11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe
Size

896KB
MD5

0639c0335f0a1dcbf92d2ce5a91be1c4
SHA1

0be7628dc4546a9d8962e9eec099005f3a1e20ff
SHA256

11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412
SHA512

e50741463b52ea8d6b5de4ffb05f9d102e52e0d099c54503c5b3757e27c6bb61c634423abfd3dd36176c13f1fd8ec03c9c347bca54d53675240474be1b409bf6
SSDEEP

12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTp:GqDEvCTbMWu7rQYlBQcBiT6rprG8avp

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe
1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe
2252	msedge.exe
2252	msedge.exe
5116	msedge.exe
5116	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5116	msedge.exe
5116	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3808	firefox.exe
Token: SeDebugPrivilege	3808	firefox.exe
Token: SeDebugPrivilege	3808	firefox.exe
Token: SeDebugPrivilege	3808	firefox.exe
Token: SeDebugPrivilege	3808	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe
1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe
1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
3808	firefox.exe
5116	msedge.exe
3808	firefox.exe
3808	firefox.exe
5116	msedge.exe
3808	firefox.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe
1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe
1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
3808	firefox.exe
5116	msedge.exe
3808	firefox.exe
3808	firefox.exe
5116	msedge.exe
5116	msedge.exe
3808	firefox.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe
3808	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3808	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 5116	1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe	84
PID 1048 wrote to memory of 5116	1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe	84
PID 5116 wrote to memory of 1956	5116	msedge.exe	87
PID 5116 wrote to memory of 1956	5116	msedge.exe	87
PID 1048 wrote to memory of 568	1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe	88
PID 1048 wrote to memory of 568	1048	11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe	88
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 568 wrote to memory of 3808	568	firefox.exe	89
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2592	3808	firefox.exe	90
PID 3808 wrote to memory of 2256	3808	firefox.exe	91
PID 3808 wrote to memory of 2256	3808	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe
"C:\Users\Admin\AppData\Local\Temp\11beb652f1076cdec2a428100b55e9f60f2e0d07aa537c1e5e8f1d2ddfa8d412.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce45246f8,0x7ffce4524708,0x7ffce4524718
    3⤵
    PID:1956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4577580012609902525,16276960820482681818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:1964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4577580012609902525,16276960820482681818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4577580012609902525,16276960820482681818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
    3⤵
    PID:2436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4577580012609902525,16276960820482681818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:2084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4577580012609902525,16276960820482681818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:2016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4577580012609902525,16276960820482681818,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2436 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1712
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {390611a7-52f2-4e9b-a91f-53dd8b8be9e2} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" gpu
      4⤵
      PID:2592
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93a51db1-ee04-4246-8d8d-50ae2e8187de} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" socket
      4⤵
      PID:2256
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3304 -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3288 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06b36be5-0cc7-4a9d-b37e-0fa12eda4eed} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
      4⤵
      PID:1820
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3756 -prefMapHandle 3752 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d803677a-c34a-4837-8b00-52f86d57355e} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
      4⤵
      PID:3444
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e40e218-9521-4aa9-bbd5-b1b3573a8c8a} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" utility
      4⤵
      Checks processor information in registry
      PID:5648
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5308 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a149a25-b032-4bd2-bbba-1f1ff046983e} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
      4⤵
      PID:5472
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 4 -isForBrowser -prefsHandle 5384 -prefMapHandle 4460 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3a47976-5dda-449e-90f8-3b3a03ea552d} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
      4⤵
      PID:5480
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 5 -isForBrowser -prefsHandle 5824 -prefMapHandle 5820 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dafe436e-c125-4aad-b2c7-f81d9b25ecdc} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
      4⤵
      PID:5496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6196 -childID 6 -isForBrowser -prefsHandle 6220 -prefMapHandle 6216 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca2a9db7-b32e-4785-83c2-2b97432ab288} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
      4⤵
      PID:2228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
de162f71c39955f6ebcc4839266eb0ac

SHA1
f78917f88d7e6ad6504c24a64a5aae91adcc018a

SHA256
0eba08cf4fbca8b67a7b7a9835b4b8a7e8cfed57606cc89c5f5420f6b3e37d4d

SHA512
59a1baea2239685467ce82267b609acd6dbb9ef0dea2fd470f70849f094e7a4ad8f50971fd5e3f418b35d82536d0369cb06e87d631617fe10b5dd3ada5057f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
45d428e57a3125eb4ed3e39c55f8caf2

SHA1
0a5a6985fab7d5ffb12c14fe899d4d8d4f074d1d

SHA256
52cf428d56613f2dd663214ca534876de825e818884c58fd29f6f827ce9c5464

SHA512
67c97b4166a822edca915c03a63b7d225b58a11b0665c6e8a52801ed53f88e2e52e19215b1a4714de748f6595967ad38ac6b338def825d5d5e1ef3c64a00eb46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7c96424f5e0c5a43f702fdd6175900ad

SHA1
641fe930bc4c4f0cf987b47015ff50a7f1aa4321

SHA256
bb5fd108af8646a28e8f5816b44a9bc8df03a5cf5fad3150f430f79a4987d5cf

SHA512
67b2cf8767f2a9fc40ea61b50f87cb3f9ca9ba84482f3f91cb5fa109614ebe973cae3686a9109f4aa6f3647a0e98e6e1692e9330e58c78484ae25446f5a5b259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7aa8217bdf229d9e39a75c446e5d0ceb

SHA1
25c5fec4c963773d99b7fd207cd10e3f0a2a404e

SHA256
84deee2603470a1e51c8f35ca20538c67cf93d607ff067b5508b77584fe29346

SHA512
55d4bb7d16b79abee4b393f185591817ce700e08eb2841344dad634407da1ecb4aaba1b5db92bf41c26ff19a5793859946d1bb6e9919a397375dfc22a59751cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
97da227ca618c015ad7b47a01ef989bd

SHA1
1fb43424947cbe8d4b67fe8d0bb51c865aef7bb0

SHA256
4b93845933bf80605416f80c4e3590094c8dfaafe43c8df92452847e95c8f9a8

SHA512
ec7cb7e5fc72e604690404125bb1e52129d168e50a0824a48303bb4b4388a1865cba66996e834122a87d26ebddbaf2c355faa7b37e0d4ed85bf84a5874981258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
712a5ce7237aa879fc9e22aa33d7dbab

SHA1
5011b8a38dafe92cbb88072187bc4e33a6f29664

SHA256
09e8b566f1f96a445d65e252643d12e71470fcdbb93832cd735ed1da881cb22a

SHA512
ec9c4a5bb63b17702ff8441a88c1e7e20cec8686718eee76d4ee3fdde41bfb5a02f5bd80ae1a3fbb5278525b90226a88e4d295ae7fe8b51960a36813ed7be26c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\activity-stream.discovery_stream.json

Filesize
42KB

MD5
ba4b67558822c88d585f58f38a131edb

SHA1
b7295a7ec01bd9a1c10742c90e659b3fcbbae1ad

SHA256
7cf988fc3b385d343622bb182b3c435a9e14eab123750868d44dc52ffcc9315b

SHA512
b7a075bb21b919d06184669fe57a6f61f581afeeb93dfeb57796f5c555fa4ad9d73da6a7dbcb6b4f9ed149020945615a9d33979d0e6ae8fe05cf4a9b128a77d7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
107c770f709c47ace304218104e54d17

SHA1
3234ea1a231ac45bdd85d2111fee0577177afa22

SHA256
cf9efba868c26d38f889727b2c5b35c39388c920922494ba07d616b535b660cf

SHA512
9e932ad9bf7cfcf4e4ed55b326f3ee00c278bf14972004f36a0285ce4178a20463862a5cb1460430787c50959a6cfb6599986ff94ec228041bd43ceff447c0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

Filesize
7KB

MD5
dd4d3806ac362022a063ce4fff1c70a3

SHA1
0b05fa10fada577eea21f6babb5aa0c9d435e001

SHA256
04e5ecdb4243a5a0ed88ddcf70071ce1efb296ef8e3fdd7754ac7717bb8902c0

SHA512
717ea9508a2e129a79fcf4b91b10171fd6377714f21ced6f06d82a9e00edeaec96da6058237247110ab25107df9cb472ba94734312090350b6a86fd0703fcdcc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

Filesize
10KB

MD5
364f50da8c524c812b76ec1113b4c182

SHA1
fe66d5e3415e253a6c13e0f5261b4384511338aa

SHA256
ea9b5ade604d81e1ff1f783d6e36cfa25373e13015aedd16f93a59d11b43df37

SHA512
a16d966d2b95e0fa7e7e806efaf3c6fb7c26c5ea393927768f31ec0f07afddd26239aac218f78a713588bc92d8479e7a51722c12e3f1f8d265bf44e1f7b7a4ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
bdc314412ad611848838d496601d6c20

SHA1
9c707bfcd5b43334946b9acf8ae7f451549ff876

SHA256
2e1e760ccd7891b6283a1439e326e5ebf4eb46d50cf22a8645d5f817717a3f14

SHA512
1a147df06c3ad2fceaac626ce40591d633c7103ff5eec3dcadf006e6e73f506bfb40ad03c13faa529a0028046200a6d6e62c5f8d94f0f6973af63f98e13cdc9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
58c8bd36c106cf19548cc0c5e1d2f893

SHA1
e72c24d8fab2a65d8a200ca187cc1d70160f9ffa

SHA256
aef9c6188b8b34bf87e81e167e811155bd06d1daa048f844e542eb345a947c55

SHA512
6520f20fd928c5171bc718430da8092f54c6854faeff9fa0ba5f44b7c151da0d5809aff79a290084a1794b363edb806d2c0ec04f3a58cb51a00e6585300d6e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
12a2c72a9b29f4352bed19548a5261f9

SHA1
daa798f4a7aefc232e8c27b8bbb100c4e6325a4e

SHA256
0cdd1aa2eafd842bfc270f0275cc8eeb40e9f1ef99292fa0c78f553a5cfb172c

SHA512
2dc5a8c488a68c175f91f66fc045129d44b941e267fc1cfb0360f5242043978e5db0c9a62822024b8679803f1db02c88c0922a9f23672bc0143feb754eb17963

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
59dd3d7e99afcf8aa895e2452d8b38b4

SHA1
03455034232e72d50521fb0044f0db8ed2ce4417

SHA256
2767dcac1fe37840a5b0e2f36f54bcb674600d0c4e872932b8a2a275c27f4d84

SHA512
b36bc1757e77c6d5d3a4983780b28c856f1ea804def5bbc7162ba46283c5444e8019435052cfc692caf3656490f9a6605c974fd5137a1313b9b08b2e54ac46cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\23c2b958-a279-4e09-9bb4-6157dd26b535

Filesize
982B

MD5
1d27803a7f698f44330199757d5f35e6

SHA1
53d69b841f74898950a7629259b32209b3ebc4a9

SHA256
371aefc881ea83d348966fe2422509666bd56545367d6f2fd88461931c6417f1

SHA512
efe6e88f0cf7a7ab1b3211c22c7dcb6c5b43e622bd74d23698e8efee3cd02d9e2d586e7f60c0036dcdba60b8e160329413ed59e1dc0c01d53a8fc04317434bee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\3be540ca-c41f-4844-9ff7-7d424027d585

Filesize
26KB

MD5
02c6f6b9b2676fbe566aeb2e26d8520b

SHA1
0bb41729851db984a9fe90b3fd47bca160d5fb70

SHA256
e5e18f22055453de680b52b7fb4862d70baf88c4f287faaaf4a2ceafc89c5705

SHA512
2c6ecffdb382ebac0bc44a8e426f00dbdd277a2cfc1a7c4ad0b2b0315047cf1c0fdbcbaba87007a3f05a6ed68ff90d27cb4e3dae6a2981b75eed3671943b2aac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\8e35d375-9e75-4f21-8e36-2946c0a24dfb

Filesize
671B

MD5
3645d1b1f9ed5c205bb04f2277e6a880

SHA1
37e9464c4c7b01ce22126d4e23cbc68fccffd12e

SHA256
8ebd72da811367654c65ddc4d3fe87be7dc339295ccc882040bfd9f1198b6471

SHA512
67e388e167f0b2a4200d23a2779eff22dcdd9109456b2265249f21f88a0bf61170f3793fec8ffa1e9e35bf656a6f25f7a6e452e9ca28dd9f340e2b3a78de3bfb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
13KB

MD5
46d83b8205b138e40e80fc9167fa7ec2

SHA1
263a2d8fce65d37af3ecbd8e8ba4557480f02280

SHA256
1735f5929aa6354e6bec8e648dc51b4d8f31dfdb2b475ebcfb0612153176a18c

SHA512
cd1b879d0a41b4fcbc7071d52490105aabebdd1757de2f88062c765c1492bf0a10c8fa31ae3248f8ad473bb05c4af0ccf7dac916dc632e171177be45dc02b0c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
16KB

MD5
787ed6ca68f56b223cf0f6bc8c58c513

SHA1
8132c631a383d6ccaa1f5890561f8e1a093c333d

SHA256
5aac952544ab0f023e23c2323b770f1898d97a5edb09826f6dc685047b93a6aa

SHA512
3b638d9495addada491c7151b48a72d940fae266a9651a8d02566d7fcb0ed6fbccfd133eb39d023940e15a9a8d8b7eda7b289757e728aaf3d3f119c77e2cc5c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
11KB

MD5
eac43f28a8580e59139eb6f83c5b4ab4

SHA1
2e4dbd73ec5b1a34ab502a2f274e7f9cba9454c0

SHA256
a84dc2b41b8be2fc0d16057d6d4b1eb5ee60cf8e78291ef792b2539058a9bd42

SHA512
30efa84f4ce7cd0986f46df602f93c4b0e941a08d8d6c265ceaff0ee658aace0dfb03f519e0488724abb0f8a4d3609eb09c1dd53863105127be3e25b2f5d430e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

Filesize
11KB

MD5
f02a1e4bd090d99b0979a64e0fa9c40b

SHA1
8cde853f5e5c07f5fc9b4048f85a10be894c215d

SHA256
34fea4e025513f104439cfc3af276096e90bd36e5e432747c44aec5e2e5c5123

SHA512
cfd889535a22be7ac34a3d4f11575e21839a9d388c81b045ed5e87e802e6cbd4d0bc3176f7f5ced3820c722e309bb64311bbf7a8ad510c3716cf10c2e670e8f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
09344a4be9e26efa173d90455a43d303

SHA1
4e32e4745cba63c5500fe909dbd7fe7a08771576

SHA256
662addc511f3c35eb5af4a3f3c6c859c3ed772d4864ad79b3ff9c0b0c4c653c0

SHA512
872dac2e3119cb8f84f55002142d2c53636f9b9754d223bde140e384da81706394d2596ac09d8ce745bd363a3148cb8a8a5ddc72dbe64205d8a7658a09bab84e

Download Submit