fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe
Size

896KB
MD5

4f083d220b0b91a3332be0404aed011e
SHA1

f8de24fa77d1bb1d2f8089a2104e3ca462fc4da8
SHA256

fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0
SHA512

b71786e52d42aa77ff58c644392506df5fc5ddcdc49d75605a2d4e21d4f17d5662fcd1676e6eb22a530b5718e541a3452fcd8a2237bf6388b9bb2ffef0628797
SSDEEP

12288:JqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarT/:JqDEvCTbMWu7rQYlBQcBiT6rprG8av/

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe
3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe
5116	msedge.exe
5116	msedge.exe
2084	msedge.exe
2084	msedge.exe
6012	msedge.exe
6012	msedge.exe
6012	msedge.exe
6012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2084	msedge.exe
2084	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	firefox.exe
Token: SeDebugPrivilege	4888	firefox.exe
Token: SeDebugPrivilege	4888	firefox.exe
Token: SeDebugPrivilege	4888	firefox.exe
Token: SeDebugPrivilege	4888	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe
3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe
3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe
3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe
3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe
4888	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 2084	3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe	84
PID 3736 wrote to memory of 2084	3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe	84
PID 3736 wrote to memory of 2156	3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe	87
PID 3736 wrote to memory of 2156	3736	fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe	87
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2156 wrote to memory of 4888	2156	firefox.exe	89
PID 2084 wrote to memory of 5032	2084	msedge.exe	88
PID 2084 wrote to memory of 5032	2084	msedge.exe	88
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 2912	4888	firefox.exe	90
PID 4888 wrote to memory of 1616	4888	firefox.exe	91
PID 4888 wrote to memory of 1616	4888	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe
"C:\Users\Admin\AppData\Local\Temp\fd2b01c9d499e970cf0320aaab9acece40d14949b22e40613cffdfda621141a0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9da7946f8,0x7ff9da794708,0x7ff9da794718
    3⤵
    PID:5032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,9741211190921315905,14549213803919741420,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
    3⤵
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,9741211190921315905,14549213803919741420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,9741211190921315905,14549213803919741420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
    3⤵
    PID:768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9741211190921315905,14549213803919741420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1
    3⤵
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9741211190921315905,14549213803919741420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:3308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,9741211190921315905,14549213803919741420,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=244 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6012
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2092 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7687a812-508f-4077-9f76-d15eca7fe206} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" gpu
      4⤵
      PID:2912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77876bde-f7c8-4be7-8fc0-1a7e728d97ba} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" socket
      4⤵
      PID:1616
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3032 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {891ce08f-9848-4924-a95b-a69c5eef4f8e} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" tab
      4⤵
      PID:2968
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3720 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5f1ab88-817a-49eb-84ee-64da6b1bbbcc} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" tab
      4⤵
      PID:4408
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4452 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4448 -prefMapHandle 4444 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d36ace3a-8afd-41bf-b4ef-e460fbbe5632} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" utility
      4⤵
      Checks processor information in registry
      PID:1452
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5336 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb0a80b7-ef4e-45d6-8166-530d64212a79} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" tab
      4⤵
      PID:1000
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5504 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c60e5989-d03f-43db-979c-6b512e007ab6} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" tab
      4⤵
      PID:4732
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5628 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4afebc0b-36db-49a0-b902-925abc041968} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" tab
      4⤵
      PID:4980
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6152 -childID 6 -isForBrowser -prefsHandle 5736 -prefMapHandle 5908 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4714e49b-878d-4ff6-b62a-5fff6b45e95f} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" tab
      4⤵
      PID:5312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
d9d6ee4dd88dc34e505f7b6a573102d0

SHA1
31f1655ac3ac3894e2ad0539733da29a4eb8b9c1

SHA256
b5cb67434c36ff074b966531dc1e6a99507c258045fb69ded2fdcfd8c928865c

SHA512
86ce4830a8f6946b156b58af45004546980d7b0dc2099fe0dab7878a5f245cee27cbaa0c969e317c8984cacae8c3604a9e128d44d05243a1aa240ee98ae5d54e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2ea9687793fa1e97fca8ed1758e3ee20

SHA1
d3779f622a44e47d6e980e8e6d57828250dbe983

SHA256
6f607d13fd17fcfc69bf3ca88835774cc6179aa5e9ee43c3c21408b92c44d1cb

SHA512
e9182fd032f9f2fedecae2c1e5aa9607758d0d675a7b252febc15ca491905987c69677925c5ff809028d5ecb17deebddbc148c68d7f73aa862cc2cf99e3b0b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f64e4db1bab965c74280f8b397006b2f

SHA1
ede96009d5ba0b6c5a8b192e5ddba9a38ca971c4

SHA256
3b0a6219779a8a9a0f85d2852cc648d7504551953ed0722be20c34754b522a4e

SHA512
d67bada8e6e684b7b09fd90006df3f918c2e817d29bbe2ebc5737f204e1f9ebeecb22aa1c8f92ea8d275d6dea6f24a7b49983b0de564b2a5c258789aec438815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cfc3d0acc283105268e8db7888c76ae6

SHA1
e7aaed721df3b403086e88584d915b49ae0a583b

SHA256
896bf4c391a534229cdee3e4a962c3e612b7ebdee6ddd6ed7c116e4b39bc22b7

SHA512
4761bd7d8d9943d7ad2a33b5ab8b2c17159cfa4b31ee92a23c675da4f1baacd51f803929ce676833a81fc423797996a60a5631f9f51f4215128b885f5605ea4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4feae61067bbe711e6e7824a5f88ac2e

SHA1
a4ecb7350906da71a888b875449c4cdf4b8ed60b

SHA256
693f65f6a5601566a18e4310c35d929c24f5b9f4ec5b86157759d8004e9614e0

SHA512
2c4c80685dfa12a6930487c50afb77781878e99ceae1f17aa90de2d8d8ec4bea220c62d9c057c6454bcf0659e8de60ed95bee25be7b0141c05a1590c2b2aebb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2d19123aacfc19de3697368f28987a6f

SHA1
1864d1283f9e4a90e165b86098fa0cd35ce2f372

SHA256
ff4c3bb6b6cdaf88d7e877cde383fb0885cf240310c9d04731d9f74834b83f76

SHA512
576e6eb4b9f2ab9431b6aa07371ec250f6b04513d8b557b5e075ba6b449fefcf59ea3615a631daccbab24eef38504f36c864f5fa67508f37fbba2b8f9a94a4dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json

Filesize
45KB

MD5
4e947817dbee094ae12523d6ff8fc1a3

SHA1
755caa4539d3597eee511b7725cab0232489d68c

SHA256
8f9e889b08afe69dda55bf6bd56412d9f34223e922c600c2be5037d43dcda3e2

SHA512
b2be7fff81b6c6b874ca6057585201f58ae9a86bb5e20cd4b548537b347e688a7d3e5c874a97d8a8238578659e6b255d2a60a384e47369169fe7eb4e8dac2122

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
cff5c0d7dfe8923fb6d57b10986de723

SHA1
d429f54f48a2482b49c01cbf15f5feb2342e2ae4

SHA256
3a0f46d73260c12d87125b2f90bacf089f3b19e1587f8a348a41ffe9c8e9afa0

SHA512
f5ac1f93e99e67a5f3445421d01fbd608684196da3ab089c9a581d827406a3c72351d4a1cee770a95ac889b8cf2e36d153190d54e76d9e79b79d3b8249e9cfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
8KB

MD5
348547566319ee81696a90a7105b9059

SHA1
c6fd4bcd63aeb51b2d1cd69d6689804a86eaecaa

SHA256
e83fba41de8d1780c0fb2c7df89463337455bdd3296d20fb7d304460b2ec46ee

SHA512
96c542ec545759f8f78dff3699991e04843fe3674b60bee9fa169af532dfb4ea391d01c0a7c5817e07ef87e8f4b76d57536ea6e8e4a15fc1ef143298a8b226b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a2cf3416cb1e83136f4a9fe073e6bdef

SHA1
b139010073aef51e2fdccec6efa90d8062fa5c50

SHA256
562f3bc810ae34485b538e7d500b5e30a5a48b1a4f59cc714b563f7c8c27b6c6

SHA512
9d2fc7916932a6b1a16404803821cadd87f8904026ae0b6b5417d50feaec424426b6b4ba9091f815b66d1c3fda38728467b18df05a6dfe519cd3c27013b705b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
741f7a34cd3b1a16630f53a096fb0d02

SHA1
75488a160dd55a7c003898d550f7ae6a85b6b257

SHA256
65ae90abafd8b14e0a5221b012da5ce7588c4dcb7a364543c0797694c812f08d

SHA512
a031f39110eaa32529df6618dac4ee7c8af4f69953e0d9f22ac71a5d82957e2cbd196f758794f46f95397eafd92f5a997ddead51443fff42c4be93831eec42f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
06f99a07dceb4f7dc0c7db08a71e88a9

SHA1
434f5faf1a9985a8974520f80538da5fd99d41a5

SHA256
d93a06234f6ab6dfb8a275b7cb8c6959b4d854b7d611717fa2658c345847e6b5

SHA512
b6ae5ffca580f0e6ddb59b72f88c03a8de6ca99920f35f60b85ce4459f430d7245758cac5e6066d3ca57df8d6d357ef51c106e6588703f69a76f576ad963c7dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\6514f970-213a-41b4-ba94-31abfce21773

Filesize
671B

MD5
03ce455292828ea4663701efeb4f921c

SHA1
b3d729cfa0294616bb5e57d6ed7fc5acaf317965

SHA256
ec1a1592496b0bca80bd6fe68551e56e5d8e97efed49cd97001963202ec24737

SHA512
68dfe92e2ab2916fffaf60538c15a9cbba34f1e513173e94fafebd0541f8580b0a06283de8d0723e032bd1002eaa87d6011ae47cc3a6e7efaf8835f183b63361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\87dea78f-1dec-4260-bbe6-ddadd6abb077

Filesize
26KB

MD5
d8a96f69e37ea72d58e8ae3db91d9ea4

SHA1
1baece33d3ca5574ffe6c29af05873dd3f3a380a

SHA256
b80e9d361432530fe4f94b0d3c42351c128badf5eb34daae9cfd512686a8f9d7

SHA512
a410ae75f5696bb436be82352d3f5510355f8079d506d57f2882ea0615ed66fe0e2404fe85b95295a0c9ca953412f3fe2c49582b33b754d3416856eaccf7d1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\e4bf759d-d6cf-4960-b5da-728d27758188

Filesize
982B

MD5
6c1b9d0cd4bc9a72053dcf5350f26b60

SHA1
71fb46bc195eba269f108a7dc2c26850fb91cc84

SHA256
4fd9011d1aca925a44b1918ba712e0fdbd5ce747e6df8713676a9ebd37bd23ab

SHA512
4c9f2d8440f980d794948d924550f03cf6de2cc4afb1172e04917d767c79fc68e3be63c0dc00ddf351aa44e6af6e208fd476f12ae2afd44727e8432e3819a8d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
13KB

MD5
e72b5d3ca23759e43f03b4b0d1dc0002

SHA1
523536311822590279fe8da0db76d2e4535d33f3

SHA256
342125a396cc43fae7ca958f97ea9cb05d38bdfe1b68b883a6143a454d985aa4

SHA512
124a7cf3095ddb23db0664ff3968105dd59895a95c48d3c6c4b58c059964ff9a8b4bab0184b3a1260e22294e679abe32123a7f0c5ce6cf2ded533b13dead79b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
16KB

MD5
dc63f924d4daf14a3f8d27a13ba5bbdc

SHA1
e51db19956f8ca787c9af436e693aec11ee55928

SHA256
846a6f591734bf5b61727c9883c2b12632b99662df2dff48982e076c8df4134f

SHA512
b293fedee1509df5742776a9de1b1d76be399f765a7c954a61cabca5b3dc00f605bd2a0ae2810543f8a9956d9b6550db3a63daca44491ffc13ad0ad89f0033dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

Filesize
11KB

MD5
c139fef32349b4fef17e37440dfdbf33

SHA1
4f2caa19e7d3afd5ceaac72ee3085fec74533051

SHA256
2abeb0fee5ab17d77ed012920c58b51823687e46daacc2197d907ba7895f6393

SHA512
09fdff41f0aafc6287aaafe4d5c6123bbd2eecd7c07d12a4192685181209626d736af6357f6531a16626e7dcde2459c8e3129a685c6ee1581f0f7ab95f564973

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
7975af41024ee70c7d69b3ebc3038847

SHA1
a9dac633f0a6b6ee126942136b9214c4626111be

SHA256
8c7716ac811ec97b59c8aa42215cc84f67ce1326cd1a77a58e89fc20dd7824ef

SHA512
e9d1f95893f4305a2f3c935e021ad1db60ed03ac06f8e7cb93570c9a03500c353a0a8643d1a1e0e5ee5592787ab5fb07458338ff60f3609855a716c6d80bccf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
3bf36669d79598fe263fa875a6e46b68

SHA1
83111874b86f0272f380924059350ab7630f1126

SHA256
0be62a65357b0d96cbdeba73e5fd689afd37d3450c3777183edcc6701b33d8a6

SHA512
03270457aeed3919e854c18e1fac7c048a92cca3bffab348f47b89e8a5e26e27ebbf6e74abe21702bdf7142f12778b79058c9e614f8d2c0a9923b65da9f34e82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.8MB

MD5
b3edbcaa36e7a70ad2b2cd54b4081f48

SHA1
60a55c2499c47815b24fe1d3d55b453af14ae3eb

SHA256
49e5a5fe37ec57548626ec9a5466bf6ae93927ce2166fa8c71494ea3680aa050

SHA512
343ce8183f03dc7561734b5ba10023acce3e8a8f5832e2becf747e19c35b8c894b3dae59902b16f5e2e45ca357b3c0f35bb118cc63862b783afb40ebcccdea3d

Download Submit