a53f00e9547d3fabee894ede8be0789547500ba6bfa687ff8aa3372db85f5eec

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

896KB
MD5

ed53390240f6c119598e823eed525ef8
SHA1

0cd9bea7f58e1212997a19d3adb66aa49f7b0205
SHA256

a53f00e9547d3fabee894ede8be0789547500ba6bfa687ff8aa3372db85f5eec
SHA512

02ae8b40de00fba6eb21f08d54ac1e21f2898e2829765d44a070ab43ad36fc0913a4daacddeede9708dd16d5735d7954930b2b8498114e29ca4a78fe6bced5d5
SSDEEP

12288:3qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgavTx:3qDEvCTbMWu7rQYlBQcBiT6rprG8aLx

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	file.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3428	file.exe
3428	file.exe
4296	msedge.exe
4296	msedge.exe
4040	msedge.exe
4040	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	firefox.exe
Token: SeDebugPrivilege	3132	firefox.exe
Token: SeDebugPrivilege	3132	firefox.exe
Token: SeDebugPrivilege	3132	firefox.exe
Token: SeDebugPrivilege	3132	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3428	file.exe
3428	file.exe
3428	file.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
3428	file.exe
3428	file.exe
3428	file.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe
3132	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3132	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 4040	3428	file.exe	84
PID 3428 wrote to memory of 4040	3428	file.exe	84
PID 4040 wrote to memory of 4844	4040	msedge.exe	86
PID 4040 wrote to memory of 4844	4040	msedge.exe	86
PID 3428 wrote to memory of 3808	3428	file.exe	87
PID 3428 wrote to memory of 3808	3428	file.exe	87
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3808 wrote to memory of 3132	3808	firefox.exe	88
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 3132 wrote to memory of 4332	3132	firefox.exe	89
PID 4040 wrote to memory of 2908	4040	msedge.exe	90
PID 4040 wrote to memory of 2908	4040	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe22b646f8,0x7ffe22b64708,0x7ffe22b64718
    3⤵
    PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,16007496914402671918,9994257010537145378,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:2908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,16007496914402671918,9994257010537145378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,16007496914402671918,9994257010537145378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
    3⤵
    PID:2536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16007496914402671918,9994257010537145378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:2448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,16007496914402671918,9994257010537145378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:4400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,16007496914402671918,9994257010537145378,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1352 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:796
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19e7e8f1-e662-4651-a92d-f44717de2cdd} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" gpu
      4⤵
      PID:4332
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {255f3f8d-5c12-4585-ac4e-b4b56ba4ecd8} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" socket
      4⤵
      PID:3816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3188 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {018d0887-dd1f-4255-94ea-29f4392efd4e} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" tab
      4⤵
      PID:768
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {befa54c7-5b41-40ac-8cc6-b9e5b549a882} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" tab
      4⤵
      PID:4752
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4316 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4280 -prefMapHandle 3704 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54e9225a-8877-4044-a4c0-8e3642b451f9} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" utility
      4⤵
      Checks processor information in registry
      PID:5504
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -childID 3 -isForBrowser -prefsHandle 5336 -prefMapHandle 5332 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c93ac20b-05e3-4a4e-b253-7201a92642cd} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" tab
      4⤵
      PID:5548
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbbc149d-9fdf-47d8-9dea-ab1f50717af2} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" tab
      4⤵
      PID:5516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5d7cd17-e4bc-4e71-a5ce-5eac13bd9127} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" tab
      4⤵
      PID:4524
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6232 -childID 6 -isForBrowser -prefsHandle 6308 -prefMapHandle 6304 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8874de3-ee15-4303-808f-52e95dc479c3} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" tab
      4⤵
      PID:1792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
a03c2d72786c5f6dcb87128ac266d3d3

SHA1
6e57c445fc4d699b1664faeb08d07eef215e5e04

SHA256
37a20d0ded9e962fe4ca0a61644665866541cc85d95b69bb86eda78ee6befb91

SHA512
1e3e9e5d0dbd6fc5faeecd5fae7f6c5d8a8272021befe9c091209c3d0e7cd23ede451e5c2b588c8dad7abbae1e99df30e5a1fbb14151daa80c08e1dd17e5819a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a7223a812133d0ee1b66dbca90d80c48

SHA1
14bca12678bb33d7ca9f3d9a5624d33a6e372bc8

SHA256
66a3ee747438bb14a67e6f9b45ee60c9032c9982ba02641088f29dcdf0f7e13c

SHA512
39cfd447d2b5eac0993b672e8e97d20df5d6d24b722050a18f3097aebbb63eea61945d8ec09f697af99cb7cfbd97b6a0b4e7ee74a5cb7649ea56c25d704feb0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
050c3fc4c245ab40ecd862e1989b6007

SHA1
0e4d50d5ac45882fd2147d8ed1aa3e42d7b6a79b

SHA256
a1456e4f5622a02cde7e0a022027102ce809a4d5ace1c38ba0765ec7b565f792

SHA512
5064f6ae13fdc4388c9c53954f4d6459a92564c1946a42f2d50c4804a892ff309db18fc863251749ac9d56eb0a0c28bef32b36b57642a2db75e60829148fe1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
140473f2ea46fe4d992516b92bc49d42

SHA1
3589bea73e56b72b044d6f07002462abc23b6615

SHA256
38af24a9468676e09874301d5c52d2edc8efda50f455b533e19297fc8fcb9a5b

SHA512
345ab7816534d912a9ab7722f9aa3e6e28313be8d47df48eeacc07503db1fe61aab3ded0485cf54f604d9fe979813c5de2528b31d7264f008384881fcd0f01bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cef72226bfe7b2dc7b827c2e65c92af4

SHA1
9f6cfa820219c4241360294819286d3b2715c60f

SHA256
08a2eb1f2e5857f5b44fe0139155783a57a7de4a109d4add805476047b953d52

SHA512
12ac92bd29f4fbe1137bbf4c41e58f2a0dfca0a7a828c49614ab408123fecf159351300bf6d288577908e16adec38c96c1e218066df1313cf0efbf0bb0c9827e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7b7a41e5835eb14138a4a81fbe5b66f7

SHA1
efd2becac34f590bd49376648ed74a1c485a3a6c

SHA256
3decfcd6c42c672e9ec651adf3b4823e2902e2149d1da26292cb42bea81c2b48

SHA512
a73f9196a44ce293947c3b37e6f39ace6fe3fc5dc5af9a9edd19c0f2022727b866086cf0668d0e79f6b8712e4d953e1d17825174c8b15207ee41dfc2c7600896

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

Filesize
45KB

MD5
c867fceac5b199b95db6b593a0d60807

SHA1
3b9cb71681eeed0848deb338d99e7d6a2d7b0fad

SHA256
ec2f45eb8e4ffad6b6864c2c49d01bd00d94661ee36107287f53a976b488764c

SHA512
0619908ea90a1e569ce426b13b1eb85d3598112ace2754b35fff06577ef010aab215a9123eb20b67adc165e355db4c16fdf12848dbbf856d0ae73d619b4ef54a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
23df7a58cdbc46ffb6014d141956bb95

SHA1
721f1feb2d00fa039b67fd3650e994c69f18d8e2

SHA256
b51c51361a86df52fed23561890b89c519d8dfd181309d5cfb0bc8cc8b8d2281

SHA512
108ef57a1d8bc50507862e5ff36ac08f018fc556dfbd626b4c57e167a271b23a8d07440a7415b8793f9082760c75cc529993ee863d4fa4a7270218daa0124519

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
10KB

MD5
837994a95d93892b574084e51eb79d25

SHA1
6bbb9fa31856b20066304eaefd47c57f9993246a

SHA256
e55888d2cd188ccc715f368cb2d1473e52a8f1a6a65afe7c68ff8894ae178ed9

SHA512
85ee7e9fdefe3d334a8b721f743400825b9dff36ff3ea88c3b96f4216bdaa177662986e25a7cf9e1dbc14c6d606066ae389104375e3107e306103049d78c83c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
183c812e53fdc8adb24daaeb3e99a17e

SHA1
5d39ac1d64ad67ba6785b2aaa634279d1d53b5fe

SHA256
5516f0c58da21e9b4628c14230b656c54d985fd82881afd3e336bae392eca91f

SHA512
d2667b322e2f9e15971d9208a3a2a94227aff6e10ea81ca79186b24802c76fdb552dc4ca3bf5ad7d36f600f4361733086fe044c2ae9acd09363cd756e06e82cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
27e125b094900b02729c4587c031d6e9

SHA1
eb4a7f7e255ef01e4155d33a9d3a116982fc7538

SHA256
cfcdd183751eef85aa876bb3d55afd91b97076edde553f936c4d4a978cae36e6

SHA512
015e50eea1cd044d5a6fd0f69d02e7f3b23435a0f6e0c58f47838ec1fb1dc14696e03c1cabb439d8bf41c19f24ce73a66fe879d10777c30c656d22a04cab63e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
38e43ef0b176556d58a65315ebb16189

SHA1
6e9ddcded0730f61e65a5f3aed42623cbe6d5917

SHA256
3200bc684141cbd11d54f8a5706a0ebde0047586759c11e961b9f485b9b3d8c0

SHA512
447cfbde5e3cc7cebb37afb913ec2e154fc8324a0d418fc3c60bbdf849feecaebb6965ab514750c159af19e6234cc4a6e3f9eb95d70e67872a58881b383e9a21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a2c84cd0f0d0394ae5bf73adfb7a4caf

SHA1
b2d052f5cba50149b9eeac046febf74f04c51fb6

SHA256
feba89ff66c70d87b142b128886b855aa539ebcb2afa2771271f8ad40767f13b

SHA512
e6a080dfe9ac3ed2359be7e70b93abbc4e9527a7697a7066d9e8064d551e55469d260ab249bee0bfa3b85447d1ebbece8efaa7b05c0d283b5e8d4c8a5a7e88e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\2f8d7eb1-f227-4125-9c80-1402db80f762

Filesize
671B

MD5
f61a699a7aca0cee42c8af90d2d81e3e

SHA1
2c8959643ffa403780ad98fb8baa19c094014aa4

SHA256
9cc6ccc130a5405e210b1ab6c340edd4b1f13dfea54410be63cd36cf6660c620

SHA512
dc46671ac3b6734376197e71da721ff0470d18e376ea4088f2ad74067d3511a194558bb78c82879570db232d90385353352bb5d893baf19daf69e68fe5aecfd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\87cf21c4-6111-426f-bb9e-857308cb842e

Filesize
982B

MD5
17e7cdfcd664814d6cdf060ee8cf75b1

SHA1
5f48ed7aaa18c5dfe5b008e9fbf3b696dd5d17b0

SHA256
dbf87e8a69463a5631277eadc9dead6e42988c7973329efd23115f2498f864fb

SHA512
362fc37072a4941e48b3b65de2c4f6908a5deefdcb353b83b4c62197564848d0ae39512f2dd0b7ae8f13630d62272e7705cee8c4ecd0a9211ad223a32b37c65b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\d75660f0-0f99-4091-a996-a965a3fd7714

Filesize
27KB

MD5
dab9891f7cb8e704c5977039867f5fa9

SHA1
7ec911ec7ebc917d27cfe0ebba67204773978752

SHA256
349dc62ea5f13bde884c8095b7219bb9edeecf668ff2698acae29ef5b771ffc1

SHA512
e60e26fc335c60a9153bbacf635c3fe9a74d090866f19c42ed48c1c1bf93537e28b67c3915f001777a6581a085ba4cfe6e9a942c0d92fb2062c13849d8ca3866

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
11KB

MD5
b6b56ce6ff9159670649670c0ebd2480

SHA1
7535b215e3ba0a2dc2b30332d2e0d168c70bd8a4

SHA256
83e6eaa46c2ee0b0e043247efdac7ccd77cb212196641ec9571c93bbc900191c

SHA512
3f0ec0ed7b5cf9a7e1eac269182d7c4186b61270b6bd6f3616cf0c61d24fd3dbdcf2d465abb549bb74b2da6fa0ede981c7cfea1d4017475cc314ae62f683de65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
15KB

MD5
b66f4559b7acdedf75f43f861e1db076

SHA1
7c140ab07aa9b7291d4735e7130b710b51c058c1

SHA256
96ea2e7d884f344e006bf7263a1dca278a0c86da6ff27b4df4b1255eb9ece23b

SHA512
00b2e9151edd11b06fc907b8731727a30e62f879003a0e823741a6a7956ca427db688b9c9965af09b35ba7751c5935df6623d354117dfcf3d72be3f106bae3b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

Filesize
11KB

MD5
76f9a246c20f7e917222c0c4a0dcebbf

SHA1
e4270380e549e6c234b894c1f809a1ffb915504a

SHA256
f3f622926ac6aaaa48709c057d3013f57b75ceed70fbc0421f300f2928af91b5

SHA512
4235466d2369568aa464108e713e0b1c1159abed01ad9ad62f18434dc3ffa4c29cb73e31dc34d23473ac3620901de434459397e142103ded1c63dc8281b4b496

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
02aef89cce125aa9f0e1ed839a25131c

SHA1
979da6f5990486e20ea35848aa91533f2b61c5f6

SHA256
50dbf36bee398a9d81001da078482274111e01a2a113ad215de8530adc7a2edf

SHA512
f0dbe8df1a39dd1c095ffbc5bd35c9ddaba0d309b4e15b2749445c025b1ff26ed758eca6f54823b2c048abf787f8b535d0e5b0b20e90c5270873ab19a0310bd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
9a24770a0dfeb5bb6201188884776313

SHA1
285f7dd0431cded693a1626e9d1b7ff7215e250b

SHA256
f8ee960d9f89c1553b3d63a160349fa22fa2b603e1f44ad745eecff08dcc3b33

SHA512
90401b0feeb41d7ec2104ac8f143f557f97a19ef73ff37ef99672b457f77a75659c5639b80e3971156e9480ff6c08e1b485846b81a58382a67ef83e98f745f3e

Download Submit