5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe
Size

896KB
MD5

d1d30847ea6436b90160f56e5710c5dd
SHA1

cebb4d784589066cbf974954af20296b23fc1cb2
SHA256

5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a
SHA512

3761fe006be272c1e460e57a45e45a9babbf78bcb21d41363b905837d0719625d5db6c399362a6e7916d7efcf6146fcb071bbbfbfe505555f3a91174db4e2f36
SSDEEP

12288:QqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTx:QqDEvCTbMWu7rQYlBQcBiT6rprG8avx

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe
1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe
3360	msedge.exe
3360	msedge.exe
224	msedge.exe
224	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
224	msedge.exe
224	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	firefox.exe
Token: SeDebugPrivilege	1580	firefox.exe
Token: SeDebugPrivilege	1580	firefox.exe
Token: SeDebugPrivilege	1580	firefox.exe
Token: SeDebugPrivilege	1580	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe
1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe
1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe
1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe
1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1580	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 224	1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe	87
PID 1892 wrote to memory of 224	1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe	87
PID 1892 wrote to memory of 3500	1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe	90
PID 1892 wrote to memory of 3500	1892	5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe	90
PID 224 wrote to memory of 3824	224	msedge.exe	89
PID 224 wrote to memory of 3824	224	msedge.exe	89
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 3500 wrote to memory of 1580	3500	firefox.exe	91
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 1580 wrote to memory of 2044	1580	firefox.exe	92
PID 224 wrote to memory of 3644	224	msedge.exe	93
PID 224 wrote to memory of 3644	224	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe
"C:\Users\Admin\AppData\Local\Temp\5794bf772bf0b81fa1d6cd157f5b24393e15378dbfcc286dce608f893ed90d6a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e39c46f8,0x7ff9e39c4708,0x7ff9e39c4718
    3⤵
    PID:3824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,8234400882689104264,14181967917035535472,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
    3⤵
    PID:3644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,8234400882689104264,14181967917035535472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,8234400882689104264,14181967917035535472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
    3⤵
    PID:3124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,8234400882689104264,14181967917035535472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:4368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,8234400882689104264,14181967917035535472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:2288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,8234400882689104264,14181967917035535472,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1632
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05d2730f-3a06-4b7b-a593-bc94cb51b524} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" gpu
      4⤵
      PID:2044
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcd5f444-520e-4b55-ac58-01fbbeb6a422} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" socket
      4⤵
      PID:2592
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3300 -childID 1 -isForBrowser -prefsHandle 1744 -prefMapHandle 3332 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb449bfa-4e01-41e1-ba78-25b21ce17ba4} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
      4⤵
      PID:2940
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64de423d-4dfa-463c-b133-16c3e5c55c9d} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
      4⤵
      PID:1888
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4220 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4204 -prefMapHandle 4200 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4f8afe9-192e-4c67-ba28-577f4ebfec63} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" utility
      4⤵
      Checks processor information in registry
      PID:5696
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 3 -isForBrowser -prefsHandle 5216 -prefMapHandle 5448 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78c31727-045a-43e3-8bdd-acbe3e4205bb} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
      4⤵
      PID:5228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5436 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8270c6f3-8efc-4c71-b2ff-2de1cae39894} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
      4⤵
      PID:5240
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70cd2fae-b184-44ea-9cad-4bc52a693059} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
      4⤵
      PID:5256
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -childID 6 -isForBrowser -prefsHandle 6064 -prefMapHandle 6076 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8af89e51-2c37-4524-8ee7-e98ed38eeee5} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
      4⤵
      PID:5912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
5f0ab75d56c5f7f1fe48cf6d0eb90f80

SHA1
53c4df3531a99258255df108eab45d2bc523840a

SHA256
59f9ccca271ac0ad2420e31409cd8855780e3a8c83c8465e2d9f7ba5299a3ab1

SHA512
a19d8c60f55e3a04eb9527386eeb2b5cbbbf2d19daa14283e3657fe4ab387e907275268a86013b1585eef6cd34644f42135abcf45c7a076e2bbff5484211cf55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
cad4f2e3e6c0d01e11b924dc3034988b

SHA1
c03588fd0b6570d4f322aee2a53d578b0979da7a

SHA256
d6a079bf68c2ccdf6d2d46f0c9b1ab4bb5695cf88ae1f609e4675f85c81f3820

SHA512
c2222341c279b45feeaa71fb8404fad219855bcb79a538ff7846223e4f9cbc85ab88b037048e49bc82b411914aa0143b8399df700da898aa8beabb00b60a0f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c66d2936f0546e0b7e09f1062e8e5701

SHA1
c98f9e66e067ae0618e4e3656fb546af2eb64fea

SHA256
913926f0d6ad0cbe72f19da8f8fcf73df9d3110eb6f78d1e834b3f35d7c4ca76

SHA512
9882a6b0f4951d371fa1f2518b073939e2360067716afae8f57e25d301033307237008f4311761c8e9d619238460e57b5b2f8e1129fada79e4d160da9fbd6b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d75032243fbc3a922de3592ac62c7b1c

SHA1
a751498bdbb31aa83e7690ca0b6f3d63f6e99b50

SHA256
27d7684b7bfa2050ef1fda72fd47d633de6538ae880961e6dcc690079a2377a4

SHA512
22aa4995c46d50bc4bc36afe36af69d27d973a9c552748886f6146083dee35e2fafa2d24a18998910cba7fc668e20dfa0c639f78bd6fa715921f879f8dfff6a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e64f053062407f535a708b547528b70b

SHA1
0419609736efe903fc391ce3422600c1e296d784

SHA256
5ffff2b2f9e3b40643eed1d3c361c55673d459766270b84043f9f05566376d35

SHA512
ab76ba1adceb0758062db41f9206c418cc3be63aebf6baf5105c38c12407c9384f583eebe87722a3ecdc1b6f8bf12cff601f30969e058bac87839e72c064f3e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
632fa25a35833502e59c81a468d85c82

SHA1
9bc467d048458fd9cdec5db264be3eb4fa709c86

SHA256
6dac4901c91c4ec54690b329b06c1839f64f2419a8c520c992519d2ae39710ea

SHA512
bee54871b2c3d7c0640ad9c14b77b6a09827c3b7201b9029b8a718b3b74b23ee3f5df90f1ae8378d881ba12040f29883e037a659c93d944e9058acd8e69c731c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5991f5.TMP

Filesize
201B

MD5
552e6434a92d8b6136c22b28ab8957f9

SHA1
09f7d731ed80dc675f1d0197a06dec5874403821

SHA256
2db367e6cfcf480a9174e1ba1577beef6885cb050bc97515f4f2918f6cf0e62e

SHA512
251f39f3226811cfa4fc91d28d6b977d1dc81f9fd8e9ea15b0f74a458db55380d81fc63e8a170925fe6a7fc3c42f5c74c66316ae0c93c5381343466d42415adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
535ed8029e0ab7abd60b69bfa0ddc2ed

SHA1
e380c701d8f49d5711dd68402c8d6b03bbdbb5e1

SHA256
fb8caf468b4cf408cfcee1d1dcd421c223d14f1a2a73497cd87a42a7114dc048

SHA512
882f85c75ea9fe624e0d73ffa491332ba7ff2810cd9634f4a9305aff69849359e3b853a6f5447c55a20f5b902ae117fadfa134c0597401c633ff18b7cfc8dffc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

Filesize
42KB

MD5
0544700d1a62d8c94df60ba52f69e606

SHA1
7409ce6d60083ee7315d3dfcd38489450b6568df

SHA256
609c719c9f8a937e1696b8e70a374b5048afe15fe3990db84d8f1af7bd0e16cf

SHA512
350c32681aa26f29444711c52803e93eb288069c635c669a02782b5d228c7b04e4ec6ee33f94b5ad473940f5990b2a5217b0db1920408023cf9f201097e19489

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
7a55515e16c74575e9a7a1d969b4f8f2

SHA1
f40b5b0d3f741d2154685b86e042c5699397c7a2

SHA256
2149ab7efc91d243a40517bbfeec25722e432d27bfa9fa2ca8fa33f5b1267f78

SHA512
e7db9567b99f2d7ee6387631b4819af94935fd4d82df9727df736f78be8fcff0eaa96f9231dd30f3eca9369c87f793a624197402c9355e6904efa62a1b2e4827

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
cbfe3d42d91609609af20481c563e610

SHA1
0e1a4b88b8be1d403ad08060d0b48aad7296814d

SHA256
6d127ddd5a8245510cbd848752c697cdcbbe64b1b7a7650b32de7c8b6e023e92

SHA512
451520dae9ca5ee922799b9ca4561c17f71d8e2d3ba421304670176bdeefb5462d1f46876aec9f07d41f9f287746120147039baeee8b96d6bb0d93d15a1bc53c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f0dd2b0668c391a7a8f22a81ea6c96e4

SHA1
e36837772963180a7bbc3030fa2eba022bd44d3b

SHA256
be38473957c53a3cabd95cb3350e4fe41536e61d332a83e40d94c56b7b90d3be

SHA512
7136a1aa33bf3cb0da4804223b8b358edb3221065dfe9836fbbcb75333b775eb6350adb809eef25009b25e22888bdd2591734f6745932fc2040fd64e2d5853f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
9835d7893014a64600bba0743c541aba

SHA1
1ba00ad01c403d9ad24ebad4cdd7d5cb4c5378b7

SHA256
707d6bd0a8327b0847a39da7ba795f13547f1c93e926d6dc1019bbea647df4c0

SHA512
9c6c39f9af4feee912368835425398831588933d72bbe8c5ad88bab9223b32eb53430f2239afef8085842961e1a04b86d8ba3677893b8f2a9fb0e4c3421af822

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\04018e07-ee42-49e3-b7f1-a41c45e83f29

Filesize
25KB

MD5
70bb14bf4d728f960f2ee41e02ac8902

SHA1
8d7cfe97a4cef2e260cd2dededd52f8b42ac262b

SHA256
c868bb1a7fef84e55b62685316ec5e851b008bc61703ca1cb50f2cb9281290f6

SHA512
ff585124bd809a4adc67f1598b2c87dca605e39860402dbc27072724681120dd11c8b5ad761096f18181894ebe22924d5f20275e77c8c5045736e5c478452769

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\289aa160-c8fb-4f1c-a6b7-9a61a63e3296

Filesize
982B

MD5
d0d6d87f61b70156d71b3921f9dc4dcd

SHA1
afaeda7234822d6ccfed407c7e307831ad876d58

SHA256
c0bfa194bdf69b43144640cc9ba7f8bd302becbed43f9d5771157dcf850755ac

SHA512
e4db15ef6067d6b9f97c8f4fce64fa090652852aa3c524ba81b9bd3be0cd591f2ab03bd74f6afa9daf599f9e7e17eeefee6c73a4d4cb1e2d4d9d5a0e9f853864

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\a8b6161e-6d9d-41db-9d1e-b1dc6ecac481

Filesize
671B

MD5
b4d65edc6475f1e9e9513abd73b72a08

SHA1
2ecad1eb0aebdd9f60a8ed08296888ce7831a985

SHA256
cbbefddb6127a3d0c6f6b93a719a7373f83876a4ec66cba8a8b09560f31095a3

SHA512
67751a5d193cd632867a679246692cdfef229862cecb39b09436fc247796e8628071186209c5792fd03150c6d70e2fe6e4c8ddd62bec0aa74f843f71b6b49f7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
13KB

MD5
264d7e01908a6eb4b4e64da94a8f0fa3

SHA1
a41243672a60791c4dae63c098f687044814fd57

SHA256
9438e38136bd8c319a3bad04591e3cddbb338494e79fc9ba23ef19909dabf711

SHA512
87828b71c01a1e02bd3ee2317b690305d2e5c255609d15427452f6db389ca5ba1d951c5160a842477ef70abfff9f3b4f3f07756cd591adab1d3bb6975c6d8f66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
16KB

MD5
850b4a3621b12243483d81fa1d6f69b0

SHA1
f42bc8b3424a1d3982990c81b47cf11ab8c344c4

SHA256
535cdbc412d4b37538f56f90463a1d02590b9f7e8005f3fbb7fddfae207871ef

SHA512
6f8da45dddeaa01939a623e640b003ba3027304c2dbac0e2199bd91e225a3789291a2a214cc4b491eb357e39d6bc726f12f8eae2d74a5ba54fb65d33d1977a3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
6df1f1f0ff85d605b33d008838e7c86c

SHA1
229c211ca43cc104fdd64be5caed18464a6aa8c3

SHA256
f342bb43711e3a080a02442a8bdd799d64899efbc80a7e63e4338807200f2393

SHA512
ec5feee94dcab65add1461c3056ae604b554e901f35761a43b0e5c293fbe8dd09d7c481e2471d1a471568a15faf773ef77559ff9e947c9f71e15afc2659d70be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
81017a84942c418fe3318e1615ec38c9

SHA1
012652535013b5180a7dea0737367eeddf583d60

SHA256
f375c6edf8a168f6cef0aa4f6911fb564dc683f38db35333da31306d5b338a8b

SHA512
d64674b094301d8cc8c01bd2fe91ebe927797cb8ab4816d1af0965279facba0f9215830afd3f075e5f97ef1497fcd3418cd36293ae29e66f0356abeb991b4b90

Download Submit