b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe
Size

896KB
MD5

928d7803f08676539035325d8697fc53
SHA1

cd0dc8cf27e83ce4f8aad5379cb5330d539f4893
SHA256

b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5
SHA512

b13d9f3089f8393aa00b5565196f25d6ef8b05808cd8f5c19ee8ce7a48197364a64f464866429a3d33c69ec2c9ef738d88ed8a4c29077338f7f336db6d800a24
SSDEEP

12288:mqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarT8:mqDEvCTbMWu7rQYlBQcBiT6rprG8av8

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe
1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe
4372	msedge.exe
4372	msedge.exe
2220	msedge.exe
2220	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2220	msedge.exe
2220	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	firefox.exe
Token: SeDebugPrivilege	3492	firefox.exe
Token: SeDebugPrivilege	3492	firefox.exe
Token: SeDebugPrivilege	3492	firefox.exe
Token: SeDebugPrivilege	3492	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe
1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe
1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe
1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe
1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3492	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2220	1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe	85
PID 1840 wrote to memory of 2220	1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe	85
PID 1840 wrote to memory of 4524	1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe	87
PID 1840 wrote to memory of 4524	1840	b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe	87
PID 2220 wrote to memory of 3276	2220	msedge.exe	88
PID 2220 wrote to memory of 3276	2220	msedge.exe	88
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 4524 wrote to memory of 3492	4524	firefox.exe	89
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 3492 wrote to memory of 4496	3492	firefox.exe	90
PID 2220 wrote to memory of 4836	2220	msedge.exe	91
PID 2220 wrote to memory of 4836	2220	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe
"C:\Users\Admin\AppData\Local\Temp\b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbee846f8,0x7ffdbee84708,0x7ffdbee84718
    3⤵
    PID:3276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1219526186550814725,1420505598822811582,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,1219526186550814725,1420505598822811582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,1219526186550814725,1420505598822811582,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1219526186550814725,1420505598822811582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:1160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1219526186550814725,1420505598822811582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:1632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1219526186550814725,1420505598822811582,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4960
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1896 -parentBuildID 20240401114208 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {59290f3f-8fe2-48d9-adc7-aa6cd21abd11} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" gpu
      4⤵
      PID:4496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b59c952-7c0f-46a9-afb1-32797bdb6ad9} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" socket
      4⤵
      PID:1056
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3164 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 880 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {469c1dc1-5808-43af-a968-843a6bda0c80} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:4660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3348 -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3108 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 880 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3f77acb-18be-4eb1-86ee-cfc5ad7d7e46} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:3464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4292 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4124 -prefMapHandle 4128 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0578ba56-7885-42d3-a149-42d7a4fb2523} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" utility
      4⤵
      Checks processor information in registry
      PID:5296
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5396 -prefMapHandle 5460 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 880 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79d6172e-abe3-42ec-a82a-1123de3b7682} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 880 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94a2f6bd-64e5-4fe7-a340-06d3c8d93b36} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:4736
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5788 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 880 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cb59ac1-6941-4e34-b1b1-5380dc63151a} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:4448
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6372 -childID 6 -isForBrowser -prefsHandle 6364 -prefMapHandle 6288 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 880 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {857399cd-0275-4a5a-83a6-379b42201451} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
      4⤵
      PID:1220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
669000c877497917a559e34f16a6e4b1

SHA1
83298c1ac1a335b1c6e0f4fb8733a0520c2efd24

SHA256
19d53d8975bfa9c1106e949d553bfe30aea8c9f82842bc080092d1c2d13fe1fc

SHA512
167190749be7353c98ec61b23b07d5c93cff173306ea2a0495ab931e9484865170032cee32c0c1a2045e6af7cfe8b1d7dde47bf8e04d82157c27de7199add6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5fd6fd86d7452fb4dfc1cf398cde0824

SHA1
21f112f20714672a06ff4a114826bfc8a925c99a

SHA256
86948b2038fc6e3a55e622237676a3ef1c30567732083ea5c3b9c727a31bedb0

SHA512
35656bb701d71efb63802bfb66a2f09d915b8c14d4377c0b8354cedc1037d31309feab531e48a99200f007d3512ddd6613cc3139cd62a7ec44a371c1f58ce072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
417da185dec078a61edb203815f1e9c8

SHA1
37a08a10e57916e60cf4d656afabd42a60dc0cad

SHA256
ce8a53d39330ef917f8d8b234cbb706cab6983c20f2444a62d2d99b3acf7b343

SHA512
e30803b11cf10c4ca401d34e70d8978acb8c03cfc2fa7750edcf2191e2a724a3167c41e74eb7f5079e6f7cf612d3de1c3c3bbeb94540e5e167b680a4334c644b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c8e1943d790edee6172893095846d96c

SHA1
6970a076c6b793fac4f697c35c11fd5c7efc2d63

SHA256
23604d1d871bf91c2295eea408b82c32ebd0338b2b373885201c900d07982941

SHA512
bba84adedea0541f6d30fb7ff34716a2569ae452cd51f2d839609060ec23a717e19c3725136ac35e3777240b1463e11a637c2a851d8ff6b3961b17fd9bea9fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2e59500172c3a19ce400b99084148ea

SHA1
4e9f2a20284dbdbc64b3defcf43d4e1152bb5a72

SHA256
119a47e94e0235a6a7b522f7f8c538221e16f3f7949351d25b633e116cfb8ccc

SHA512
eac7ddfe545dc749cdfa75c63c2fe42a95244b70104bb294a549f9de5a0eb897fc1c9724fc813031e9b764e1fc03b6257fad795e51bcd0f0a8af4abbe09816c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7f19ddcea9c17022482e551548579d57

SHA1
67df21cfc791888738e437fcc275021a7cb8781f

SHA256
c428c5fbdf3fc50fe994460ea89039180aaa14f5d95177711b8b95aa2689a350

SHA512
09d90dbfdd7b55480b1759acd3a7917f169bd0e6eb63462df7b9238cb9e9fef1946f826812b3d9be03bacc4ac2ffdb87c67585db452d15a64f2493f798376722

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

Filesize
41KB

MD5
2314295f7eefa24dabfabc4f837c04f4

SHA1
f1166a17046235429a68bc4a514b313856b70321

SHA256
78110d347aa3686b035eaf13e95c789b203b4f157f409f47aedde3fc6444b170

SHA512
960ab4dac9a4f5114196e8b7f6d23ed6eb8725ea58fe4d4a5aa1050c9a0cf0152a97566a063a239a2938fc2102a7142e7bb2a148bf535f24522ef3839a8f0e98

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
171f4c48f8fc94cad30f7cfe5d1a8dae

SHA1
7ff5306b3602bb46faf4eae513c61b6134670467

SHA256
800cf17ef36716633b05008be4445a57e170720ddbe46aedd30792ebbb6ebf95

SHA512
ed5c28b32dfaa136730df613efe8f83ccf1211c304463fcaa90faaa4dda62b3c36ff20fb879d3c3fc6619588eaa1183fe80651df2d1118d1384f96e6e4005b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
7KB

MD5
916c67c938b51d47300a0a7b66443394

SHA1
2e38e3799baebd20a6084aafa88f39c2763af099

SHA256
85dda97047442f42450e25edcbbf885fb8b61db589f52c34644375b3adcd584a

SHA512
faa056261ef12ffc7ab2204251f9c441424cbc17a22bd84da551e8e7d2c1f6449fb846e9013be19834ba0505a146500413854f6d2279cda87e91fbf00abb2496

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
10KB

MD5
60a908c58f84a66240826d95e6dd30b2

SHA1
a4f86f74b256f8953504c92ba9734b4686c6a243

SHA256
4be25cddd16a2660cd0528488de0cd01f07391aa5fbfc7d9d78b975ee6e529a4

SHA512
a5f36b7f709c3798e6aa40de47ab465ed12f6e787845e28324947d2c2e5bab2c2a0111fe1ce8b0184ad76849412e47d3e00f11662b0450a8ee82697339a0da47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
98cea208486426b95119223224b60abf

SHA1
d88374523eba9e0da74558cc65d3de6c31737dfe

SHA256
279ffa01ba1f459966df532329ac5fdafb7755c619aec3d21c8ec0adb50c1d69

SHA512
45f2139d8beed8a8ab07aeb807c6bb23ce5ffeacc8e35e185c4a4b2ba6aec4e7297c7dc456abf7d9b0b1364ef32aea00c0d81fc2321c503ead7842d8945ab81c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
3ccdeabc7a18679d735ce4bc17e0beba

SHA1
09f5ad00cb51230be2b03352924cdc56ea22a739

SHA256
fa15d84c8b73bcba54d4e2bf6dec0cb3a2044e221201e28d21643970084cda36

SHA512
4533e73c52c8c555f2ee0289e3db39f1c1a9b64a90247d61aa0f3d30e379692b475dc4869f555e3c9332ccfb464c33a4588e281129080da81a8554880895b177

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\2b642cfb-7d3a-4cac-8ba5-bbad1e9de86f

Filesize
982B

MD5
a58f7ecdbec0b8e519e1d85bcae01bf0

SHA1
03ca6812b70e08afce0cbdcb5b8a777500e690d0

SHA256
584ea147a9305e7b91f84c9c11bb4b17fb4772024c9e0190f543ecbf9bdaf4f8

SHA512
3ad89bc627249c7b760a2240bf66bb23e071b06c55facefb23eb2ccc484c432aa7f673ff2455924f41b6bee654bef22909501cd8ce1517e586820043d2dffc3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\2fb52714-513c-4e24-be67-dc3bfca1f3d0

Filesize
659B

MD5
21ce51295c009d2260c4690462890792

SHA1
d97073dacd4a38039edf80fd5ac4a6c4f90395a6

SHA256
e8f1105c1cb1ddcbdbb73d601720cd894def067154948fc93f3771f596df1b63

SHA512
fa05d9f12dedf0b4c54876fd33e282d0477e1d08b6bf1127542c27082aced6ecf1ad97b1ac48cc9660d13678d62127e26dac4ce5536aed9ae9f520ad2d688fa9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
12KB

MD5
d6e433e9bbb9e05a1736f269b5a5f76b

SHA1
4e41cc4bd3a6fb70df3d82a0b2a59e2c25d4b3c6

SHA256
bfe34bbc013cfea7ceda9c55e225e0caec003d75d3d2db8c2e2813fb5402fd7d

SHA512
af2b37b60c24e1b2fe2001da5dcfa200255efb30ececfd51db75a42c47cd59fbfa568162c6569fd1578101eeb99e1fbb4d6d9a01f33e769c146b5b6a5bedd71d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
16KB

MD5
81d870f6faa6f5c76f8506039c02215e

SHA1
a09952d7e6524d44a80224fd5c17e9dafef46ed6

SHA256
3e3f314e47f0d524f4487c91108b358c5af0bf28537568034e2654094697644a

SHA512
a2927ebb0e88d69266d6f845f86579bed49cef113b62a42913e410e5d4a02c18d92df90f1aa5da842eea5bdb42be0bc52dc43fedea4a0ca36a9efa7a9d72c7e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

Filesize
11KB

MD5
4621eda4ece532cfe9a789db163d7fd7

SHA1
eafc5e40fd36c8ac587320d07b6b2105577a6ef1

SHA256
20445f782a828b59c04f67f05c730c54aca958e1b6e058091e1a7b1ebac40e0d

SHA512
74096063842888739c4c85951e99233555ae031a099800e4770d9be2b12a0433d0d7b9c297c8031b3342cf424c7005d0554e428c89814ecd6ab716f7801c551a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
e7d169d56be1737e52199ce31db0c769

SHA1
8d227b6047259666fb781eb90bd118a48db7d337

SHA256
962a7a4c65747576cda53500c50a4db60b901b5e1c493840437b7323dbd59e61

SHA512
808d32698956bf0df56cd963dfe2eac15567421214d16060e8310bdd38d7d7f4b2254c207d79ce692dd39993726ab011f44e68de032f7bb9b11a511ccbc08e88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
9a24770a0dfeb5bb6201188884776313

SHA1
285f7dd0431cded693a1626e9d1b7ff7215e250b

SHA256
f8ee960d9f89c1553b3d63a160349fa22fa2b603e1f44ad745eecff08dcc3b33

SHA512
90401b0feeb41d7ec2104ac8f143f557f97a19ef73ff37ef99672b457f77a75659c5639b80e3971156e9480ff6c08e1b485846b81a58382a67ef83e98f745f3e

Download Submit