bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
26/08/2024, 02:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
Size

896KB
MD5

288aa9ecb864d704de15f9818dbbefd7
SHA1

8c25304d4408ba4909f55d6a03bd50eb722969b4
SHA256

bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e
SHA512

cb5276c9070da01e4890951ba02d8224d6a690e786443d176de342987c05c3f1f02df332cb1a36edeb775bee7da9a69236a440d0eb424d05fe0a02aeee96f28e
SSDEEP

12288:dqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTt:dqDEvCTbMWu7rQYlBQcBiT6rprG8avt

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
3160	msedge.exe
3160	msedge.exe
560	msedge.exe
560	msedge.exe
5144	identity_helper.exe
5144	identity_helper.exe
3504	msedge.exe
3504	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	firefox.exe
Token: SeDebugPrivilege	4512	firefox.exe
Token: SeDebugPrivilege	4512	firefox.exe
Token: SeDebugPrivilege	4512	firefox.exe
Token: SeDebugPrivilege	4512	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe
560	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4512	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 560	1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe	82
PID 1004 wrote to memory of 560	1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe	82
PID 1004 wrote to memory of 1016	1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe	85
PID 1004 wrote to memory of 1016	1004	bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe	85
PID 560 wrote to memory of 1236	560	msedge.exe	86
PID 560 wrote to memory of 1236	560	msedge.exe	86
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 1016 wrote to memory of 4512	1016	firefox.exe	87
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 4512 wrote to memory of 5096	4512	firefox.exe	88
PID 560 wrote to memory of 4212	560	msedge.exe	89
PID 560 wrote to memory of 4212	560	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe
"C:\Users\Admin\AppData\Local\Temp\bcb166f193382366910c54f23fd2e4057a10f4d123d4da53fd645da363b3369e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffebc0e3cb8,0x7ffebc0e3cc8,0x7ffebc0e3cd8
    3⤵
    PID:1236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
    3⤵
    PID:4212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
    3⤵
    PID:2884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:4196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:1196
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
    3⤵
    PID:5224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
    3⤵
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:3684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,6274875895111742254,11329474377406946023,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5108 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1492
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1912 -parentBuildID 20240401114208 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4ba0060-2366-4f8a-8073-959921ba4d43} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" gpu
      4⤵
      PID:5096
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89ea5377-55b2-403c-bace-eda37e428ff8} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" socket
      4⤵
      PID:1792
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {412dccaf-ca76-4129-b206-ee66babba318} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" tab
      4⤵
      PID:720
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 2 -isForBrowser -prefsHandle 2572 -prefMapHandle 2728 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4244af9c-926a-4827-a0a5-d8a6b57b2c49} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" tab
      4⤵
      PID:3640
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4516 -prefMapHandle 4500 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2d4aa7b-e193-4839-8c91-ff603925756c} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" utility
      4⤵
      Checks processor information in registry
      PID:5508
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 3 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaa6fde6-6684-448c-9644-e053dc2e39c8} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" tab
      4⤵
      PID:5264
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 4 -isForBrowser -prefsHandle 5844 -prefMapHandle 5592 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15ddc97c-d82d-407c-a78a-2dd2bcaa98fc} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" tab
      4⤵
      PID:5488
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5768 -childID 5 -isForBrowser -prefsHandle 5776 -prefMapHandle 5780 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e5254f6-26a1-4141-832a-abd0963e10a2} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" tab
      4⤵
      PID:5496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 6 -isForBrowser -prefsHandle 5844 -prefMapHandle 5592 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc06592f-7008-442d-97fb-c9318d33f50a} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" tab
      4⤵
      PID:5560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
f8660d48d96c48990d43a19f622ceaec

SHA1
7c227e6e33ef0da62bab0a2864cdca909c4d5abb

SHA256
cfa00ec49992ab94f69940bcd3a96e28d8a1fa05b14a39ce6f4903da5820e651

SHA512
0e0e8526b13f8207d00cfbbfb87644dd1b034cc659936c57c7d8b12f89d671227e5c67b05b097a8221db4e0f240568a8ebd7a21b2e1580a2c46e56da8babdc40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
54e8bcb3b40570b76efb1d3870c153a8

SHA1
615ce95d08afb2d67d199aa85fa4184d94d5c525

SHA256
413eb445fed8284782c0cd5bb2b575e8f2ad008478d6c4ad0e149e878b43ee56

SHA512
190d179a641ee17f0cd317cb608ab81c53a7780aa6627dcba1cac81e3a8a6526dcf25cfd359fc0f9b2237f574e7ed9bdc1ca0fad0fdf2f9b55d6e3114e0edfb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
74ca2ebb155e874e536334054b5a4045

SHA1
adba8c547e2adf7c7d5bb682dd71d845e886a6b4

SHA256
48c9631e6db1b9faf03f32686fe4468c177d08088e66553aa3c646fcf3e705b7

SHA512
51456ac4621457c9cd6e99801a2cfb878a64ab4c2532a020e593c92468b76503f26181323b321fb6b8ec7e22da3554a9d1d26ae9b0d7a4d3fe1a350ffaf29b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1c6cd3f582583ace8855e0fa4e4c4a97

SHA1
d52322b02b7b5665163ea43e852688987ed41706

SHA256
5c59ff589a5ce21841da40ba58a33c1926f7f3ced1ac19dc0778bf94b11eeeed

SHA512
fd76fe6a482e1381f7be573cc1d4bfd328d6ae747b9e2bd2e55e8436c4a9bcfc8a2bbed5385aafd79d24b9f3f059935cc558982b88a4f6bb4dad320bdf2226da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bfb2d88a51bdedbc05825f2b33a05c97

SHA1
b75e254fe01b5a89ce17ed24920228bc738060d4

SHA256
0e0b37de1081c32ca10c2ef4e3b04675a26407a45d77a2363829f72f1660f5cc

SHA512
59e3389e3379d7fa3377126ad280b367c65fa56a0c9b45f5075be32d1c4d11063163736ecdeea1712e341247a853fabcbdddc1ae8e4ba163eacaefa487f12b4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\fa7f38e8-877f-4b93-900c-751880e93281.tmp

Filesize
11KB

MD5
995f5291ee01edc1b70a9633da0fba96

SHA1
daaf51d02cc832bea65ac4eb9655011d7b38b343

SHA256
e45e8050f907fa634d6e04a2671407eb89f1c1e5b368cd3761b2feb7de3baad2

SHA512
8a2475ba70b9737ec3632c7c588963392c97fe029c9ddfb6de2bc7f8d888e8f13804f0d62bb5f93ab32e599326308c0d01f8f82e5e54b8bff84bd6e608f7a997

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
aafd7a02989779f648f18565041c1b5c

SHA1
115cc6f485a13370b8dcf258146d5773da8a5366

SHA256
9e3ecb5f97b26e281974e48c884f6fffeb1419a054466ca1d8a0328f0f626509

SHA512
500c1d05113be59a3d1774aa77c0fea201c7d6886d7fc0a5b16fa1731d72321a92f2610e98c12811a3d15b887b4c87a8f462ab80326aa60a96e98c011b44113b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
10KB

MD5
498fcf515911c4a087b4fc759afcf322

SHA1
111ecf0157c3834cf19fad9c59b131e85434faa9

SHA256
9c6a86708437991871863c784a546d5297e46f303df00536028af0af116ff00b

SHA512
443c08ed9ec9d3b1fa00508fc0204caaa7a952a8450069b5c85b3ece8a6a3c1cd8b1a024865fb4fd28610e10b2054fb437a6fde704a5768393e0ef3098f1e769

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
1b276987dc9951b410f46dc88983152b

SHA1
5ca988a30ea46bae1e329ca20dd337204a0eac8d

SHA256
5383d8ebc7ab15bdac0903e1b1eb3095dbf259037eb374da444a64c47037f033

SHA512
8e4033d82ce2157c1140e53dc03758be39729bacf60c62a808d107580c6a00519dc185ab4ef8561159bb475b93f5365188b3341417a84b9b7f1e66fc922501eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
1cc141b84ab274d116b75de307af9e4e

SHA1
eedcf81c395fd949fc91d99e072760b9f9bb7a98

SHA256
0acfe82e78094cebcbaa4d8ff82bd92c7e3e74ab4c71f59d53efc5289c2fe00c

SHA512
d792b574502468f94ef2aa09ced794b806e0a08ed7814b51e455404fb907e92e143a57aba9c3ac4fc3c21f2588841ff1bb17e48ee3f16de75211f75d0af23849

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
99c3f9a6dc694ee95d2edb53630c4f9e

SHA1
f87d982e33a0964eeba84e7b1bef976d71f6fd4e

SHA256
c8041e6b7cb9b3c45ecd04db555f85e0918c8664f3875358ea0186b523f3ddcc

SHA512
7a4e667dbdc50d2bcaddfeb83028471bae17981d1af7f6d9ca2fdb6562a59f060d4ef51c83dc8fd4aed69438b6ecf384e1e4c8e4fe12359a834ccbac9d65ad6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
58dd5f7f4ab23a18d143325dfe3cbeab

SHA1
80df7f5d64dd87f89b1460fd995ae752d2331179

SHA256
4c8cb84fd953c0fcfadfa1b96a56748f6be9876b7ec8ca3aed3e5fdb2d8f9cdd

SHA512
d764b5db34fa7c239a7ef9ada17267527d3bea0ef7b60b075d61cc5af019fac4edefdafd0e4ecc71be0a0b8141af00b5e68e53fc875c68a8c100c2729cad45e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
aab7d441d82b1379d9eb2adcdee15a80

SHA1
576a3a60b198206247e7e58b59f9843c7579c0de

SHA256
3bda85784c0c9f49acb2f95c12ff4d7db2eb7429c9398baa80d40f637ac62baa

SHA512
2197cf2f4b54e9f92c1136ff4e1f655249e45425bca53b949c0de0eb3fe38be4d12767a0b6673f1d3b86021e5b6441e565d62afca0889ce3bf64093b078729b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\523a946f-b703-4ae7-ba09-62cac3776e21

Filesize
982B

MD5
fd75fef897cb6b7ff979a745956a2095

SHA1
077a7d18087f2cadf0330fae563199b4e1bf96cf

SHA256
6ccb3e1bc6101dc81a3f4dca0fc68f48f262ddbc66b6d5e8fb2bc5d164b7c1ce

SHA512
dd304bbac7b837eedba20cc4231de66db92661151bc029e53f1636db67b9adf292408951702db5592de3cc8dd5f2546f1001a6ebcc423ecdc192f486fb42476f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\561ba925-ea25-4a43-9675-4e4de5b8d1eb

Filesize
659B

MD5
06af648a7102a374374cdd27f6b0c717

SHA1
869d91362455872077f6132f31193ccaa213a2fc

SHA256
f438fc8b3770c024209e2640dcedbef6ef042895ed5174783ecfa9d1de656a35

SHA512
7fcea00e089df828a380e25238d55a85af25141658bd06e34b41986345ed07749d13a1d059d14eaf62096e931700b02fa08a0cdfc5019b06a5ba34ad7146f49b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
10KB

MD5
c47d6cac5db103992e0c365c25ab2b99

SHA1
d861d2fd5098ad2e3f3f250741e1839140acb843

SHA256
cc2d14556559b1eb47bdb7544a76e92b653daa3078476504b742609f840042b8

SHA512
43358f00fe3ee54f34ba4faae99acb4ce2d31693fd563ed3ea14df6ed392d70e379b3a61bd6afd9f06ebea508bec5a6f908dd328aa5def7be32f7b3a7820f099

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
12KB

MD5
5226f7a56932f26e2e19673e1ae41e5f

SHA1
16dea716d9b4020a86187b3440352720650e4d50

SHA256
d65989785f9bb5323eb20039e4921cb121b1ed5b50e85cd91978d23a7189961c

SHA512
e6cbb44be79feab6b548e3713b08fedaeff5d39effada8c779cf2c99a9e90a0b070a32ae4d4f3879dc928e75903c5da279fe70aa163b06b10a1b5ae6ce37da8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
15KB

MD5
82cc3910396545d9a64ed4990b1fe2a3

SHA1
1dfb7a7964ddd268df80a64377f98efaf85e80c6

SHA256
413bc9ce4daebabc7175793b7aa54803bd925939b8ab8d40ee21248ec39baae4

SHA512
b42fe8de012084054ebb08b5b505fe9489366597998e832ddfe4ff0850bd443839ec53f9b4ee2a54e2765c3c67dd69b62bd27eba63371c74e3a51e5e9e6e31f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs.js

Filesize
10KB

MD5
a8689297ce4a1e27a43ee5991387b767

SHA1
dccede8904249affddd2a5ca83d49a2b6607c61f

SHA256
1f2f628989a7c4e42a60436f9cde6e15c99feb8549ed34413794b30bdc21991e

SHA512
2b6547e924f14bc6b941d431da2ed4bd05bd5bc57a024f994c97c711084f583a7a98a1d201482d1dd736e8752f6a23352c185d367ae9803a9ea8837292d82585

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
7b10557a4e88e90c63bbb2810639abb7

SHA1
86b6077825cbb0e8ed81141fb6f39d5be172aa7b

SHA256
53b54e18eb18a1cf08a8aec24e07f6d8497f6715b429e2f688639732506a0c5d

SHA512
c57766542e7f4d24959a71d7042c5c7a38cb77ed3496a60e0bd2062300985473f232a1df8dcaf37aa445656a0f42bc585133ee91635ae24514bc233a771f7a58

Download Submit