fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe
Size

896KB
MD5

defd39769340947b16036d0ce301eacd
SHA1

4d4e3d6e99f2598237cc0560b0b7666e7d16ad43
SHA256

fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc
SHA512

a6d38bc9db6b2745c944f2867683a58b1488dd9741ffe0ebbf0f5bc5a30879e25bc2ca09348157fff5b27eba2f61794049efef952774cd7ca40516a596235841
SSDEEP

12288:7qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTV:7qDEvCTbMWu7rQYlBQcBiT6rprG8avV

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe
4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe
1164	msedge.exe
1164	msedge.exe
4088	msedge.exe
4088	msedge.exe
5884	msedge.exe
5884	msedge.exe
5884	msedge.exe
5884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	firefox.exe
Token: SeDebugPrivilege	2324	firefox.exe
Token: SeDebugPrivilege	2324	firefox.exe
Token: SeDebugPrivilege	2324	firefox.exe
Token: SeDebugPrivilege	2324	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe
4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe
4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe
4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe
4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4088	4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe	83
PID 4896 wrote to memory of 4088	4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe	83
PID 4896 wrote to memory of 4684	4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe	86
PID 4896 wrote to memory of 4684	4896	fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe	86
PID 4088 wrote to memory of 2296	4088	msedge.exe	87
PID 4088 wrote to memory of 2296	4088	msedge.exe	87
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 4684 wrote to memory of 2324	4684	firefox.exe	88
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 2324 wrote to memory of 1100	2324	firefox.exe	89
PID 4088 wrote to memory of 3260	4088	msedge.exe	90
PID 4088 wrote to memory of 3260	4088	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe
"C:\Users\Admin\AppData\Local\Temp\fc45559d6a3f6dda0bf13bccfcd0a287a1a51463d182f8318eb3e93a0f3a25fc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9099f46f8,0x7ff9099f4708,0x7ff9099f4718
    3⤵
    PID:2296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,3105693422408319625,4383117916585862961,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
    3⤵
    PID:3260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,3105693422408319625,4383117916585862961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,3105693422408319625,4383117916585862961,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
    3⤵
    PID:4564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3105693422408319625,4383117916585862961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:2088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3105693422408319625,4383117916585862961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:3712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,3105693422408319625,4383117916585862961,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4904 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5884
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acaa8be4-1ad3-4ce5-bacb-04f43243ddc1} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" gpu
      4⤵
      PID:1100
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b8e34fc-93f6-4ba2-8fe9-b8ef1b7bdda9} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" socket
      4⤵
      PID:5052
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 1 -isForBrowser -prefsHandle 1736 -prefMapHandle 2988 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef13e977-3040-4dfb-b458-92d3e93e0266} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" tab
      4⤵
      PID:4136
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3544 -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3680 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08bd6a34-6e2d-4e7c-a8ca-f684615366e0} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" tab
      4⤵
      PID:2960
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4304 -prefMapHandle 4296 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6032170-dd47-4356-8a19-9d9659437f2d} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" utility
      4⤵
      Checks processor information in registry
      PID:5376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 3 -isForBrowser -prefsHandle 5412 -prefMapHandle 5404 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a78edde7-eca1-43db-8402-c6b0f0e4ff1c} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" tab
      4⤵
      PID:1292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5616 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47134eec-2e69-4f9c-9a33-1b0b91432519} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" tab
      4⤵
      PID:3948
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 5 -isForBrowser -prefsHandle 5892 -prefMapHandle 5780 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0e2eec8-a225-4be7-8cd8-a94b013dfa2e} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" tab
      4⤵
      PID:816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 6 -isForBrowser -prefsHandle 6356 -prefMapHandle 6352 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75eeab9c-2c2f-480e-be6b-9a9138567e8b} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" tab
      4⤵
      PID:5520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
63b4005911744d32c3c38eb5257baa84

SHA1
c9c56c6332c3f8a6af0f9d045267299dbde229f5

SHA256
ebe235834e9e35d5e7142f66d09c5bae8710e7452dc8f1c7ec195c75529fb059

SHA512
41c1be99c89d2f4993047ecb9bd46b03517ea52fc341557c0418df2e0635cde78eae18a92551a56d6ff1f81c2bb112d910631dbced4f76044657377312d46831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
668008a2a9561b5d58e41a49ebe8eefb

SHA1
f9bfcd06c42a2c05268513f35194115ceab2147f

SHA256
5bb48795f31668967b0f3007657631cf7a5e4b9d6f2d7b9315823d3cd5388496

SHA512
32bbb80fdd868b06213ed27d7fa69e00683941a2663a3409507160b3dd2f80ec7d7ee40e79069d47ce3ab35b5445bdedd2b781c4c5e09c56c8b84f87bc4d5b9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
69b1f9380a4d5aff8b1060444154f4f0

SHA1
4358237320eebd5a76890b8670245beb91d5277e

SHA256
a876672ae69a0a5b351d6e0b2efb9f2f9ebc38fba6e3b9f1a6d7df7c4a5e6cd3

SHA512
97302a2d12dc16812d11894f337c41f8216eeb665a8e5ec910b97a5f0c73dd4656b9fd17a6e2b99dec59282c146fe92b37dd11f58110131906b2cc10d503ae9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
95a2ca4230cf82db1f9c6ecbc86abf51

SHA1
8f598fd2c881131ae676732e31e2a00865c5fb4c

SHA256
82231c8343c7c041c4c08ff3d9764a579ebbab5dbf62f36abcbeee4de5910104

SHA512
112c7fcdfafbb260f53ca1a05d1db53b82baedf268fbd3c4e694aa91c9538d3968374633f257d4b22ecb09791aeee78d5a816bc8f832c277fc3881e7c859af3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
09232662741a7f829ec14b72392ec96c

SHA1
cf10492830e72b30045302ebdd479741ff8501fc

SHA256
82bb341f7313a3a6cbb8b141a033f5a709a8356516c606dd0870d224b9ee66c5

SHA512
46fbb76d552df2f06c568c6224ac77c001bbe7d2de34c83a6cb0a9b8d5cced4f0560560cba21928fde0261ebf9ece4bd55cace64196bc036aba196be77696a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
c36573814f218f4f2c1fdb2ce3cb9073

SHA1
2521af886ff01029f11ae1ba6ec86be6dbf48ae4

SHA256
966f32144df2b6eae492cbd36d7b41d2e02782d7685daff4b6004be1368eab60

SHA512
b3f1ae0da5a3b2de88f66f6459abf14a954e449f353e96a10db7b1b3d8b9eb2c369b22f4578c2432286a8447167385c724ea2fe1f329971f4607c6a61a548996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e635.TMP

Filesize
203B

MD5
1d0d81e803e6fb7ba99b8b1d4999135f

SHA1
62076219cd31e88575156c6f4f51fac6746768ae

SHA256
3375ce81375a52bbc6c0e18dcaa86976058ee25986ed966d700aee8d24e3d54f

SHA512
b659d3e95d02e328cf80933785e73756e33c7a16f285d2d5e8fa0f4c915e51ab0a0cfab92415732d1ac27d70c85001fa64141bd3967ebc184e8e2b8929cf146e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ed361175bdac1a2b87a2f7f3a56fdbf

SHA1
9ac2b29c7478b88342501cd0682db44ddfb057fe

SHA256
ff0f8c8818e71ffcafd05cd4ee96b581f607b8fbda2324c6df1afd7cf80d7301

SHA512
857dcf088ad96166d66a67b7f272a29693be64e2b4a8aa98bc617a94f7a31fe201e8d4c60cf487369209836c82307374925f9b3cf5fc97a1d7e296cee86a47d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
25babaf6e21649c8ff937b9b33ae5d7a

SHA1
bb32b729b58deda2058110c45b7ae8f6edeeb312

SHA256
e8e106d7df82acc627382b6b0486bba92bf7f69bdf6cd93caf02aa6a93e117ff

SHA512
582cbaeac578d791a2283621ce1e5e550702a2c895d721981a4857424ed111d8e8d4c6e0c1a0d201cca62362890020cce106788adf73af05c5af53740e42c814

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

Filesize
6KB

MD5
15fe627ad910b175e88104925e442d11

SHA1
5ace11bea6f4313a91840aab6ae0f39ba0097536

SHA256
171ef0eefb9c9b2f987dfa2519f960e30387519d161d61244a1006abb58afb87

SHA512
312d65825b62a5a262937afd6b3e65617f826194e2840f2d850c01adffbe4ba5abdfaef13564c8c45bee0a0067eb07abf0da2ccbf7b1bd784e95cb5cb1adf858

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

Filesize
10KB

MD5
f855d66e825125ef91d19c56e0b7c969

SHA1
be274833e396c765425ceaf8caadb9935bd60fab

SHA256
dd8b36bb443ec6231a00466cc5d20774969db24d9c522f46f0bdc7f762bc2cb2

SHA512
445ac1bee463c56a5c2d4cf1b67987233ad8df88b3c571ec751e8b2f911d1c8b3f22c374e22c25a02cdb7987e5d0a0c1e227aad2ecd09dee1472c751f9083717

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

Filesize
12KB

MD5
4cc0b0988cb06c5a07e8de1f4ae7282f

SHA1
88d5f7236113b2786c358915a702bfbd84df7629

SHA256
63a2782d867beabd7c7d5c1481897c1ffdfc34526de3e6e726dd5e09b2ab51d7

SHA512
eb1d55611940d740b90504a03a55e810fce03309bfe714b0d665b76add5ac6293833d4fe0072329e2b6ffa94b9fb9cfb7e379181699c9f2c5112ea99940d7ebc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

Filesize
16KB

MD5
2ab11552358378446501fde2bcd3ac48

SHA1
707c9f6a56039a6a4b219dabea3386fed034fbce

SHA256
a6749d7eb29eca2b21b735371f8e531ca5f6f9568a36461bff7e48a78a27e959

SHA512
7cdcfe8de2da279ac9c8440129e5349a84e361598d220851f7c66b11a5d4f33c2ffdaba4ea764b0133f7799af38c1dc4ac519f9c81be054140b1469d8c219926

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b3a1cdc16b49a7b1bb997d3d751beee4

SHA1
9c1e191e695ab581ffbb2f1fe6effc2c76d4697e

SHA256
0de7f928b9765e66a8d7079752497e4a19686f2c58c7001facf7d3aeb0bfdea5

SHA512
a2c46e284e4103736956e09d684c194e068558663490f4eb86a2ebc85a0482bcd76bb25b2e6779c2060726d8f2ebfc177be04092712f40a2ce9f90c570a89f32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e612057da80d50954ba574972a28ff5c

SHA1
ff3dab2f310ae514c24746d61d86ab7e467c8798

SHA256
9dd2735c9ebfce4bb0e1ca5d40b5698d54e280ae11280bd78dcf2d57a1f316fa

SHA512
ba900be940f64d7418f359e869b870e8c535c66c5f1c9c5d43e395909d18f199ed8a75b39023246312e7bbba803df55f6975b2d49ce2019e669a17c76aec08a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
4a75e4a908ed0c2a7d0f0315e207d98a

SHA1
6ec2bc525196adc096483e1826ac30c4bf0ad85f

SHA256
bea51d6906a9677ae9c89284df4c4e376ad27dfa8c654edf5c80b8a37ad94c62

SHA512
6563c26c9907548307fef448f2278f606b3f199ef9fec5c30663f4a47c6f9d344a8f2cce2e4ace9d64f04e7c249b01926188954d007c428432fed5e8dc68d124

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b3f969b50fc9023545aad7ec672111cf

SHA1
9bc2d1b6c63402ff7a0effe91902f9f225546ebd

SHA256
969d073839c4da53f60cadfcc3982cc81fbfbeccca1e293da5977598a3222cb3

SHA512
d6483ccd0e8f035fec1ad33bc94fa51f73a9c1062aaa3c8e2e4e7c071b937bba1585f0618234da8a73918a7ff4897423d1ecb34b373df9f30c08678a1b404211

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\522e4c11-df2f-4810-9d91-68f45c8329f8

Filesize
671B

MD5
000e8a14b176e8c6fa9608af441122f3

SHA1
6476729b98f821f0198f972d1495dc24c02c5337

SHA256
912473cdd9f41b3f83a6853bbc8ca5a6eeb51347e0b1b41e85d7eca9b1580466

SHA512
dc3fff1da2ea8ff5c28d9bf924d98957137061a5179d73c016785eff37cc08335210468f685af736f959b078e34409114051cef70937dcc4eb850b10931013c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\7acb8855-e6ca-4870-a5e4-ae53c40fde2b

Filesize
982B

MD5
bd1d4bdbfee4294364602bd945ab2bf8

SHA1
29949cf9aeeb067ce39930426df3fa48ed08fb56

SHA256
0b75b5f2ff290040c6b61ca2463ec3430f8ae82237e53f92a4a91443587533fa

SHA512
64fdbacc1297d0c32a77ea09aa4e2242905fabe92a5c4172b104f860e98d586674ea83ef67f98c7369394cbdf2783aab58e128141153cbaf3df7150ce2fb65da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\be98ad58-5794-4e7e-80ea-73093f16eed4

Filesize
26KB

MD5
0f0c18a4ba6c7418fe6699587f2734aa

SHA1
c9f52b7446338002829927074ec507c10ee79061

SHA256
a3b5dac404a19ee73ba31eee278e5b99c2bd8fa58784e66c695e85bb654ceb3f

SHA512
40abf7901343b9d024b312842f8ec6f2c2f3c7da5f6b364ed250736874f764cc760c4fb98a0587fdfeaf6581eddfb0bea85bca42cda763d2aaf3bc96def89271

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

Filesize
12KB

MD5
4ff67723d6223d9189dabf208bbc2748

SHA1
0f5f65b24568c5888f910068ed8a8a23f9c9b3e4

SHA256
86f4dfcb60d705fbb9024f44533f71db050fe4992f8527c4c079a0220fb6d7f8

SHA512
ac72f2884d9b4cc45cbd98b7f63a3bf05e0436e0e81127e757e05ee9cb0d75250bc258ed2ef4b0afae9302743424e340bde09ede2ba971a9241930921f6e7126

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

Filesize
16KB

MD5
a501f45823d73e3ee0f3d6844c56b73c

SHA1
c1a24985b2d4f78351620d4aebafb77c798feff5

SHA256
985025d019def519bd3f1d8c57f4e045fbab831e430c9a32e4c4d6e859cc8d6e

SHA512
a383d02731ed665747675e57f4e65c56a7f7b517b4176ebf379d0d92e1dcce8dc5175aab27d5f0c33ca8628e3e86cd19c2f2af9fdbb72ab69e78a5d2c9b609bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
31597f1bf66388e779d0694016141538

SHA1
42f787a5c530b1380ddc2edb9532c3fbb59c8a81

SHA256
8980b63d154d057edea9562c37e745d643c080ad3f5bf959b466dedb784e9a5f

SHA512
e760146bd481ed139cfb4b4179dfd5c93054b129d8eab513a19d811cc602323a9df4f63a4659960d14a320e334b216726cfbb2117b58c2fde7fba8d727e80223

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
3f6365a2b92565aa877fe239c5c47dc2

SHA1
72c9bb54c0b04d990f9f8e60bbbee817852eaa04

SHA256
5833f3639b7dcede2d3c55e9fdcd596dbe0e98f6905cd1da66e6140e12477cdb

SHA512
767c0507fe97248d7c1efa371fa6360ff753506e6164d414ad99852902afdf116fd23729393ad3480eb0917fe93a436b4367d478559fc03ecc049994a01d1604

Download Submit