db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe
Size

896KB
MD5

6e0bb02a2301460b37979b6b3d6a82ba
SHA1

51508ce09684990821b9ec4ec3b265d5beb3ef09
SHA256

db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d
SHA512

4d5f567a1c0324caad9ccf3b23ade93b986ae6cffab21c0d779285049659cf04718b96b5d702f50faa04d8dfbbcd5f3039a06e397f338197157b8f1ab476b768
SSDEEP

12288:rqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTx:rqDEvCTbMWu7rQYlBQcBiT6rprG8avx

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe
1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe
232	msedge.exe
232	msedge.exe
3396	msedge.exe
3396	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	firefox.exe
Token: SeDebugPrivilege	4072	firefox.exe
Token: SeDebugPrivilege	4072	firefox.exe
Token: SeDebugPrivilege	4072	firefox.exe
Token: SeDebugPrivilege	4072	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe
1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe
1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe
1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe
1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 3396	1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe	84
PID 1076 wrote to memory of 3396	1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe	84
PID 3396 wrote to memory of 116	3396	msedge.exe	86
PID 3396 wrote to memory of 116	3396	msedge.exe	86
PID 1076 wrote to memory of 536	1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe	87
PID 1076 wrote to memory of 536	1076	db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe	87
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 536 wrote to memory of 4072	536	firefox.exe	88
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 4072 wrote to memory of 1500	4072	firefox.exe	89
PID 3396 wrote to memory of 112	3396	msedge.exe	90
PID 3396 wrote to memory of 112	3396	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe
"C:\Users\Admin\AppData\Local\Temp\db4506c1dcea27e8090186d1fe8ccc7333e2bb23344c16d33cf40d4f7b015a2d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa2cd46f8,0x7ffaa2cd4708,0x7ffaa2cd4718
    3⤵
    PID:116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3188293538537052837,3484809507327596636,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3188293538537052837,3484809507327596636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3188293538537052837,3484809507327596636,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
    3⤵
    PID:2152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3188293538537052837,3484809507327596636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:1432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3188293538537052837,3484809507327596636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:4108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3188293538537052837,3484809507327596636,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4964 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1048
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81751ffb-8607-4193-82a2-eb6f5682e6e8} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" gpu
      4⤵
      PID:1500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {923baddd-4fbf-41e9-abf8-1e71e1c93ddd} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" socket
      4⤵
      PID:2848
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1728 -childID 1 -isForBrowser -prefsHandle 2784 -prefMapHandle 2788 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55b70e79-e515-41d9-8f28-937d1153d06b} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
      4⤵
      PID:2528
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 1836 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b61bbcdf-a9e1-467f-a9b3-a000cfcbc325} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
      4⤵
      PID:2464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4216 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4264 -prefMapHandle 4176 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ec6730b-f08e-4bdf-9f1d-e4c11517b095} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" utility
      4⤵
      Checks processor information in registry
      PID:5304
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 3 -isForBrowser -prefsHandle 5412 -prefMapHandle 5296 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b61c4f01-6cb4-4957-9fbb-dbb9c047f956} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
      4⤵
      PID:1884
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5132 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f18e3178-5b32-4044-8a5d-f8e271497904} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
      4⤵
      PID:456
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5836 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5912 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69e1371e-3547-4ea7-b012-ebf6a63d2ac1} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
      4⤵
      PID:4104
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 6 -isForBrowser -prefsHandle 5912 -prefMapHandle 5620 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6ef597c-c4f5-4515-92c0-af5d5799a16d} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
      4⤵
      PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\412c3e0d-54b5-430a-b723-b220e02d9769.tmp

Filesize
1KB

MD5
08330333caa4bda2d2d74befa9efb2fc

SHA1
6d310ee33e7ad70084ece12d650c15c2d8ad5325

SHA256
d831278034808c633532340c4816500e839897af76b8ff0dc7ca98379c10cd9c

SHA512
3d9718bfcf0387ed0ce106334664296ebb49851f563aa724eee9a2f3bdce99792fa7aa1a9072b421a8660566d428a6eeec5322d9403c81b08d81922073c51e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
8cd01ea3efaff20b87fdba13957d6237

SHA1
5dd7430b6e6ebe5affa61f2541941f96201589b3

SHA256
0359fe09295bbabfe355f3e31848286eb4e0bda31c4b31bb6f97a7266a85f8d3

SHA512
295d844340a4352534c745f1a83fea9aa3e3de68adcf5866c9dd0ce307f348a2168aed57b1e7665448da54e34b509d65c076277a03a615a684c0cd6c4b428912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b6743770c8ec3f0215abfb7b4007f064

SHA1
b41b2890077cccfbe82a442f07a4157b8e925f97

SHA256
56a9955f26673981582f8dc55aaa72ad79cffe6c93bde8ab2233cbfd654821ae

SHA512
38a4ccfccab559bde051f644852128be12d7661415b7a1235bfd2edd5974fe515c16a4f8dc0675d802200b5b481be3bf5d68815edc619a6374830d886b74c3b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f413a3bac0386871912073d79e67935b

SHA1
76eedb286918cc599943a64ee3322695bf970b26

SHA256
38912f2e2d845705c9833db675798bda53f46ae2ed9a573d25e994433324de69

SHA512
1ad4b0cef6399edf85ec7705f3367aed5156378b7c4bdec360bdb61490a554ea89632d29e140ba09e36349067e6d1cc41afa69c6ee001d359f4704fd60a6230c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
05337ddbe87a21cff430591076616b2c

SHA1
99276acf3b75878cadac7900b17774e89f848e69

SHA256
6354b43b57a9b7d28959bee2c054378a486b916bc2bc0551dbbb55d8019bcfde

SHA512
4d0d4ad0879e29f9cd35df9ea99a57482642145add160d2fceb9ed69e06751ef2d60f9a65c0678e43347a2392c61f7b68cbec3fa21c184b20644891b0b646d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9e64df3ab2eb0c980b71851df4bd6c9e

SHA1
595dfc0fd599371e44d1c5692ae0407ebbfef358

SHA256
ca37fff4422b736e9c831980120618e88aad84c28a859e1aa1bedda6425bf94e

SHA512
d1dec8dafcb2b7677b99d8a6143b23e6244c2b75ef3ebec888f9ffd5d6928d72173f0d57c5ad8b32e0ebdb475eab07a293ae69cc08f70de8d53ff569aab7471c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

Filesize
36KB

MD5
190977b6df9ee2c0eddc30598b62f2df

SHA1
64723bc086fc1e4917ee41652ab751b7aaa5509e

SHA256
d306ba96ea068993318115ee1df16491a237cba7a83fd04fb359de5780e72444

SHA512
5ca19dbf28038fd83bfe9b417529f2308bebc8e0f560c272feb78e3c779946ae00b4d7700bb4188fd10f15890e5cbdfc547e7193809e4cce76c143d1fd6bc06c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
5602487e0302df8848a66be00b409be3

SHA1
d55326392f5de9f97bba908b3cc9a7079d802a52

SHA256
9cb6d80e09b9957ac2e7468ece7eafdb1f4850cae107788616cfc9bc5801ccf5

SHA512
644360121bad0b0c19b55b1aad105cf89aaf3e88c2db9b02e85a64237dd8f9ffb81cb9f4a2664ab6a0f8a86db9f22d2a1df3f712a649683a8ddedd57ccf0478d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
6KB

MD5
9b1a64c271d44a2facb117b85b883286

SHA1
5d6e0bc96939e02039eae9158641b2656feef0d1

SHA256
275df990c8f3738dbab74ae5452e818cd69ead3231a99c08af11d0d23c47c8f2

SHA512
92c2081d6d95ed7805b65de18c03b0abb0318adf346bdb063feb1c6e10147148baf443dc1bd2e56dd9e0fcd96114608b71c597bb9c2d19245b3ec3bae778f944

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
cdc08e88d0a951e3fe380e9553303b2c

SHA1
4970f4caa8991c9abfebd5217fa42eb4d678f7b1

SHA256
b17096623ec93872ab1599d05322d117a13690d1d64598337d1448679c942d39

SHA512
8c6a85d4d2c090dba0ef6db272ff037c739168232ff169cb71c68394f72ecc9d4614b81eb021c16cf7f54986f50715f251862a95bd600dc0b97cf2ccc3ab116b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
13KB

MD5
ef43a9f98f6025256fd7b47134f284ef

SHA1
871247200e55db7132a66a8131ae9899b1c940d0

SHA256
bb4ae3cf749466f31e458f877d1537a4d7f9c99ab42f1ff0c46dcac4f1284e4f

SHA512
eddabe6bfa1f8d13ab60e89caa83cb45c20562c68ff0bda0175f205a9d5b1c1165c0b00a47c3b376dcda83d7886baf77fc6a77720e349819a328543ec747d3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
16KB

MD5
e86a26e83b2d14046f874ade9289135f

SHA1
19f89dd65cd0f23dfc62d41179b1762d8fe01c0c

SHA256
6487ea8062695c1c56f15e8fbf64fead9935b79598f92343ad4c8eb736f99ccc

SHA512
f0c84497f9f9f92efe156d040c59466a716c2cbfd17645855551f4bbc7be4f30fabd7557b92cc1b4a7aae188937a5ab468e62689cd06986a3ae3c04bd202c5c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
81c66892eed6b8f4c8d5ef108e4938f4

SHA1
4c244f4d5d4cb99e17e6f91cc69adb6334c0ed9a

SHA256
4ce8f3cd05b96f23f942918c3305f2e81f4386bbe49b864d5bbc74a05c280d39

SHA512
f46e1eda808f985227d2f78bd39d5ce3f7e8b60c3bda99778820b406cd15a867619deac2acd56150f0a5a6735c3fabb58d8362606d394979d90b6dbdc59cbb70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
98e46fccfda9634d6fdfd7791715c0a8

SHA1
8aa9504ed937c4e1e9e95204e9dd748382ccedb5

SHA256
e7a2ff652bcaee70b1868b5347f5119709cd493f41b82393f6f555c3aa7ba3b5

SHA512
a8778b87aec89b7997408894ede263720fb3f8266362a1d07bd6fdc12166d116f3a4508de54c6b641e4b494e3e300f16c2035246aba2439e5da6d2d209c40e90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
c2d0430f27d2be5734b30f6843293462

SHA1
6bff7ee96e514a3ee69e59923796553e77d222d1

SHA256
ed522b24c582a1675b826afe0d0631fbf56bc298f62e826b6c4b0b5a25085872

SHA512
7db26efeabeb4e4d49351170f30b273ea612f4a134e802e2c81b777c386ef8055164add7f7a3b7f94d78b5230345765cdc6331fa81c2ee811082b4e7c03f5dbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
844b48e63ed9651a179a2d7326a2ead1

SHA1
3181d3400f9337f0c731557726aa4543747f6e55

SHA256
637902be05c5955b7d7170d4dae561ea7f3996a677b9a28c3bbf70c5612ecdb5

SHA512
66b210f948365478fd34ef1d5d0592111efefb1749a0724188c51c139d6e4d7228c3a8951d6bc9c906581cc719907c72bbe4a914f1b3adff0580ca5536c240fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\671dfc2a-f987-42a1-9c92-867a9d7f287d

Filesize
982B

MD5
fc430526846156d0f77ff00e560f21c2

SHA1
b45669f2d0b7f2271db71c287c7b3f79ed58b6f1

SHA256
2cc597774740cf6c783df573fecb00d19183ff5d51744f81a991f55048ed8b43

SHA512
3e2fd3adbbc6014f574a32d8ed3db75564382ef30093c3be4375c0c14fd770ce3ed79dff321bab3ab5c2b8bb191895b9f89dc5c189048e70aedec62be8b90bae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\a1c7d74b-9425-4e91-882e-75e549464f61

Filesize
659B

MD5
dff2cc37916f4e7a233fd5c573775567

SHA1
e98c110d759a023d5d8a06d848d320b1bfba6c67

SHA256
4818dc44248fe8b7be71c93bba0a00e36a653ffe958bfcbc91a85dcc72d3d768

SHA512
57aae9a8b17b61d14d40a3b8778dcbbb5cf0fd0b5025927064df44088df129e1254c4b14911158daf90748e61544042325cbf6a960ea16af1954ba823bf1d8a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
11KB

MD5
9390a46344ba8ba40f8f304e435af69e

SHA1
b6ee684732282828f07b0213b75b33703553fe8d

SHA256
033e8eb237de08a865e4517ed892b0bd882dd25fb52fa02c19b1ff6ec4028489

SHA512
14d2410c868e37fe043c58de0ca240ca7d5282d221b50162c375cf23eec2707ab5073dace0b6f0d6b1e1de94a933bf4062a4563cded14ab8b5935355cbef732a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
13KB

MD5
6b120ce2f08a63fe0cebc716eb33bb2d

SHA1
e7d01ce14cd14eb670e29aeaa375b8c2abae0106

SHA256
52a0eac4eddc541254adb94fc49b37e832bf42c499540ff6b726c647c0cf70c4

SHA512
51ad492108f2633d315b26b2a145b2702058014b3876e708a6dfd8c78f659bec45d87e0680bb02f70a33fd4d2615da11320cf1c2969e2f8e6686f6099503dbe8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
16KB

MD5
8d5044118df0b2db06ec1c6b035a5b54

SHA1
36f1ad090e1d78bb612cda242c6580b1f9f2e389

SHA256
1dabf872ec27e70f19fc9ae9cbad52f8eb62d86e46e03604c4b8adf67743f5ad

SHA512
781616e34eeac01b4f92030da1efaa350c6bbc16f69a0ca93681f523733db7fd4ad0587bdbd88ed0cc259079f35947392cd00c8bda3c20355dcef6d5c0f6de70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
ebb356642773884a89669a368754697e

SHA1
5e142588af197e799414c774432588d8ddc043ae

SHA256
0e53ec0e7fb1dbfbff6977ce042cc1801e6b89edbf7ed2651cc20a1d6f5885ed

SHA512
3c71401b1d6d5bc4a16c478efd1fd637e1642b2d35f7a1130342031dd672c65ecbf41986a4bcf2935f8fc250d1e509ce0760239993deb2a6ce4072f2728fdc26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
7d914bf3c7aa64ed0f31915d3970ff98

SHA1
8a87af2f3ccbecaa45890f4a942d7b3a00757f5e

SHA256
3bcda8d4116afde89080dfa5e1b55f9f02e76ed563d8073a62e20fbb20405447

SHA512
dd2fe30a0277e34267399d5fd33b21efd70ab2566398774afd0947d209e747350491dedb5fbaf9070eaa92fb388c17df72055fa54e5e0c1dbde9a258b4b4ed96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.2MB

MD5
9428ab3728c526e126e365117830c659

SHA1
42a140dca3e7f72ef77a7b3a9b03bb36ad567018

SHA256
1d025b0967f7eb22e3f8f03f702a4cf3991a56570fe82c24fdaeb235420fb98c

SHA512
bdd0b0fd028a108e4ac02d8ef59d3885aca8f28dd9ff1513b957ede096b9f25cd7fb8acc8ceacce4c2b04de23c5255058a8ca67bd69b83bd55aa118989e19e9b

Download Submit