e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 01:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe
Size

896KB
MD5

b5bad63608cb3a09248178d1e45f8b29
SHA1

97ea04370e875695ef2a07acacab98c47942bcf7
SHA256

e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100
SHA512

46f685442fb20ee189b475e9db656b5a4e9558c08c00b9a18a430cbc882d10ef0ea6112aa31b532ae9632faf7fa2b7bd88ded25d17914fd2eb4b762926fce96e
SSDEEP

12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTj:GqDEvCTbMWu7rQYlBQcBiT6rprG8avj

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe
2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe
2592	msedge.exe
2592	msedge.exe
4616	msedge.exe
4616	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	firefox.exe
Token: SeDebugPrivilege	2204	firefox.exe
Token: SeDebugPrivilege	2204	firefox.exe
Token: SeDebugPrivilege	2204	firefox.exe
Token: SeDebugPrivilege	2204	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe
2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe
2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe
2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe
2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4616	2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe	84
PID 2416 wrote to memory of 4616	2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe	84
PID 4616 wrote to memory of 840	4616	msedge.exe	86
PID 4616 wrote to memory of 840	4616	msedge.exe	86
PID 2416 wrote to memory of 4472	2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe	87
PID 2416 wrote to memory of 4472	2416	e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe	87
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 4472 wrote to memory of 2204	4472	firefox.exe	88
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 2204 wrote to memory of 4228	2204	firefox.exe	89
PID 4616 wrote to memory of 4212	4616	msedge.exe	90
PID 4616 wrote to memory of 4212	4616	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe
"C:\Users\Admin\AppData\Local\Temp\e846b126363062be5bd8a38eab0e0eaf92e9a6343e46ec5713801ffbcac93100.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcde846f8,0x7ffdcde84708,0x7ffdcde84718
    3⤵
    PID:840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3321913652390398798,2221311300388282557,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:4212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3321913652390398798,2221311300388282557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3321913652390398798,2221311300388282557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
    3⤵
    PID:4924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3321913652390398798,2221311300388282557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:1388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3321913652390398798,2221311300388282557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3321913652390398798,2221311300388282557,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4736 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4368
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c062cbf-2303-4433-8df3-837321199af9} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" gpu
      4⤵
      PID:4228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f252fb1e-03b8-441a-8c41-21d5cbfefe56} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" socket
      4⤵
      PID:1784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3316 -childID 1 -isForBrowser -prefsHandle 3376 -prefMapHandle 2972 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9605c71-7328-4a09-9a94-c855a6923a7a} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
      4⤵
      PID:1724
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3832 -childID 2 -isForBrowser -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f18d55d-0387-4a13-9434-59568d6e3d03} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
      4⤵
      PID:3864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4288 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4280 -prefMapHandle 4272 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e06f019c-cd54-48bb-bf46-70a66c9bf41d} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" utility
      4⤵
      Checks processor information in registry
      PID:1128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f8581e7-03db-49b2-8263-667a43dc650a} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
      4⤵
      PID:3728
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5576 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e54f34bc-5bcf-40af-a291-08145e066af4} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
      4⤵
      PID:1520
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5856 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54451e35-940d-48fc-a619-d94cf82c4edb} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
      4⤵
      PID:2028
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 6 -isForBrowser -prefsHandle 6236 -prefMapHandle 6252 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {535f1f56-2e4d-438d-82c5-186ae5dd9ac9} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" tab
      4⤵
      PID:5184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
fcc390cb041318aa640829387463f3f7

SHA1
4c4cc41cbabadd930bc87f46ff978d3ef63b3711

SHA256
f931beda765c07fce0fe590c55703bf7e655ce7a922fee13f131568e6f58a5da

SHA512
c424fc2957dfe1147e3f1058b3dff21c1de610477e424862afc2600f50feea3e192d55fa595bb7d058e458947416d48717f051166f6389643264aa05266eeb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7b48f1bfed0e356e7d7b6e72aacf710f

SHA1
d21e650844d6d8a7845baa5684bf842c57a16a6b

SHA256
67977ec955932d9c162c192f17cbb084fcf41abb6299b756dd9d9a13c2fc0223

SHA512
9b131f0ba62abed9a7a8f8bd19ee9f7a3af5090fa073accb902cbff1fbe3dae24b3528ac4ff6082ecfddd812108779958320773f301852080838eadf5d30ac11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4a37ed7fbb4f4c6d111cf93a41f5995c

SHA1
84b5c7a6f81d2594217da21d61363b4d02d93dff

SHA256
d07a304f102de318586ed6e5e258ce0f637c9180f5dc1a8cf9770701c60420a4

SHA512
b5cef287703088abbc8e425ba4785758a6dac99bf3defc79c1316247be0b4f05224c8c48e34cbd704b4fecf7233e446ccba441adc3043257cf1cad16c5a9c509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4445ccc272a28ad417a71499bb83aec

SHA1
e2c9b8dafa4c9f92264cfdf7e8ac666819d96d93

SHA256
342814152fd64bd6c7dcaa63a70376bb7c3d812965f58e01e1e9b5fd2cd7e627

SHA512
f9365f079e485d283db98e20748dce4aac3b50b70986af6f80dd54ad424cfe1c782ac2a4e1f071c830e239d5d9250261e03ee8d1124710e0b81099c149e8e397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f615913f921eb94b43fb9e490ab06921

SHA1
eef664188047d8357b453864335d9d51ec83465b

SHA256
875bea1a4da50d9d3ef6bc8fa5ee201565c45dbe0d64c4f1836ab022f8c5a138

SHA512
3ae990f73c1f732ac8ed5cb90874961d4168d2cae03fa0fe0d83f88b96032d502110e86a8040ec35a700b058042be05db28011fd4f133ae91bf6c9a97cd4e474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
b9112060401a65727f6260400a5d5a23

SHA1
2d6c5e07f6557d387ecf96a6350f259a6777dbb6

SHA256
a2b9cb9c758530ea787c6232358fc81c3d3692bae7bcfa2e61c5db8810f17426

SHA512
de0d761a04501698ef1d4f75dfd85594ee89c6c4f46946bf6830fb656988d028dae0befd9da8025ed770c0b240ad5bb033d8a11a27e1786a2f94c3e1f2a9245e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58bcd3.TMP

Filesize
203B

MD5
535527b9dd70a10799073016e013f473

SHA1
feb601d9c21501372572cee122b3999839d0ffa9

SHA256
ff868278eb8254529e796b4e7a55869f2ecf11dc6489892cdf450d861146694e

SHA512
a13bf54d34ca59a611c7594438d3d3825af85c4360b5f87a4554a6ef5480cf0e928723839deafb13fe636d8758c4663d307e5206efb54e342aa8da834138ead0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3a143341ceaa5e7e429d78a758626e44

SHA1
3bc7665339fcee57baba65ac864b2b07cd4d82f7

SHA256
2859c709fb35d7297dbe1d8160dd2f5f3d6b1aa9e079552f2c117ae7ae6c7690

SHA512
1295719ffd1cc5af9969df43846c72963947d87f61bfd3243a2d044486210accd0e910334c4cdee1e8f0b1a7f9c906a658ced6c1fbf3eb0c88f372ba1c7772aa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

Filesize
39KB

MD5
a5e7aa41f4464fd34e34771900ae0b00

SHA1
feccd1f365d725a3345e651e7902571e5b9573d5

SHA256
107c6a27bdffbef3b5675605915db3bc816d480a633ff02402feb31c7998253d

SHA512
988a2b780c82b5b352653445659aaec5d00af6f19ff7a9eea63c20bff693f111cd436794e7aa2e980ff7bd6ef158354c828b2605ad4e1ca675f54d07cd896b48

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
c9b44af5357ac8622bfa6ae658c36e1a

SHA1
22e536809ae6fe567aa5c3107f01c95b299b1020

SHA256
9fb6b7f68e863ddf8e43243c55410ee632cba5d5d00950018eef162b74ccb03a

SHA512
8f4bb4194a6757b141c2c489402af7312063980da40b4a53471d09018d80df141ac9edb5afb2aba4534bf8c96717e2a84c355e34d6cd571167d503b893743167

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
6KB

MD5
dab4ea732f793a2e82498c6bc0819236

SHA1
452d9796d1490b2d4dd7c4b8f5d517736aa5b465

SHA256
25f3fb54b003b5ae57dda7efc55e2103493539f811a0fc054e28c404002314b7

SHA512
e8e3a701606e5fa949bfd70c9876f7b372c2edcb01d3e65f89d5f21ceeff3f4a8b8a8bdf9a31c0ceb23caf0d16c81938b2023a759700ad8efd4c2d1c094feeb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
895532cad4cb5b0a6a7fcb6e8e462ba7

SHA1
731ed790ec61aac4b931777c6467ad7594ecf651

SHA256
50c9d0ffa92c89df570f6cc8c5c5cad306ae9fc5ffc5f4fea3226312d096b7ad

SHA512
3eb4233fcd9b146b7535c54b61a87addf0a8b990ca9b8f870d55b2d73c28c7b70b2cc1d8447ddcb53fdbc0ddc8871d08e9495bb7ce140f3aedab6aea86e20d6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
13KB

MD5
08a36be3230625869ced4bc6ab5324ab

SHA1
ac8034052bac2d9d844a6dcd062a5b07668f693c

SHA256
3d06badaea6c157716c842f6fc672f95513b93da8fd610b71e0913b79e097ca3

SHA512
ac032723054a1bf500fdcad0cbc3926ce3d266c5779e97a2bb82ff0a2f368afb09d2f6dd069b7dec93a68a83376453d776e01531757c0bb2a67284d63b0c5e52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
16KB

MD5
8604d624bd6b222b3b6825fc92220238

SHA1
26614839b540323d291e83c4b20336c023db2258

SHA256
0e5193dd70adc405bb740311910963632c7c2b649e7f62ea42d8d4cd413a7251

SHA512
756d0501c066bbb1f68c3682c598305f20d22552ecc85dd374cba1695e3764ef86c80186011e42d7dd6ac6586e75366ca0464cd21431f82cc3c0220e3739c193

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
d1c779e048c03f21ab2a135178011f2f

SHA1
df9d89acdeae7016ca6240328c86b20ebd292c8b

SHA256
5f4ebfe82fd53a0bef7af325811f25a12c68c715a40506e9c690233352526f1b

SHA512
44cf920c3555f358cb988c4028eb3203c2f6c7cc360894daf46a063e095a30b20947548decb08c9a62744e32606e1de9796c958861303d2c34ea6e70e6bc8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
9db28406840c0f98d6c3ef33f77a9dc8

SHA1
530dff2768d4fc70d3c1a021e308ba7c85872622

SHA256
49eb0618429baa895765c3805010231c074226ef1a768dbcd9d2fb87ed3766bd

SHA512
cfb4c232fe1ca5401a42ec13edd9ab891f8a390cc55bb7bb4c86db0685bbfbb851da7646a91eb59ec3234d6086fb7732d5e8509b96b29434c887a865aa5d968b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
78006f9fa3c674054ed10452a0d05103

SHA1
d7fd0517bd5e0b427de190e64d7b92324efcd37a

SHA256
234001173621e717432ebf3036149e93ef8993f6a0d89e8629100c8a8ff4ef4b

SHA512
8020ecc8dcd91c43e99c5f313ed73899d78c05abb73081e90ca1f2385b8d8e851fb6cfb25f5518d3a4e5bdceebcb0324be915d3b8ba115d16ee6701530e25351

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
392c1f4725bd31a4f7cdfbe155d9a958

SHA1
418e3c288f8541336ab41884a5c50492a696572a

SHA256
9ec465352dbd6bf65d9391fb2484bf2646022306fd30e92b358cb494c29a4007

SHA512
f15156da3b1491feb7ecd54e280a72f1a26d386974fc8961aa9c1c72399971789dc3263cd2970a224b74916d1ae7af0babdf9046a46791c28a8f2e4355e4cdab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\139392a6-43c3-4bad-b803-6790b56564ea

Filesize
982B

MD5
4646021aa9438bb0dd3a1f83686bb5c8

SHA1
1d82f6d28d35efaff8f62fe410ba5065de456841

SHA256
25aa78cd0315ced8bd600ff950e1dde81e1c6dc10614b8d5a6f6e3c767067177

SHA512
8057e6d8304caff603b723721f60ec52e8c9a796e509af223fb90a702460851c89a2ddf555c2804de86d6c6f52cf3cff68097ab8a7b283966d12bbe7aeeaaf76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\f5dcc921-e7a3-4f97-ba99-a7e7910fb19a

Filesize
659B

MD5
3692bc332122c58659525aaec318a4a9

SHA1
59f5283ea61c7a3c1e7d7306f4ecf1f9a12b6151

SHA256
378c6206cffd850fc16c8a732f6d096360b24e4832acb955c9fe3acc54323213

SHA512
9db6cfb55f61751f477ed3a3ebb5cc4675891b92c7039f12a2dc59632d212237ee6a2179b2856a363e73b7b85ed18b3ab5294cb31dbc4c5760aa47c9a9d06686

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
11KB

MD5
3329b55dcd3d7b8b9c7df59f09a70136

SHA1
7d5a234abc5ea050269c306d40f53931fe86ea4f

SHA256
a9c613588a77ff67c48166ae969e8ae63ceeb595993cbd957f588937471fec15

SHA512
50860739dde526afbadbce9503cdc7ec621d6e150c4c5f863e62ee3d22e87b9e967f39821a14b936040c2b9f5c959831a766129570cb1ac05cc6801f9bdb66c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
16KB

MD5
e58cb19b9e853506d3ec891d19cc7123

SHA1
230851b29dc50bd89a39507179ee948e32394aa3

SHA256
f257d9b52ab45c181d25bd7ebeb000d7cab1ac253295946706bf919b0b09d5d0

SHA512
bf8819b8556dec8a88b2cb4031e4845aae8e9fddae89df9d5c2e6a347815c17b3e0a0650bcff5b066c6327b1983f3ee0e56ad4aeea44ba75178f8dddde3cf47e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
b4302006333030eda0f958c0a5f3cc45

SHA1
b2f22e72f1e8800a05dba6be53a410b4acda791d

SHA256
1f1b3f466aa79200817ed242f8c2e3b778733367055c50f97a4e30bb2926fee4

SHA512
01e6eeab332f5b0a94481918d77a8236801f1e0df8f6f96a7090d63d01712cac9944036a7a925c486a4099b40b537fb1e41ce7f051afb158aba3bc4d7633916f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
12KB

MD5
051cdbd500865a5a2c01681036872bf2

SHA1
acc8a24fac0ffede7108f0c0e90704ac1f7e1179

SHA256
e73497622e4601e9e8ea2943c8a76d548e16fb0de47bd99ebdc1ba4bd5dd07d2

SHA512
13a64f3007a34ea3a06c051a6b2a7f6d0858f033dec4e2879539c046cdc611f1b565d6d306326675cdc2cd19845a7b15e5e00a037c99dc368d92e920c04c860e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
61e86291e7a2372b30167daadef15f29

SHA1
778f8b90f929c157c9484285b4892f7c1213b166

SHA256
328035c80cd535b9c106fc53937f8455ea7937432d66fff15311826fd8b3bcc4

SHA512
7d570cdf10a3ffa5b7592af2294197d725f27f9d4945052a876e7e3e01e78114a425ea15ec4088591221e5bd82e3ec3ac8757a66348b6e05bb87f061dcc30115

Download Submit