bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 02:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
Size

896KB
MD5

288aa9ecb864d704de15f9818dbbefd7
SHA1

8c25304d4408ba4909f55d6a03bd50eb722969b4
SHA256

bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e
SHA512

cb5276c9070da01e4890951ba02d8224d6a690e786443d176de342987c05c3f1f02df332cb1a36edeb775bee7da9a69236a440d0eb424d05fe0a02aeee96f28e
SSDEEP

12288:dqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTt:dqDEvCTbMWu7rQYlBQcBiT6rprG8avt

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
4648	msedge.exe
4648	msedge.exe
4004	msedge.exe
4004	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	firefox.exe
Token: SeDebugPrivilege	4744	firefox.exe
Token: SeDebugPrivilege	4744	firefox.exe
Token: SeDebugPrivilege	4744	firefox.exe
Token: SeDebugPrivilege	4744	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4744	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4004	5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe	85
PID 5020 wrote to memory of 4004	5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe	85
PID 5020 wrote to memory of 1928	5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe	88
PID 5020 wrote to memory of 1928	5020	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe	88
PID 4004 wrote to memory of 436	4004	msedge.exe	89
PID 4004 wrote to memory of 436	4004	msedge.exe	89
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 1928 wrote to memory of 4744	1928	firefox.exe	90
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4744 wrote to memory of 3608	4744	firefox.exe	91
PID 4004 wrote to memory of 2928	4004	msedge.exe	92
PID 4004 wrote to memory of 2928	4004	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
"C:\Users\Admin\AppData\Local\Temp\bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff8fad146f8,0x7ff8fad14708,0x7ff8fad14718
    3⤵
    PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10777993462576940506,9314325554225255194,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
    3⤵
    PID:2928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,10777993462576940506,9314325554225255194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,10777993462576940506,9314325554225255194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:2104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10777993462576940506,9314325554225255194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:4576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10777993462576940506,9314325554225255194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:1444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10777993462576940506,9314325554225255194,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4488
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ba99b48-020f-464a-8a88-ba6af2a75aeb} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" gpu
      4⤵
      PID:3608
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abaa9451-6464-4d7b-9819-aa742a472359} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" socket
      4⤵
      PID:2100
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2848 -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 3324 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c448dc19-2ca8-4fda-9f4d-095c4f2f397a} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
      4⤵
      PID:4948
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2756 -childID 2 -isForBrowser -prefsHandle 3708 -prefMapHandle 3704 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9635f2ac-a28f-4fa2-bbbe-f3aa07d009a3} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
      4⤵
      PID:632
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4548 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4544 -prefMapHandle 4472 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73d0ea92-07bf-4a35-bb70-5acccd19414d} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" utility
      4⤵
      Checks processor information in registry
      PID:5284
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5532 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b85165b2-e21a-401c-8e9c-0692ee96d755} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
      4⤵
      PID:3536
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 4 -isForBrowser -prefsHandle 5556 -prefMapHandle 5440 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7afade1-8c57-4f4e-b1ef-99e9d15d2b9b} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
      4⤵
      PID:1668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 5 -isForBrowser -prefsHandle 5680 -prefMapHandle 5660 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65b13298-7aa8-41bd-939f-309fa11ff2d6} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
      4⤵
      PID:1500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6280 -childID 6 -isForBrowser -prefsHandle 6244 -prefMapHandle 6264 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bc7b9f9-8c3c-49a2-822e-99fe13df507b} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
      4⤵
      PID:5272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
671b9a5503c04f9acaec6c7f7ccbba8a

SHA1
78279d6fc1dd0c2a4f146f7970d196afef7b6e34

SHA256
a1a222d64059fd02d4590501274db92345d3b9bd0a6d9d7a867b1387c342de15

SHA512
894981e56b763b461e514a4ecb0a5e87978bd67ae09ed03fe41ff4c61b4e8271026594afa7121d22be83082c745e8b3682f1b94c9f92f2f0a03b6dfdc76b19e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
01b5060d7928c489319993a1d963a1a1

SHA1
153d9d19c0c5095981f956e2cdd1a19b6f6c1101

SHA256
8b5f1a2a3b81fb7fa823ce819ac917358328beede9a5ebcb63e998291969cbad

SHA512
4e7e8805d0e06c603d5e9c2fa029c581526b068dfdbcdc8ac5cb18a35912adfc3546e055e5a4d05c2d56ad52ddaa69d9b69118756ca987e26b4d427ac6a6140f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
705f307b0a2687c5d6390dbff1d0fb40

SHA1
cf1ff1a1c788359b2a6664a8703cbaf6ff8c4c3a

SHA256
3269a543a19514b96821539297ab088da67894f4c07d841f0bb3de57dbe3ebcc

SHA512
d5cf831e4cc1d098f424924c39091203f532e6357c6401225a3100deebc292fc15f4b124f2e4830a35767c4ff1996bd91e482b7e812130cd96e4a5573302671e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d2f9ea7ac23e854f24187abd6adc131

SHA1
130a8fbe4625983dc43b88df4102ae7cda6cea9e

SHA256
07f2b22e09edbb3b1a2b77587c35942df56a5bf46a33755ddce899cbca41f464

SHA512
96fc7beb692d9aade00ac759f0bda198c9c936c5620042bcefcfb464e6e8c111a4e55435585f3d8f00b955162ecdeb089888ac9330a2fa85c04678184887036c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb328aec41f3978a04ba352861b1a920

SHA1
94de266683955b38dbd6b05c0df1a40e516ecccf

SHA256
0fc453de090a463614a591e7bf3941de49e533299d195cc9475a4d0695574bbc

SHA512
049aa757a27856adef3f72442b1316219112ca8199dbcc9f5c7dea24fdb00d53d1d7475ea4536a49a95d85a82ba00bb1daf685cdb3ac80f392b7b6f288bfd3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
96c543ad8b9efc8561a6089ae89d70ca

SHA1
10931b73b7807633bf4cae63133504ef40396ab7

SHA256
e50f7ba1e55fc0aaf3d069da0267f452e52de757d63f7c3826be40d4a1a777a9

SHA512
ea0a24ec5b16affac3b705bba912e93390bc7b29bf8ea30dab997e8db88121750f6255f4ef4e1de1c04420a073585cde7f67dc7dc740c967481aa2c6b964ed59

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
979080ff7456ad95ee367d448e86b925

SHA1
cdcf4869c577c98dad19f21bd609ca433d4789b0

SHA256
e7e7b930fa5692b14d377cf025b7e3dad80b19bdc912561c41c5e8845957e45a

SHA512
c4169ef11bd5fed61e6306568e07bddeef76785962d45f929139a72dce032c321e8f8a02fe5997469c6ea7eb57ca57ad37d7e5f90a0d5ec8d30664ddd7ac6aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

Filesize
7KB

MD5
144be6d82c00ce49fed889e69856c2e5

SHA1
9a9049879432712d3d4a0bfb75203359e0575f70

SHA256
25c7f58425de4e83ff7a55fa66de9ad383a3d43b55943be917fd7b67263ed9e0

SHA512
90758a7437b6f2a7bf69d988f6f0a55564295255d27dbdfa73cc9c9fcb960bf9d3202eb16b49a51282c10298770e52553bc7e41cf8e49cae7d667b668f372fb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

Filesize
10KB

MD5
09037205f81b6635815abd49e66b7d16

SHA1
5c306c984ac31db41540cb39278c1be50fafb737

SHA256
022d9969f04fdcb00de30ab5e4bad6f8ca0ded09f1bb1690b3fac814eb7f2559

SHA512
00a6e6838ce8987fe04bc78af7dcee68050e99ba64973995d9ff22ac1ee3b411d52cc9da3bdd3505b66de2ab4ba455fa6ccd80c512e2a13e0c0bc0a2b0ce9f12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

Filesize
16KB

MD5
71729ba5eedbaed0ed25a6d3bfefec9d

SHA1
416ac542f7d4166328ba2a70dcd975f2aab39476

SHA256
7133919bf5e31e33f76678aaa58d38a0badee8ecd4bc8e3da7e17ae6b9586351

SHA512
2fc8cfc26d8b8dfdc79a9fac53e97f234a7bdc37ad961d3658039d97e96c50f5999024082200117341dc0efd9237b8ea2fbdabc7d195745e3eb24fd5dde15634

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

Filesize
11KB

MD5
96544aaf18255e3937b8500b4bc0f5b2

SHA1
1af8159cd2790e9b8139d1ca43f812fbd8c3b6a5

SHA256
7921a0eeafddb4023a19f6e875128a990cc25e4f6cd61b6c9efdf963d6d25fa5

SHA512
ccde149bb6aed099dd26b9268cf928adbf7f3024efcb0da1dc4b614df45ce65cac2310ebfda2612dff3f61bccbc11969573e6f2a7acc530bdad20a9d1f0ecb1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
ae1f162e01e79cef4298a853189d3989

SHA1
ac2cb2214104984142a73ef6279987d122f20706

SHA256
dfc54c6804ad13f978e459959f4a6e1b9958144a185011def471e56bfd1c20a0

SHA512
5076da4200645a663a6da764980e52c3930ff47b59bcc71bcd2b37c74387b9656f6e123fb846bd0bf7578b2eb562ff918913fe4d29bf02dc802dc1d1090f688a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
5261b0a920b96b3d593cc0ed6b407473

SHA1
03426bbd76e6854bdf86cbf6c9e435e6874a3032

SHA256
8c0abc823af39e0fc575b9d106764a5a1e99d10f9769395271c73714fe452c0f

SHA512
a4099fc3dab5422e31216974c4bce2680b7e860ae3e937230ec985da6b06e72a3ef6b6c212bcaacf0c48547545ddd711376dd04391b253912b114b0f9cc7ddd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
782119afdc5bccf885fb9ecf821de7ce

SHA1
adde4a2c10a37c78295920f28604c5fad3cfda10

SHA256
d5133b242594c465127be425e3437b7bb554811bcb5ab2d3da66f068e19eea5a

SHA512
7d92ff5b7e2c5f6a4fa0a87ea0f4e0302570be82204b4bd3e1ff2d7abfbf882a2989b55b42c22135432b5cb8a3ef71bb243b9d2f68c90eb076e1c666b7a151ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
c43cc20a157b6fa4a9f6efcbab894af6

SHA1
043762e0b32ee4fee0767bb2569e3f7f068b547d

SHA256
cc5e7fae66941ccb0571b94dbb9a21607210d6b376bfb5b8f32635e7579f0296

SHA512
ed0080ec56ce2e7c2423d8e842acefd8c9177cef88c343cadcdd246b946c7fed769275e19319abd17dc9c26a9dd79c270ee2e35a54f50a1e4015d9533c058623

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
3510cf1d883269f903588e09b3c2336e

SHA1
d7c49b9a733eaca1b0bb716500de387cb1d964b1

SHA256
6463534878bc89dff2a882a3e4e87aa946665915fe94d77b3291e1905cce3bf2

SHA512
e9b6c2e85df3b29d6b4a9d2c824d09d4f961c6a55ece3964d0d0ffb861ff97d22179e0201f31aac31738c1537d5a4331ebda9e44e4795efe3f69a2a07b3bf88d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
e642bf3aefa62d50e23364b105020a97

SHA1
be48d163bd040be3c35b641cae47f1f182ac7c19

SHA256
9069458a4bf990f4607673ec13e65ba89d065605a09fd08c9fee863759e7a401

SHA512
3f7deb18fdc9e43dd89fdaf32e7ea77ab30c01421f77b17ed3325f3055ac6faf6287c048686bec86511ffb21bbd8fd00c1e68e15ffce8a85f82e17ab41bcab3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\853e4415-a205-4ceb-85af-e6374d1f16c6

Filesize
659B

MD5
cb3b47097eb21da9c60d2d160a6f7799

SHA1
d9cfdd0e913b4c24e164239127c119155750ed1b

SHA256
2c954aaaddbf76116e865c1c7b034b6bd21f83104ec31f48ffa47fe3bea89ff9

SHA512
e86de696d49a3ae3b587946b97876349dc957e25af54e1a0aeae1e6876ea39e3c28edc7027dd3fc064f241dcc3f9817ff7c94c457cb98198fa3649911f1d512c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\d58fe910-0afd-430a-987f-ae9af08f749a

Filesize
982B

MD5
792f15d8377196ee96f8a958cecccefd

SHA1
4713e0afc361ed33ef34010d45a1bc51f4115354

SHA256
2ca0e9379fb9411f38552d6b628c24042df6cd98d7511d5ae4a1c8dca87839ab

SHA512
cede8d778d227e31266864112c450b45b95eb16cbe6916f27e6896f01f5de2a3b9e879685135781efa7a67b1c61c45270b658794648702137f75e5073843596a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

Filesize
15KB

MD5
de8e72f1abeff716e4ac363d3ffdbc1a

SHA1
1ac8cffe37408338e6aff993a7202d5e09147ad2

SHA256
5809fd1c8862ba523cb1789a473832f9992e3f2ac0ba377befebf2c030b0ceb2

SHA512
1c564a21a5a3a4d64a68c563e04385acb4e7375691923aac25d3556add83c1fde4ad005929f1158d5d7cdcdd95c7e5cde79b331a86891a58f16510aa233a9261

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

Filesize
10KB

MD5
790122623054c63cd5df7ad1b42368f0

SHA1
e86ba2e8ff1987190c41cbd3bd5c6e7f428222d4

SHA256
35106f88343995bf8f7a4d1f96d80003769e0f2e5cd487326bf2e36b867e156b

SHA512
661aea3df8f7e03f75a081a6f3a6c86ed5a4d20c5544dbb6f93e327540e54202927f441bb5a32dcc4131190c17d9258c2161b80f55bbcba9e7027fcdb272c1d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

Filesize
10KB

MD5
3f63564785258d2e6b21b1cc140b9190

SHA1
da2daf3cc39fd47c4c63f31af90327c48df06824

SHA256
37cded8f0cb7efefc5f2007bf6113790a831adb7ffcc15a072d8e5140570159c

SHA512
a6f21acd35be47132b6886293fec4e8d0a00c0272df35b87b8767a851e84dbf86ab205c5e64c693b8f3e30b289d34a16f9e3e3fa2047f5c7e47e28c7d8e5f418

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

Filesize
11KB

MD5
ed57602552086310aa641fffc7ca92e1

SHA1
6635e44b6b16ee8f97ac6cf69444e57116823ed4

SHA256
abe60ba57b1fd95b1bcfe705b1e3326fffac2a906c71b8cdfea419b8d2b69e04

SHA512
4154f4e55c5aad66efe1a49bb88a58832b477e566088c99a6aebb252ec910aaa09f8c06c9d3c9c3fc21ed25704aecac427e9c6562beaa6747f3c347fc0467374

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

Filesize
11KB

MD5
d2046c08ddc1ccfec9a1c2304cfe9872

SHA1
cc52ef70046a5a92357c2cf04c76a6826d7596d5

SHA256
9664e72a78f81e96ee17886dd905f2fc20201c22bc1c5f89aa53674602071129

SHA512
9d1f7e77a8ad19bc571f7c8a6a11f758e5e9a1776b780e4304fa6427cb3a982a98c52518cec61120fdf347698c71a93d2ca043a694c81410b399bc0a2d8bb2b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
136319e884b5a6de3b1e0b442567849a

SHA1
93f175df9c73a87fc7569e13a86d7ea6ce13914d

SHA256
2bb680aa9d2ac22643f938ab7db66ba847af95a92d9f6f61c782c0013fc0970e

SHA512
e0ea4448467452363f26a7a69302504cd92bbb0c9439551024fbb8c409581d52bad80514b0646a1022882b7f37302423c80cf2e6a3f5149bb25addd1caa71f4d

Download Submit