2cee09ed857190b86fb172149b110ef981b07da7cda52f2c0b71dee7d1676928

Analysis

max time kernel
29s
max time network
263s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cee09ed857190b86fb172149b110ef981b07da7cda52f2c0b71dee7d1676928.ps1
Size

2KB
MD5

74b11b2ced42657dac71e2bc9d3bdb3e
SHA1

6ed8eb346f88fa603a0fd6fc5c7564491f7b44bd
SHA256

2cee09ed857190b86fb172149b110ef981b07da7cda52f2c0b71dee7d1676928
SHA512

85afe0d2f15c198a84546ca50ae3e0b07a1e4fb4d9bc0d4cc59ae2ca2335a1ff146be4158479cdd7f9a595e9c8bb6bbed6819c6aec8b4cbeb1444188dd6dc526

Score

9^/10

credential_access discovery execution stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
948	powershell.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
948	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	powershell.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeDebugPrivilege	2816	firefox.exe
Token: SeDebugPrivilege	2816	firefox.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2816	firefox.exe
2816	firefox.exe
2816	firefox.exe
2816	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2816	firefox.exe
2816	firefox.exe
2816	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2704	948	powershell.exe	32
PID 948 wrote to memory of 2704	948	powershell.exe	32
PID 948 wrote to memory of 2704	948	powershell.exe	32
PID 2704 wrote to memory of 2736	2704	chrome.exe	33
PID 2704 wrote to memory of 2736	2704	chrome.exe	33
PID 2704 wrote to memory of 2736	2704	chrome.exe	33
PID 948 wrote to memory of 2748	948	powershell.exe	34
PID 948 wrote to memory of 2748	948	powershell.exe	34
PID 948 wrote to memory of 2748	948	powershell.exe	34
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2748 wrote to memory of 2816	2748	firefox.exe	35
PID 2816 wrote to memory of 844	2816	firefox.exe	37
PID 2816 wrote to memory of 844	2816	firefox.exe	37
PID 2816 wrote to memory of 844	2816	firefox.exe	37
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 2928	2704	chrome.exe	38
PID 2704 wrote to memory of 1128	2704	chrome.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2cee09ed857190b86fb172149b110ef981b07da7cda52f2c0b71dee7d1676928.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1b99758,0x7fef1b99768,0x7fef1b99778
    3⤵
    PID:2736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1284,i,13118348896218056578,3067746063892875742,131072 /prefetch:2
    3⤵
    PID:2928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1284,i,13118348896218056578,3067746063892875742,131072 /prefetch:8
    3⤵
    PID:1128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1284,i,13118348896218056578,3067746063892875742,131072 /prefetch:8
    3⤵
    PID:2924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1284,i,13118348896218056578,3067746063892875742,131072 /prefetch:1
    3⤵
    PID:2988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1284,i,13118348896218056578,3067746063892875742,131072 /prefetch:1
    3⤵
    PID:2480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1296 --field-trial-handle=1284,i,13118348896218056578,3067746063892875742,131072 /prefetch:2
    3⤵
    PID:2680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3600 --field-trial-handle=1284,i,13118348896218056578,3067746063892875742,131072 /prefetch:1
    3⤵
    PID:3840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3820 --field-trial-handle=1284,i,13118348896218056578,3067746063892875742,131072 /prefetch:8
    3⤵
    PID:3908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 --field-trial-handle=1284,i,13118348896218056578,3067746063892875742,131072 /prefetch:8
    3⤵
    PID:1088
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.0.1272898941\1529575689" -parentBuildID 20221007134813 -prefsHandle 1292 -prefMapHandle 1284 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b82e8ca-8019-400b-b447-b3bd52c3b99f} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 1376 13a07758 gpu
      4⤵
      PID:844
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.1.1048040912\1637564937" -parentBuildID 20221007134813 -prefsHandle 1544 -prefMapHandle 1540 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da4b9cd4-f4ad-4a8d-8310-cafa0d189d41} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 1556 f3eb258 socket
      4⤵
      PID:2996
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.2.1471498601\1147437182" -childID 1 -isForBrowser -prefsHandle 2172 -prefMapHandle 2188 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f8f7c36-94f3-4514-9ece-26b86dff1f4b} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 2136 18ec4b58 tab
      4⤵
      PID:2552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.3.2053472716\654963723" -childID 2 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90366c63-c7b1-4a5e-ac16-77a1d9edc7df} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 2992 e63958 tab
      4⤵
      PID:1612
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.4.644046294\1410117245" -childID 3 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36b0ed18-4342-44b2-892e-13bd004a7af8} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 3688 1effd258 tab
      4⤵
      PID:3124
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.5.1872246467\1937532043" -childID 4 -isForBrowser -prefsHandle 3816 -prefMapHandle 3820 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8c28f6e-6955-4dfd-bd45-d6ace6515b3c} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 3804 1f0b4458 tab
      4⤵
      PID:3140
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.6.1802892772\1915986142" -childID 5 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5456f99-8a4c-4f1f-8e64-5f9b37e746c7} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 3976 1f0b4758 tab
      4⤵
      PID:3148
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.7.994334517\1699598561" -childID 6 -isForBrowser -prefsHandle 4212 -prefMapHandle 3848 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7e39605-a8a6-4e4b-89d0-77918451afe0} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 3852 20f6d658 tab
      4⤵
      PID:3656

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3f2ee8821ab7543e24c69ec7703d3cb8

SHA1
7808a7311527465fe538d274465bed7d868eecc8

SHA256
4f2a26d86af059846e78063c9467a25244302f32beb431fe7fc616264aa3ee64

SHA512
57e14d2f19adc02936e14f70c57995380487b9d66508c89c86f0bf81cc7ce2d57bc33fa2c7f5d8852e1b626a9dfd15d168541e93ba5e3c24b7fbb0b42259d439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
aceef0f3b30da852900c38c3083aa4e2

SHA1
1aab822e2c0e6a7306ff9c445e908e2e75c768f9

SHA256
a10b15fed61ecd6167b37412b5505e36c9f7029845b8d7e26a2736ef7a5b005a

SHA512
2cf840066e95d28c075bf9ee72191b9ab64fdd9caeee34932d9388bd89250ce1bc3c46ed05493dac92413666a23a55ad2eedcb0d90100d4dfd03dd6b2dfe943b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
740ab06f81464faccedc7dafa37108e6

SHA1
f46e84d9a8501a8d5b35a0c6230b06f071d14298

SHA256
8ecbb859a310cab6a287905b12c0e4032532a1ffddf85b3ec1f7dc25fb2734f2

SHA512
b34727e0f6fb0baa7b4cfee8977093f0f33316a6643e598dd75af829c987673e2aba566ab5f7df6c1d15a2d9fe0a78da0e6a84134265c9410b939cbb5da752c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c6dae91cf36f6e33c0b07936df9ada28

SHA1
0007dab96f06e842ef17518d5b2cb08fda3158cd

SHA256
7fbe70004e3b609ee7c842e6caead84ce9bbf447a0825e131c3fa98e0d150800

SHA512
1c878f739104653845abf1a340c0eb4c6f6c247d7259874c4f97519a9c899d626f3e061ec8464ec3a358de4d7fec5d6e6ad2a207b32075b1dcf785ff08e82dd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\eee851d7-ce03-4b58-a6e2-3c8bbe871ffb.tmp

Filesize
5KB

MD5
d8ed3e552b42ec02520862244bcdd080

SHA1
317ac3a583c1697695a1d21697d40ee545426c38

SHA256
b758a242b687db510b2faea6bfd0353e344451213775dc22124f6972292d31f1

SHA512
1a4ffeb0579899f0950b9ecf41bd5c68218925b43c0f5432d293d4cd70ac9c52239f5ca77ae442df35b587bf3924836d807c57dcf5ac18a2716e0c96415b185a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\activity-stream.discovery_stream.json.tmp

Filesize
37KB

MD5
2a63c5bb70821467fa586fc367622db5

SHA1
822f784e050dd7be0c26f6a220d0cdc68f1d36b7

SHA256
dbfba8d496946a4c4a9b168fe7829ec7ba2202a6e0445bee677d17d193fd9849

SHA512
91f1f2098128706db454e66db51788ce0829dd7d973e33641b97a338408fcb7b8e78e9a20f8a964260b9db7c2aaf459d684ab95bafec2fc252dfa4f4793ed5ae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\activity-stream.discovery_stream.json.tmp

Filesize
37KB

MD5
8ab519d2f4013b659246305a11a8e46d

SHA1
e96be99811b79fdb928cf93ae08662a792b1d0a5

SHA256
439f7c5c64fc78f16152628b2be662ca67c28332696ed039303ffa395155d47d

SHA512
f3b671e8a1117fcfc9421f5f71ed11bd8edc0d0278025968ea0678f3785994f5077aba81487f59a3810b7ce8bc3553fc8d1d8a0643891146bd12e18871e8f597

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
8a1b0561c048a0f6edcf62d53e6ce6bc

SHA1
60da0b6f50347451aec6a1a6aba4d56752152d7b

SHA256
ca241195ea3bab8d6143c662eb768191d0d9ee7d0ba820f0cf26379a264fe87d

SHA512
6d127daaf13d874190fe8106ce2c877e9ff8768996e4604bd8d9f38045992974d28842940a2459f1c6fbd7a7146137794fd21af6da1a9df2f34715e1d299fc7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
df2d50416ca6916b550df3234d7d16ff

SHA1
69e6f198e58f9589a4ef7e247a5843fed82b5009

SHA256
134df61178be88ca24fff4aa55d19a348fb796a0dbd6d2e9e08e15f0e9a2478c

SHA512
e76d5db2eebde140553e0143724b47ceadd44d514da3e52c9f455af9c7a4940c577e485ac72ff7cad1f41263e6a9c4ebdaa9c26e8a4e4bebbc95b6721fab90bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
67e98920287f69096a405d61bf0793cd

SHA1
8b52bb259896603343d739e052d47ef50a2d373f

SHA256
07b5b15d68dcccd176f1e7cf14c4989aa145275cb3e7fff6b2eebc785df331c0

SHA512
4252e386101a53a2340a41c8169147af559f6a247818a270b120eaa228c895612f867fd99e54e06a4867303e192625b857232a53959c9537d6cf630a67b5b373

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\pending_pings\100058ca-6d2d-4bb9-985a-2f98d8d39cf0

Filesize
745B

MD5
3e481cfd7f2d05c7c584681fb612b886

SHA1
67dc64d90855fe6ae9c2d3aa562236dde68a0742

SHA256
63a8a350b1c5e790c4ef743357e2b4a9999f6eeac346c4f5f0fce3c4aa85511f

SHA512
e28eff218e0f547b21400d57eed5cb8136f0c95b437f94dd3ead80136dd9e61ddea0ac7cc567ea7be143942c69b6bd96ae41601dd2b3c214459b6bdbbee37a3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\pending_pings\87a0d5aa-2a98-461d-bac3-04e7ee358298

Filesize
13KB

MD5
fffad8c58d3ef5b6b38f5cb4239a37ba

SHA1
c32dd11b794191e79bf696c3f4a8a5a26d9e7db5

SHA256
6046df85a1baa672bd2cb8ded84925f7dd3ee79c0d5493733069f4510cd5e0d0

SHA512
0fb7f3b04f3a87abb7117da87096babbe84dd4112818bb7eb5d392bd8f7af35170f31d7021b106428cce064a9c817a2b787a93b6e54e406db35c7ca091f9360d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

Filesize
6KB

MD5
d1a1727905bbcff6756cc21eb3037cee

SHA1
6ae78e350ccedc647771fba33f64b99f261b559d

SHA256
8583d51179ad1b94343c3ab17a326f256e656a8fd59f846f9268d7cce75c95e6

SHA512
2a5d69a2dcf46cbee128a8d7d8cb96a725e0c48d4815e6311fa625c52c68d807d3acda57fb807a2cf250723889af9236101fa3bc95f8db67f1f7ef8d1d485e67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

Filesize
7KB

MD5
8ab3f2747aa07537d3677e770fe12ee8

SHA1
5ef6a596c838bdbe25ce494b899c6151a2223d2a

SHA256
862a5695c34151d6576fe06310a3f0c9a60a542b541947def31e66002a39a856

SHA512
cb92ac2e5016cfa44b029c9ee0a6c698de368e85ccb9eb5d598f68a4e2b842d03eead4a14d307447734d79930de1f9aa65427ae068ef748ec32905828bbdcaaf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

Filesize
7KB

MD5
e2773db130486298e7084dfaa902de36

SHA1
0ee85adf8b5ab9026da9a7bb6c2bc2c2c3949c82

SHA256
632934c6d28503fca51494986e6c3f9b8eb96cc87aa87dc082bc74262a6e812f

SHA512
2e11aa855d3a17bdaa6ff33749cb4bd16f7aaa2996a4cbb21671cf51e2997bff8c8457b76b0fb799ddce1c7fae01baaed4bc0cbac81c701552c76feb0f1b1e3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs.js

Filesize
6KB

MD5
2079a5d34fa9c838c5b4904940dba665

SHA1
191721a9295f79da486cd8256dffa8032249bceb

SHA256
87350a9825dbb40e0c33cf49623ec769895f8e5eb146e2c1ec5a1a970ce163d9

SHA512
cbae5ca0eccb67288ac1a5ac6696cf07559f09d9f3d326d6c68b7c7cb650f20a52aaae488d3155fd65f6d2c977d85025cda8d0cc02cf6a7c00978be6ab104e40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0631161890e4611238e138f46cff7888

SHA1
296c7b8e4e1c3a96f5dbe10c2a40b2e90c8374b1

SHA256
5bb393af993a006a786cab31574d546d18b15044363c87cb390acbc1c6602885

SHA512
10fbfbbce83d6c03d4694ba1a5741b6620386679b000db1dcb645aab67448d85f3ffb04c074b4356ee704e0caa3ba6c572912b0caa5798e9c14afc385e5bf0b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
423cb25555dd9b2bb19d6af1e4280199

SHA1
5f4a1969f41114e8855c53f719ff4758a347e964

SHA256
02d0b8aade94c432a985c7b84ac7fd6904bc983b596fa634ccb17e841d15b13f

SHA512
17b1eacf7f5de7cb0af80db7ebd1b059dcafc14ccd885e001f0b24024237907ec266ca1cf371f23d1efe3299b5f8b8632aed47c7fcb415973f62e56494597d73

Download Submit
memory/948-11-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/948-4-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

Filesize
4KB

Download
memory/948-14-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/948-10-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/948-9-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/948-7-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/948-8-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/948-6-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/948-5-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download