c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe
Size

896KB
MD5

895e203a2b0491b4aaf67903e1c5d671
SHA1

ec65e79e969f39f911569fbdfe88d69b6407d721
SHA256

c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86
SHA512

4db7e4de5f4f1acc1ccf6ab4bd9f09a2a550eb5e10ff3e916d9b99aa5984246a6d7aa0b717d70ad1a2fe774edde227ac609339ab2b9956bc22589899162ba924
SSDEEP

12288:eqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTf:eqDEvCTbMWu7rQYlBQcBiT6rprG8avf

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe
4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe
3684	msedge.exe
3684	msedge.exe
3552	msedge.exe
3552	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3684	msedge.exe
3684	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	firefox.exe
Token: SeDebugPrivilege	1596	firefox.exe
Token: SeDebugPrivilege	1596	firefox.exe
Token: SeDebugPrivilege	1596	firefox.exe
Token: SeDebugPrivilege	1596	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe
4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe
4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe
4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe
4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1596	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 3684	4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe	84
PID 4844 wrote to memory of 3684	4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe	84
PID 3684 wrote to memory of 3520	3684	msedge.exe	86
PID 3684 wrote to memory of 3520	3684	msedge.exe	86
PID 4844 wrote to memory of 4268	4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe	87
PID 4844 wrote to memory of 4268	4844	c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe	87
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 4268 wrote to memory of 1596	4268	firefox.exe	88
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 4048	1596	firefox.exe	89
PID 1596 wrote to memory of 5072	1596	firefox.exe	90
PID 1596 wrote to memory of 5072	1596	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe
"C:\Users\Admin\AppData\Local\Temp\c4d8ceca57eca8abda4e05a78bfaab5c520595cc4d306d70b1c16575997eee86.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb020846f8,0x7ffb02084708,0x7ffb02084718
    3⤵
    PID:3520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11883867754402440397,14232935797225826866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    3⤵
    PID:3880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,11883867754402440397,14232935797225826866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,11883867754402440397,14232935797225826866,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
    3⤵
    PID:4604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11883867754402440397,14232935797225826866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:3828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11883867754402440397,14232935797225826866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11883867754402440397,14232935797225826866,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4780 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5592
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99fc99b5-5e5c-45c9-ac1d-6294357c6a7d} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" gpu
      4⤵
      PID:4048
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8884ddd7-e2b8-49da-9e43-9b731847b1c9} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" socket
      4⤵
      PID:5072
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2812 -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 2956 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2c0b0db-5249-443f-b40d-22c1b4261a6e} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
      4⤵
      PID:4376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3436 -childID 2 -isForBrowser -prefsHandle 3168 -prefMapHandle 3688 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f31ad2db-1272-4471-8ea4-caae5be6c739} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
      4⤵
      PID:4380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4232 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4208 -prefMapHandle 2796 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50fafebd-e21d-4c32-9d13-1cd07a5ef372} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" utility
      4⤵
      Checks processor information in registry
      PID:5292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 5496 -prefMapHandle 5392 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {196a1e19-2056-4f19-9ce1-f397dafede8d} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
      4⤵
      PID:1496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 5412 -prefMapHandle 5456 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99af690e-87dd-4c01-b759-b07558bb58f7} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
      4⤵
      PID:2664
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5784 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08584b6e-0824-4aae-9145-432d69b3a5a6} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
      4⤵
      PID:4764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6192 -childID 6 -isForBrowser -prefsHandle 6204 -prefMapHandle 6200 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c87587a5-5e8b-4e61-8805-f0c2b8baf693} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
      4⤵
      PID:5360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
7fa7450c2f1968e3dd4d9f175d9d3706

SHA1
71573eb12df5e26599f1d01bb15a5ce62bf76216

SHA256
b0ca160d37243e9796364f6977144a275bc8b8516022458a1623df3db99d4dcf

SHA512
ace2ab67cf758a8e702793a8e0a6400741df85afec30ab193e0cfd24f1936cbb09b936f0f03126167c4107c9a654cbddd7ced76936730ee88c355107c5b654a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ad77955128d705e7968033ab8a0754af

SHA1
7078c291490f628f2d0874944bdeb31bd52868d7

SHA256
d21f8edd594b8d9d1b8e655647ed92f86bb81a195071fea2dab3be101f719c50

SHA512
736b280ecc41cc0ea7c1d6311a4532e322421c1d9a7497d35de33dc4848831eb44b2ac8b0ef6a79535d42c26e7dbf362dbf2ac568f220ef586a270578c95fa2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7c7c0f3b6ab63ebbd4f30e1091a25de3

SHA1
30221b495469b6c043aa8a4cfcdc29510ce26811

SHA256
6b7925bd37f174a6387620d951437e12d86a9cd98759714564f00552fb46b21a

SHA512
e45b27914cc3d440bf6edf02cbfbffded24603dd87a38b8ae7ad67550132be905f1d7738789cd77178c6536e123563510c31b9ad7ebbcdbd0e619d2059d41f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b67b4b1a21821767e3e7cd27641e50ba

SHA1
14f4ee700bd53a229a3e1ec36bae81af0790a931

SHA256
bf848d997056cda077cef066e5f3e67ecea15990c05a1eea7d75b1e4f88fea7e

SHA512
bdc73e7ad42891836183738ce2e35f8e7bdcd4a582c717af6763701fee9acfba16be1bc08e6ca450c514f09dec92c56c466bc8a324927c962a27dfc2bd83656f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c1b24284fecd17d409cecaaebf1fbc5e

SHA1
18235350dfd15e4505f93091cdacc40c2a007d62

SHA256
9aa2e7fa2ff3278c55398857ce51fde4af39b6dfe8323900b79faf29b15be84f

SHA512
a6e31a38ef210d447c62fec00f1405346a042bc952386a92f6d0ab44bb264c631633ecc02ac8cb64022407fde36e56f056fd81926792df872760990ef04eb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
9667221d812ced4f514c834a1f357e28

SHA1
a75c130da5491777c76a81a73bbfb9990034598a

SHA256
007986b278f858f84f32789af2b6d1856d2dc5dd0b2f4b858aab1fc8860b636c

SHA512
b252d1eae2e102babe1f67b1e9029c78da8286137cb02990da7828500e333e461fc63eb2a404df5b26c7ad86224062cee9466aa73e71dc0075ca919afd2d6c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58af75.TMP

Filesize
203B

MD5
4760c0ae16f8b48f0a7bd57fa1e9ab07

SHA1
45a0b86bef6c67093b0ceb86cfdb3cf203b69a0a

SHA256
cf04b49e9ac5c1da465c861731bf9de561e17a8c26937d9865b4dbdfed74dc93

SHA512
f6524f5171a0294d1c75fb55d2d45cc5dae5a8b75e447c733aacc217536b4b4c9008b598f9fdf07ed55f8a7dd9d68c835c7e8345397fda00c92795dd3fe6fd12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6e8d6d0a6115af7df39375530bf6c4ba

SHA1
26eb3ccd4e9c74937debde808a9b3d4087d83672

SHA256
73d380e90fceafd844c9cdec177385771eb4e79c1cf3e93c8b06c6000d5cc74e

SHA512
87f445667c48e60dc59805b9a84e97860651aec740da6d5e33286291122d2991b48922af9440718bd150666547720aa6cdf725334894d43dd53bf0e5ad2bd8c4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

Filesize
45KB

MD5
68a331ae230b36fe8ce85d7202fe4312

SHA1
70ce67b315fb6cacb799a5b1f0db6b50e8c3304f

SHA256
b144f1633ee5162df2d695841e94e16ea4393257020be19413cb97c6f1f8458d

SHA512
021507b70d5fd2b31956099e928928ebbf532297273269a3cec9451f06c1a25ae01c2865702ff85079d7089f73c0a28981e3a6833db2525f4a0af97a2d13274a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
4449933090397b5e8a957071025d8b61

SHA1
366d979fd0c41bf76b7a4777546ef5aaa7021a01

SHA256
83563670cf68cc55c1cd7783cbda31b5a7a63a24cdd67bb377ecd861f533dc59

SHA512
544028630d6ba9c7e9d0099ec50e9dc891b9b0f37303c2f8dca24f2d24818eeedae2878c5b10978f782b17ed6ff3fcfe783b607dab068213345d2fa64effad33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
08e938bded3c2a96268d9a01e378ed44

SHA1
19b87e8962c436817ab6d1a349abc95a6c716f8b

SHA256
72aa5cfcc4d5fe08bf960037634b1eec52a2ae34343b2705902d699a41cb3c82

SHA512
cdcce2c63d2e6bc8c289789268b016f8a7d8438d115305f47c9427a6d0399c53fe771f46cd63152e46fe5d3e684579e734a988bb5bb4520e63f6f385a19c5943

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6035ada89fef9d8082f927376e8c9694

SHA1
5631626af4ed1525a8f5f54686b936150edbccaf

SHA256
2cce36f8fbe12773ce57ae50b240877e2fb14570c3ac13edbb96bcf9fca3a940

SHA512
e4677c83428726c2515b20af04ed7e4beedd3342a0176f0bb8768a88849e92529e3ed5e4b5c65387517c7e2c8d572bfea1450e1ae893acdccad588bbd5fdf6c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
cc0533c7316dd01018b2172c739eebdd

SHA1
0278ed44a9a1ee7c95130200d4b18ea7082c9d59

SHA256
516908226d762caebc8d7d5e47f731d691200e9c95036c022d053a1322dd75ae

SHA512
3616df4541b75db7bcaec5a2692be1f7a06a8fba10dedf4d4459615c8e91068a877d9efd5621697bef3b00317391714231dbb4754e5c3da9c3a7ad68b256eb01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
156ad71c185aa6a9b97ee94ad08724a0

SHA1
974516746ee35c255450533a77d69252161cce61

SHA256
5d97981b434e6d814860b3136f13ef7f941f20529ff84184628441763ddaa038

SHA512
6878265f784f571025594b59dcc53143ef25caf9a623a2bb9bfe906e859cc401beec1e2178560ae530ccfeb6558d96f0439869e6bd197b3cefc8d29c3d89626a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\09aab6f7-150a-44c4-8cb6-3a331ebc3c44

Filesize
982B

MD5
3a6cfbb2655bc326c450caa9fa325935

SHA1
be804e2e69406329816ec9c736495375a79bf6f0

SHA256
61123e8e28db0e215e0ec02afa18c2fc3b183e4ffb4472dd505bc6de8fa087e0

SHA512
06cb67bee1ede4d2bba17f2f48b5b001f06687fe0675175af5b63b775d16b4cf97f8d8edda899c78206a73d4d8a7c3e83133c84b1fbdd935037555a1188ba769

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\b21d9c55-37fa-4f9e-a601-be72f2adff52

Filesize
26KB

MD5
afbc3d8cc862c466a37910e79dee5d0b

SHA1
9d142e2edc02aa2c0f6ea1f1c2f1ab7fc387fbae

SHA256
cf5601f10a95de2bfc8c911ac2a2c6e6c64e9e69f2d88bec3e06d170a03d4d4a

SHA512
ca44cb1975533d2d4f7911763fe645afd31343147f187ebfe45159e7490b045ba392f714e2a3cc7c4c490b52e3ea99f5752df2493645d24dec98807ad3408656

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\d2e83a78-9461-4dfb-8661-15fe2a6bac78

Filesize
671B

MD5
14ca53b356ff746e762c4e34a0066535

SHA1
4ac16aadf1d7e73337ba32f423b8c805a50c1bf4

SHA256
a4ebdefb9c208000d6531efd7832c1bd23b03c47c3bcd4fa73726d01ff5348c1

SHA512
a97cfd999e0e1c1c52986c799d0621c5d5a8c5559cc833ea8262b67848d986d0fec6e7c7d0fbc26357c08903aea79b87948462ce8e0b0a1e887f1d1043f768f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
12KB

MD5
ee170d4e3cfd593392744c749d7f5253

SHA1
c91dc6072c702f6fa00d6078f56e171bff724e66

SHA256
a0525beddaabc2491fd633ebb26a730798b3988fa21545cdf2e1630d60fac983

SHA512
3efbca385befcccc7de6b46ff6c7023e2d70377d27a16dc0929733011038a3858bb065f8eea8cad30a402007182835c64a6ba4da87a5917351706529cbb41c9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
16KB

MD5
2ac362e2832b4dc1f3a3d8cc36a12155

SHA1
9f9b9763b91d7559339b9bbf4c52b23ab486c18c

SHA256
87ea206d109512e1203f6422f790abce2246e3b31200dec597b5076c568af382

SHA512
ecd9752aef942979baf3b9370d679ee1268d7657d97accdfc0183e92aea51644d47b9c3ebf9bc60c75702ddd256af076db091e7677dfa8acffbbee2cdb50419a

Download Submit