21373a6d949a357dd7cab0df39490d440415d0887316430771923547f65a349c

Resubmissions

05-03-2023 10:32

230305-mk95wagc54 10

26-02-2023 16:19

26-02-2023 16:16

26-02-2023 16:07

26-02-2023 15:50

26-02-2023 15:19

Analysis

max time kernel
33s
max time network
158s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-02-2023 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChatgptHelper.exe
Size

36KB
MD5

b50645ca6885b8f2dfd3571eae7afd1e
SHA1

2bc22b2fe4b75825deff008634390661b7802de5
SHA256

2a03b714a7d8a52e79746c1bb5fd0a08615f526d6390272d5678fa452846840a
SHA512

cd7eb7f8bbd4d3b30d7fd3d51f57f2202dbd3949463ec225df6b5c4c64f3cad9bb0f4e173c996cfde570877edf23600937ca5eaba8180083d92d9c83019338c0
SSDEEP

384:of+Nb7LsikZ9zNf/1uyU71evdjsOaP0rAF+rMRTyN/0L+EcoinblneHQM3epzX4F:lNf4l1lU71e9FacrM+rMRa8Nu2Pt

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

328 netsh.exe

pid	process
328	netsh.exe

Drops startup file 2 IoCs

Processes:

ChatgptHelper.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\330867499299d35c5dff831d5c393122.exe	ChatgptHelper.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\330867499299d35c5dff831d5c393122.exe	ChatgptHelper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2908 taskkill.exe
2352 taskkill.exe
2648 taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1448 chrome.exe
1448 chrome.exe

pid	process
2908	taskkill.exe
2352	taskkill.exe
2648	taskkill.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

ChatgptHelper.exechrome.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2000	ChatgptHelper.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: 33	2000	ChatgptHelper.exe
Token: SeIncBasePriorityPrivilege	2000	ChatgptHelper.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: 33	1396	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1396	AUDIODG.EXE
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: 33	2000	ChatgptHelper.exe
Token: SeIncBasePriorityPrivilege	2000	ChatgptHelper.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exeChatgptHelper.exe

description	pid	process	target process
PID 1448 wrote to memory of 1964	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1964	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1964	1448	chrome.exe	chrome.exe
PID 2000 wrote to memory of 328	2000	ChatgptHelper.exe	netsh.exe
PID 2000 wrote to memory of 328	2000	ChatgptHelper.exe	netsh.exe
PID 2000 wrote to memory of 328	2000	ChatgptHelper.exe	netsh.exe
PID 2000 wrote to memory of 328	2000	ChatgptHelper.exe	netsh.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 844	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1248	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1248	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1248	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1208	1448	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\ChatgptHelper.exe
"C:\Users\Admin\AppData\Local\Temp\ChatgptHelper.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ChatgptHelper.exe" "ChatgptHelper.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefad49758,0x7fefad49768,0x7fefad49778
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1208 --field-trial-handle=1256,i,7733532870918832518,14436979058915392407,131072 /prefetch:2
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1256,i,7733532870918832518,14436979058915392407,131072 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1256,i,7733532870918832518,14436979058915392407,131072 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2172 --field-trial-handle=1256,i,7733532870918832518,14436979058915392407,131072 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2220 --field-trial-handle=1256,i,7733532870918832518,14436979058915392407,131072 /prefetch:1
  2⤵
  PID:1608

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1688

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2200
- C:\Windows\system32\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /f /im chrome.exe
  2⤵
  - Kills process with taskkill
  PID:2908
- C:\Windows\system32\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /f /im chrome.exe
  2⤵
  - Kills process with taskkill
  PID:2352
- C:\Windows\system32\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /f /im chrome.exe
  2⤵
  - Kills process with taskkill
  PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefad49758,0x7fefad49768,0x7fefad49778
  2⤵
  PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefad49758,0x7fefad49768,0x7fefad49778
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1280,i,9510164448832022935,12093108082500451878,131072 /prefetch:2
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1444 --field-trial-handle=1280,i,9510164448832022935,12093108082500451878,131072 /prefetch:8
  2⤵
  PID:1908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2460
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:2468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.0.1580401832\813564148" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1188 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {831e4e2e-4402-44ba-a576-e35f6e310915} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 1260 175fa858 gpu
    3⤵
    PID:1192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.1.310499523\544242795" -parentBuildID 20221007134813 -prefsHandle 1452 -prefMapHandle 1448 -prefsLen 20971 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ee02981-b3bd-433b-ba7e-f1e358b455a7} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 1464 e72258 socket
    3⤵
    PID:2528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.2.1329327432\1473063075" -childID 1 -isForBrowser -prefsHandle 1068 -prefMapHandle 1772 -prefsLen 21119 -prefMapSize 232675 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77be9a6d-a9fb-461c-915e-7578a768facb} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 1688 1fae3158 tab
    3⤵
    PID:3012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.3.1237098077\1335806419" -childID 2 -isForBrowser -prefsHandle 2368 -prefMapHandle 2372 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a412d713-2089-423c-a204-f84bb9a3e057} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 2428 1adbdb58 tab
    3⤵
    PID:2312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.4.1456533117\1157272775" -childID 3 -isForBrowser -prefsHandle 1892 -prefMapHandle 1888 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d35509a-9fe2-4937-9fc5-0b15972605ee} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 2924 e62b58 tab
    3⤵
    PID:2296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.5.531208618\1821367719" -childID 4 -isForBrowser -prefsHandle 3152 -prefMapHandle 3188 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc331b5a-36ee-4e3e-bc82-d77bb6bf3bdd} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 3200 175fba58 tab
    3⤵
    PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ce02c3a1c2e2258c20b1dd34b4a59138

SHA1
90b58959a14186809ae02b948820e46c5725bc13

SHA256
9a2beec3fa05d9df01bdc7e7fadf883071062497bfeae892ab0337f263813d12

SHA512
f23196fa06d28b33455db7be66cca56ea5fcd110c4344725a19a7625ade33b39df1fee7150aa977f6e6ec08c8f5fc8cbff1772b2cb4e43737b6fbf74b964358d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ce02c3a1c2e2258c20b1dd34b4a59138

SHA1
90b58959a14186809ae02b948820e46c5725bc13

SHA256
9a2beec3fa05d9df01bdc7e7fadf883071062497bfeae892ab0337f263813d12

SHA512
f23196fa06d28b33455db7be66cca56ea5fcd110c4344725a19a7625ade33b39df1fee7150aa977f6e6ec08c8f5fc8cbff1772b2cb4e43737b6fbf74b964358d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ce02c3a1c2e2258c20b1dd34b4a59138

SHA1
90b58959a14186809ae02b948820e46c5725bc13

SHA256
9a2beec3fa05d9df01bdc7e7fadf883071062497bfeae892ab0337f263813d12

SHA512
f23196fa06d28b33455db7be66cca56ea5fcd110c4344725a19a7625ade33b39df1fee7150aa977f6e6ec08c8f5fc8cbff1772b2cb4e43737b6fbf74b964358d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\962d5e1f-0f4c-4443-86db-63d9ee0aecda.tmp

Filesize
4KB

MD5
7770a91913d760d68755bfc4d87b59ba

SHA1
0d1e268f304e8e88f9240146b8439c61077eed44

SHA256
0e1092968fca1b7122cc013ad823c0fabb5c4760abed6740419f1c4ed6e07b34

SHA512
38396375520d6df5eb34c830e838253d9e5061de0ee6874b909e02b84b3d2652cd1cc74bfc0c3e339cc92e81537e9d6e3abe738f94293bb1b6b9e7e7b2cf7a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dc6017ef-d8ea-466a-a5a3-5f13d0de195a.tmp

Filesize
4KB

MD5
65603cec8cf743af8df87d98d029e20c

SHA1
9e271c32517dd96d2668bd94a6e5051823309980

SHA256
e0470d1fdcdc39e25edc3c8d6b2d0cc06925b3cd6c53163113249d461d22464d

SHA512
173c9858bfe58849ceec099e9046a10943d4f18cf9c016c3337de52f2e4845575cc4e8b966e1f29ba4ae56106c9dce1f9a2cd36b9d1e345cee103fbb7a82fdf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
f1341bafa51b107dd47fe4517a7d6ecb

SHA1
2f1ac836bdaaaa5530d8c653db29099d726d6ba2

SHA256
5d84b19dcbed2ca00717ab504e2cb734c56888bffcfe5fd9878e0e987de05931

SHA512
1d146452bff6a4d4e2ad2b5222b14af0335c392886acbce6fbd38f7740b5116dbf674cdb225708f6e53c086b7443e1033c8b7f931043e074d43f69bf2f55b15b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
92829ad1fa866247eb3197a377f81277

SHA1
1393651095bc45df12963faec02dfd1090924979

SHA256
cdd661a7f550740d8a9286f02c9c9978b7bb62b0cffa6e457633ab0f3a25f27f

SHA512
b0a7344ed58f53cc3d5ef2511202ce89a9b05ef1a22289e05b1471689826e69d10431a1be9ccc57972978007289d711061ace7f3385f1e387bfea38231c2b6eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
fbc4d623da43a451ef02789879b37a40

SHA1
0fd18443d8bec739d460f66563d1ad438da874f9

SHA256
6dfc1d536660c48913f92ce3357dd9cf81a5f081accf7f1f72bee77c564adb1f

SHA512
7262763824ca8b21f929a164fff11b1a3e3ce277318b063d5c91ff04b318fb9c773fe9a507ef70792a6ed59dc64eb67cbc41686983ed6c728046da0e1b838840

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
257ca036e7c33ca8729cfc11675d1885

SHA1
fbebbf71d6d5c6a1dc734059e72b6fad6cf680a6

SHA256
8dc72b9a432e3f3f5f86165ed57501c1a46f861e37cd7b5b324c1252c1632163

SHA512
6560267bb17ecdd6a119fdcef9115747059ac4dcf22fcc759b152f00d7720df69ec0f71d508478aa4855670bb6e2916de05a562a0693d261cb538b2e3b018540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b162e0d5-2e37-4817-ab60-980f5627d4cd.tmp

Filesize
140KB

MD5
6e52f1bd8f28cea34eab36d5b5d0ad74

SHA1
2ab03c4dcf7b6c9f81381b373265e7d90588f939

SHA256
8b46e1c4c960769377628b89a8f2526c9761ae07feb4aa8815f07eb23343209f

SHA512
172ed370b98c54b04ad09c075730792354519ef596af7a2f9a65836acfc40d6d8e3b63fa0f67854ab8ea2ca4799707230561d9e03213a73f8d19d371a68b7782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f1f36f03-4678-404d-bf71-53bb796e76f2.tmp

Filesize
140KB

MD5
fbc4d623da43a451ef02789879b37a40

SHA1
0fd18443d8bec739d460f66563d1ad438da874f9

SHA256
6dfc1d536660c48913f92ce3357dd9cf81a5f081accf7f1f72bee77c564adb1f

SHA512
7262763824ca8b21f929a164fff11b1a3e3ce277318b063d5c91ff04b318fb9c773fe9a507ef70792a6ed59dc64eb67cbc41686983ed6c728046da0e1b838840

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\prefs.js

Filesize
6KB

MD5
26b09660b11450d3ead4bc6a2a4d0077

SHA1
d69e65efae83a24184703949b308de45d0217880

SHA256
633729ab3e06b4e256b80cf5d77d5d51fff9e509e35bfa2d3fa44eabd76b7ef2

SHA512
fbca4293de0bc263568762c6f19ad31fd57c0538060f8a4370a472e3fc6a9544468267ebd7c1e74b1ff18e98e33f633e1198220c7c6a5d88f07fda16dd15e377

Download Submit
C:\Users\Admin\Desktop\CopyEnable.asp

Filesize
499KB

MD5
080adabcf51b7dc1b114445e98ac48bb

SHA1
79b4504b6345214dc7e54d0a39f0382bcdfb426d

SHA256
4379fc31be1c836be580b4ea9dceb3b1ce4f1153a9cc9c2cc0e39b688f6e1774

SHA512
842e7090792588b19beba69dbe7700ab3f5d987d1baf0a6b6dc80830279d20ec139ba09f39052361da9c7e3489084b526653305308f199de51848a437b92ab8b

Download Submit
C:\Users\Admin\Desktop\CopyUnblock.wmv

Filesize
255KB

MD5
f6f2c8ace86935d4ef7a5f71cffb3627

SHA1
ed6d139a2e64688a58e5278a4a69c4cace7f4c90

SHA256
ce62239d9ce8dbf08cbf9d73cef7936c378b38c8ef3bd61bcb61368dfebd670e

SHA512
5e45b25e2583934c42e21eea8660f7a6af52a5709586c82a8cee52b40e4005105826851538df77a41050d1a427d1adc9f95731731047022d8fab815685e3cbb9

Download Submit
C:\Users\Admin\Desktop\DenyStop.ico

Filesize
358KB

MD5
66b2a70873dea080ef3b8fb8a139c5d6

SHA1
ee466b3dc4e3ccaa366ad9d1dcb594aed05094fc

SHA256
39b51f52afad0d1058e3b0fd1f82c2110ff5be269a3ff167644ccf7286650923

SHA512
af6b3cc2c0331c05bc1790c48faf9ebd713d334f63e73a97c3d37fa24cddf02634024639b93309c17b07afd37875a57a0bed8c20b434f089e2bbeb6b521d38d5

Download Submit
C:\Users\Admin\Desktop\EditCopy.vdx

Filesize
166KB

MD5
e15bf503518156557aad20429daa7ee4

SHA1
01090cf73440bf26e03b428c7fc89cfdc45e2843

SHA256
b74becd7f3c6ef42f02db5b6c45bc2394d009beeada3a0349c4571e4fdccd7d9

SHA512
066a57ee54a8af5b653d60071ba50a0d667e11395376213559bf08011b64aef92810f086315160178e6cdcb33ecf8e4d66172a6482015245cdb8334596dd2b68

Download Submit
C:\Users\Admin\Desktop\GetUndo.vstx

Filesize
153KB

MD5
8e823d174def5c7b6202b3063063736c

SHA1
b736cfd21f528a05c0528b5ffd3c79ed104fdc5d

SHA256
ffcb65bf2954d12b755a7a70b24033c8fd3f74239f419101012fc4973a710ddd

SHA512
6b518bd124e71ce3cadbde3d197c4ab3a7e50613352466100746a809e0b67d71f2e7daf365ecd4cf4c88797207bd1c1ef836cc679a6a7fce0fecb4de0d3fb1d1

Download Submit
C:\Users\Admin\Desktop\GrantCheckpoint.htm

Filesize
307KB

MD5
9cbc6dcb03d5f5c8d0ecd51298c0254f

SHA1
62f55d5365d6be0d6562c1fb51d615a6752f8292

SHA256
b276b5fe80c54404118509e16b663945f940a24dd3a5be826e8d534864b6f25d

SHA512
98daa26293fa57ba2283f5dd2464c918642d28d412b5441a7aa5196a84039d6a4460a0d03df6551eeb811054b6391b9448d0036b630ad07b579c0386438a17ca

Download Submit
C:\Users\Admin\Desktop\HideGet.svgz

Filesize
319KB

MD5
3e3c776d298ac5c1ad713937fdb0271a

SHA1
ae81160141045849e2b9e828f57be9a90e935cd9

SHA256
d4490117c11593ef76c0fb5a3fa512cec9d62c473e5d3bd913aa64338a291280

SHA512
f3673fb7a9f4064c294c5f9c2727a4dd579277ba5f71a04240f6da43dcee6b0b6aaedf807f953da20e45058710ce482e19b04f92243c8468a3d1733fe26e557d

Download Submit
C:\Users\Admin\Desktop\InitializeApprove.mht

Filesize
345KB

MD5
9b00ed1985b108bd6cc15a0ee588233d

SHA1
be1f1bf0f412f15b78933add7cfeaaf2fd2b65ed

SHA256
78f3b5615e099ac1cb38229282e6d2d23e50a59aefec6bf7b19228f3cd1035f7

SHA512
18443510ac9ff02be024352c493c3d3dc2e7d02000401f9f15f1b322b3d175603dac0f82e1271b40584eb6960f4f489f0081eee4d64f9c112594b364ea41fb2b

Download Submit
C:\Users\Admin\Desktop\InitializeFormat.jfif

Filesize
217KB

MD5
c9822c1a01fb4521739ae01130c7827e

SHA1
22b4d303b0a0c1edf96aacbca850921795d2d751

SHA256
3875f24a69ce2cc1f494b6f0ac54aa6737511543e93d9ba9274553e397c199f2

SHA512
d856665bdbb975c489644a16d59c22eaf53f3829661c09e5142f5acc87c1d9b23caeb72e6c43e990bf5f7dc38c1cc25dd83ccb77abf7413841cd168be36f9707

Download Submit
C:\Users\Admin\Desktop\InstallSkip.mpg

Filesize
127KB

MD5
6ebf76724e90e95e8ec2afebf4b325b9

SHA1
df30709644f3fd6851d362c4f8b5e7b5c9e23650

SHA256
8a41348fc299977df6aa5816a612d6fecbd282a79e3a2650e016ea4687bb6c0d

SHA512
ff07a547c178f870a87aef482a8722088eb8acea89e0c58755e5973ddc2e3b2d27a6e9989969618dc3ebed36939545a3b131296cfabdd3ceb0bda7fd32054d52

Download Submit
C:\Users\Admin\Desktop\LimitCopy.ppsx

Filesize
140KB

MD5
2d74e5adedfa2e67704f59b2bfeb2e18

SHA1
88ee0789d8ce74c4085f87ec4cd19778b423f9cb

SHA256
55c4f77ddc3f5143fb9a684227d1029bb4803bc247004725c162b68617d55c40

SHA512
474761543469750669435e32aafc825aebd0abae809d26b3dbc256c76f7a0c2424e0691dae9c081e11d3dc6061f5372445c869471fe1b1fe127c92716a3401d2

Download Submit
C:\Users\Admin\Desktop\PingStep.vdw

Filesize
281KB

MD5
8074d7138e783de32b90d2480836e8e7

SHA1
f239b4375b49c28b483b19d8758c265b5ac18272

SHA256
269048e39b4e6bd6a8da84f3e65b3355785b3d3b9681b04a058f296dd2848ab4

SHA512
11a7ee1274c6d843b6c7be063edef6851366bb7c61b2b4b1bf352589d1381e6bc55cd184dabb4381c31305ab0626c53cf2cbc57cc93dd48b9fed4e0be51e7144

Download Submit
C:\Users\Admin\Desktop\PublishTrace.jpeg

Filesize
243KB

MD5
7ca1cc89891b32cfa5021a08b1a2f99d

SHA1
7675004366b236c6c6eea2cba98987cd0f253236

SHA256
6f95152b463ce9bfcb7d15d53f49869af8989f43aa9d407cd3763a2b17ced3b7

SHA512
d48a5f992f4f7ba47d6d4bc48324de3d7b52fb07020382d8266a743fb9f20847faa454804df99bdd92ba6b1c52b8d5fd3bc18ad2c5cd56b5389a2a5425fff8ff

Download Submit
C:\Users\Admin\Desktop\RemoveRegister.wmv

Filesize
268KB

MD5
9838dd36d103f3e15ec7939f02e25f77

SHA1
3c6b4121699775e17008e7d1af4177f57603db7d

SHA256
f47e5d8fa36b3c1bc45da5a8d191aab1b9e7fb27de974f87bcdf1a63a33a24f9

SHA512
1d359b25a781fb05b231e6b6507303eb37e96699f212e01d4c04a2cd5f9416e508439e7741172f360c9d1953b0bd3ae7689d3877bfa1cf66edd936fff7967e17

Download Submit
C:\Users\Admin\Desktop\RepairCopy.xsl

Filesize
191KB

MD5
3600dc6ac7b15a8b5819c681551f1504

SHA1
f2b9c6672fb45968dd021ddffdf6b88ef4ba36cd

SHA256
58d5ef650746cf6e03e6e9ceeff64c2aaedf6464f935a9e0e6999536178048d3

SHA512
1b41e1eb1623bcff0b44808c4388acd722210eb741d3b98e481f0b4249837d273346dfff96b6db423acd50ef7df2e577eb092241bbcde184a258bcbb10cbf13e

Download Submit
C:\Users\Admin\Desktop\SearchWait.3gp2

Filesize
204KB

MD5
78889fe50ff346843e9003e42d3addc0

SHA1
8dd8a8cb7ea58f04840695b3b3509c8b38530d48

SHA256
bd0bb35ac870a581c57cc763993ad02e7f997da10099273e155d49f1c6e69fbe

SHA512
f4d7e1b7240df31851599f6fd4f5f93fcc32690ad021add4b16b37a38d47268a8398768ed31112a9ecbbf51d13df3211359f86dbb94397388dbdee17cabe54ab

Download Submit
C:\Users\Admin\Desktop\SuspendOpen.rle

Filesize
230KB

MD5
44a0779d90f068242478b43195d324de

SHA1
11d5be6678e11050bf18a9145e43712064226225

SHA256
5cab0f8077b4664071a0312f36e8d0a5552f250f204a338ae8bc184714889ae1

SHA512
3a74a1aa047a1367f08d8e6c11a90033ec0c1c509248f00eab6814b60bdde6d2e872b56f45677a875b9d61522fd3b12a7897f9f7d6dedbe611f3149358edbde0

Download Submit
C:\Users\Admin\Desktop\TestConvertFrom.001

Filesize
294KB

MD5
9da0b9c86fd95167f7684f613c391565

SHA1
6cf3117ff6d569b900899abd297685cc67744e51

SHA256
35ec699330685947185857feec5e86c770d8e8aad57a623d44284a86931d50e9

SHA512
2932d53b470fe1da6066c7e34c7208178c2d4175e535186a058625f72806675a6dc9d3e2363076ef1ea44623f2c3358c2c411994cf3918f11d54426cdf7ba914

Download Submit
C:\Users\Admin\Desktop\TestCopy.txt

Filesize
332KB

MD5
a5a63cd602dd0c313133386886093079

SHA1
541406ae31a94d2fc13505d81d4c7b65e8725086

SHA256
e052c5270f35e30176dd004ba2de677a972e23d2a6afd08aa1bb6f3cf2ab8968

SHA512
e1f97a8c602d8c8e3180d96fc77d75dd649b53d060c5e4ae632b5e54e9cb0465d4aabccd5fdae5dff4338f8bb8422be930b6798ac0ecf56539532a43509813c0

Download Submit
C:\Users\Admin\Desktop\WaitStart.mpp

Filesize
179KB

MD5
671a1d8ffa625a0e93efca69c2a5bdb8

SHA1
bf54946ae0ee2944a731b6b81fe0cba83fcbe827

SHA256
78907e76fab6db780fb0f0584b56c9b40b8fbfc1535bed8d23d763ef1e4f00be

SHA512
c60964507cc295333552c5370e5b7dfae49c60cef3c38a5bf6436be05e4aa9b6b1cf2353adc8f78e19ca904fbcfb3ae2db3fd6a5305265322eec2eb1a8c5ab2f

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1448_DLDIPWXDUTCHZELT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2972_KWGUFUJFYNRRURWE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/844-77-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/844-124-0x0000000076EA0000-0x0000000076EA1000-memory.dmp

Filesize
4KB

Download
memory/2000-93-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2000-73-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2000-239-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2000-230-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2000-256-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2000-247-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2200-238-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2200-248-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2468-1625-0x0000000017460000-0x0000000017470000-memory.dmp

Filesize
64KB

Download