15fe15f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
00c93bd6897ba45134e805dfba18444a

SHA1
7ee00bcc845a3d7e015d186dbe3ba77fcf4e43b0

SHA256
45573d0df42d39bd166cd262730193b5fd8d7c126e5631c0af6a92f413748ed4

SHA512
fa1c9de1598eca3536250a1ff1cc7df5a1a7649c53f774da6a41790ba7a4a790cc072ea6cc16b26eed14e6ded5044590b3187023d922094bf14f1e668acdf080

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
5a705f1b723bec71b48a54fa92a4f950

SHA1
3fa20b1c97dfe90ad816a735b7df00ae93d55156

SHA256
16838e49dc72292cae2ce1628d99e052498dc2cc69cef1e7d3d211c9fc340d0b

SHA512
36260e96fafadf339d33922d9bc5c10f555a84110c8ad8a1bbe85de72f1c9192fc379785f73f93dc988c8bec09fddc784a02771f593e64d3aa4d2cfaca9887c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\3f1eedc6-3a31-4c93-b148-fc0ad0e589d0

Filesize
982B

MD5
538505f64f5ec27fc367d1798dbfa9cc

SHA1
d63a296ba779a8dc69cd9cfe03b8e9901c16f0b9

SHA256
0e2edc77a770d5ff8f60f382e422bde46c7d6cd9b8b33d1d097852390400a1a5

SHA512
68acae6032dc1e63f2d7bd0688745a952b9ce0bf2c00470efbdef88d8bdd21111f89a5ea61af62f65d05257f7ffc2c0a52fff236f6e877aa73ddf10ec41bf57a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\57d7ddeb-a2ae-411f-87a3-0fa2803f7fd3

Filesize
671B

MD5
8a24f748e9272a4e05df6523313571fb

SHA1
af8241a2561ddc1094eca305f2be9814636e8552

SHA256
29980af7df9518de9cab7b139303741ed8f46298c69e986a89fe41ef294f5cba

SHA512
7cd637a3b2437f14a88e9944a893e7251b5b190c297d768fad141e127045ef790fd7e8222a9e1c964562fa8781f70a20c53f49d6735bf96c2e0d004de80ac20a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\fb44c949-60dc-4363-9f22-7a07a8612093

Filesize
26KB

MD5
b812375699c61b223f36f32ce57b4663

SHA1
17116c19dd682707a48d7c118a1c0100a91ba962

SHA256
35ce0505d728f1ca3c70f9328a3f7f003067a81bbedc8bb5f30afd5c26fcf7dd

SHA512
d6619bea27c12d57dcc313ba4f75b30cc03e61302aa15ffe3ef4ca3c143677ce37f77b2473292f5234bcf0ee085e045b39a7f2c19eaf26caf272074e5b748094

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
14KB

MD5
0329383a3ec0307ba82efb5898fbfe54

SHA1
51e0a8c82755ae00b4cc7f1c98928b6c9754eaf9

SHA256
09e88af584501ff974042a49033ffc60a3c77007d8e5076dcb0a9845fd45dc8b

SHA512
8f4b378b259abefb000387de06487e75dd31e0d3ef456f610a724f8fed77bb43d515e8b16cd730e194cf07e283cbba7718c98f779068890d152dcc6064f830d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
25e2a13fd309af0e9b63791f6226862c

SHA1
0baac4c022733f94981922aa133cf3d2120dab34

SHA256
bcf2834773ba370281f5f6852d8356a6d7168564fde062d385017929f25da153

SHA512
95720912626f4d638ea34aa05b012f54fb25cd279241af03752c08794abe702fed709ee722f03520df1b44c167b2eb7e1b590396d77d7c2509b92c7552582f5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
15514ebee3a1591735631ae8b7bc5d02

SHA1
381bdc50134fc695ed028d3455573c78f6857b8c

SHA256
fa56c15616ac810dbe7adaf55dc04929999b20e49a8a11849d88278375453241

SHA512
e71b4be7c431a434936ba943f446f042fa101ba1ba7f8676fe60f148d5f9d339c841846cfcc1fcac953ee75648dcbaefe9fa091cd3f63381e979165ca5f898e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
d773dd440f9ccd7a5bcc103be4e20fa7

SHA1
3dbc0e66e7c1c0ee9c12dea41a408c426217e70a

SHA256
21fce1c1cbc21b244135b4a315ee252e02bb18c925c42e6e80abb15536c970bf

SHA512
0ec038e4c04d5e5116d948bf504ed529baa4419826cca2f2e73cf535e9fd4d00173cb16e69cf037ab16059be6dea60778edca5daef4091dc5fa5fac0a1a266ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
d69cd6bc9534cf10344f2c5e03e27e41

SHA1
6e3070a57bb3f1ad8d8ddcdd8a57c69f123de1ed

SHA256
c5aae6d7033e820950808c5a25da1a724fabeaae694bc1598fab19d1868bb98e

SHA512
50e338b9b28362b4b8e776ab3883f31154561ff4f109cede051f9ad90c085032b212a7ef990a9fb60490e866c1241b4543b50a68089915e576df5d60ef4bc23d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
26da520641b511ce8ed4de139d0ab991

SHA1
a227757b36731b8f5976c4180f79a6bb2c63a4f7

SHA256
b4fa22e48d89ce09ec852b3e0b71e2fa39275a63945082e798a00d0d6e579df4

SHA512
365357d9f2e5cd02b89732a009253a924528e4f0a0ade962abc437a39c04cf619ad8cc159ced9cb83669fc001094b0645ef54e9d8eccf68915b7587b032e2cec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.9MB

MD5
2c74588ce1e62a682d8b89ec103b47a5

SHA1
10358464c40c75a04d65040ed4b7e35915c04c71

SHA256
e6c4c76d5ef81c5949fed24e6ccf4152c5226c040a3ad242e23b43fda3c5c9de

SHA512
59e7a652209514b9c563593d55b32f72dd47fe0f4e46cf576ff6325f1a6e5efa3980692878900c8c348c980466d145ee25a6af9ef5326e1f7709e36e8f090e6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.6MB

MD5
cd610b95ca4ceebcdf8c832871a2e294

SHA1
e055a55496cd47c1484cd9a7d1e95b76506c2dd8

SHA256
e71aa4b23db00f48c6f828c9be549c8316dd713c799cdf10a89d6376a3a66a41

SHA512
e17a57d29c2d3cea8afa6b184c0b12ddd91e35783bde32e71d7a4590eb6cc9fa1e8e2e956d076e3ca499a33207327abf866186c9cb69dcdd06e60d0a2c942982

Download Submit