hxxp://cdn[.]discordapp[.]com/attachments/1087849368675176460/1088103716277723146/Setup[.]rar

Resubmissions

01-04-2023 07:12

230401-h1ragshh9x 1

01-04-2023 07:00

230401-hsy1csge76 10

01-04-2023 06:57

230401-hq4stshh51 1

Analysis

max time kernel
36s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cdn.discordapp.com/attachments/1087849368675176460/1088103716277723146/Setup.rar

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248139822203496"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2528 chrome.exe
2528 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2528 chrome.exe
2528 chrome.exe
2528 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
1132	firefox.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
1132	firefox.exe
1132	firefox.exe
2528	chrome.exe
1132	firefox.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
1132	firefox.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
1132	firefox.exe
1132	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1132 firefox.exe

pid	process
1132	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2528 wrote to memory of 2484	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2484	2528	chrome.exe	chrome.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 364 wrote to memory of 1132	364	firefox.exe	firefox.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4808	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4216	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 4216	2528	chrome.exe	chrome.exe
PID 1132 wrote to memory of 744	1132	firefox.exe	firefox.exe
PID 1132 wrote to memory of 744	1132	firefox.exe	firefox.exe
PID 2528 wrote to memory of 760	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 760	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 760	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 760	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 760	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 760	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 760	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 760	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 760	2528	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://cdn.discordapp.com/attachments/1087849368675176460/1088103716277723146/Setup.rar
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe13009758,0x7ffe13009768,0x7ffe13009778
2⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1348 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:2
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:8
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1792 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:8
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:1
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:1
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:8
2⤵
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:8
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:8
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:8
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5292 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:1
2⤵
PID:5800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:8
2⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 --field-trial-handle=1796,i,18263456298873146352,11872502089429397423,131072 /prefetch:8
2⤵
PID:5760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.0.1298265888\1644874328" -parentBuildID 20221007134813 -prefsHandle 1824 -prefMapHandle 1808 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7963d72c-fa75-487b-b82b-6b4b5613c0fe} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 1916 1a6b1ce7858 gpu
3⤵
PID:744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.1.531069847\1247912250" -parentBuildID 20221007134813 -prefsHandle 2300 -prefMapHandle 2304 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca26b039-2f5d-41eb-8278-a28c946c16d7} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2316 1a6a4d6f858 socket
3⤵
PID:4388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.2.1025932778\1457291367" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 2904 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {273dec96-6199-4abc-995e-c310583da326} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2928 1a6b587b058 tab
3⤵
PID:5004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.5.1565658633\726163452" -childID 4 -isForBrowser -prefsHandle 3752 -prefMapHandle 3756 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1598e44b-7ffc-4740-b4c3-aae287cc3f8f} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3740 1a6b53af658 tab
3⤵
PID:4752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.4.472024767\1935992240" -childID 3 -isForBrowser -prefsHandle 3068 -prefMapHandle 3376 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43a30178-6946-496e-8c94-2d03497315bf} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3080 1a6b4ff9758 tab
3⤵
PID:3156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.3.939673607\1293793124" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3216 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b98ae987-0cfd-48a6-936b-93a4e5b7fc37} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3180 1a6b3263458 tab
3⤵
PID:2288

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3e8ad97257fa0e3b0bb48d9bee3cfbf6

SHA1
32401622aefcf08c8f42942b73b45cfdc450206f

SHA256
9ce2a14360e6088498021ec65f6cbf6d70b6907e37e66b5fb33905d9f657917d

SHA512
b6d30747d523af6347299012f15c9247ae6991643138659511439936560d2adee9960d2984f299e85c021f6aca6004a9079f32194a2f70b36f1ff0654fe4ef21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
afac70ef96d612478ab40ccc5f75881e

SHA1
1a3957ccc928330a7bf0ccabe4246204491a86b3

SHA256
29568a43c7adcee491e54f3f8371da6e7967d0740ed2c6254ed8db6f62d04f3e

SHA512
aca03ad4b9b972f882aaaa42eff44329fd535e8076301d0d8f38db02612ac52e2e42f0ab686e933496dfee4da1d642c866a8a520068a8c2574f40575bb97aaec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6c5ae8c3f5cb498f32de372ee9d545c1

SHA1
8a61cd921e75e23b7c224c8480799e421186f9ee

SHA256
8f6f396e1bfd185da9edacb456ae2eb9706d99d03bfc1f24310b6e76955bf273

SHA512
fce8f3378b8443b2aac7c0ddcb2ca2281afe65a0d3d4f68db0d3abb313d499dc60e627092323ec3de9ac8408d9fb8abf2154b5de041a5d609d15c002b5c7f158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
383cd696908438269fd56ca24dba635f

SHA1
085d4ad9779819ce078495fec6d902800bebf9b3

SHA256
52f868db4273690560e961e921d57b06c764784f0a48f2facbf224cf559e1a6e

SHA512
2bbb23c1ea3fdc5899b5ec4244324436490f0c4cddb1727c55dbd12a503d6bdbf0ca9387fc59d56f265ebc27e541011bb098d43b32bce5d0ef89f23e666ad0e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
27930ee22566bb1c1e2bae2ae05c294d

SHA1
c1dcd145d1749dc063b746e6fb2484e0059dc9d2

SHA256
9d3744332d74b48ccdde4d952751b2adf9349813f0b79a33155e10171574d78b

SHA512
da62e7e35c1d336c6766f9a250252b24da4dca92afbac87a404ac89b000c79c0bdcd24fbc6a6c8f6390613e37c87aac4005713421709c6968918f9e8618d2a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
b274c2523afe3411d738ca738ba29eb3

SHA1
19b09115d3fd1758906d8c2599260361feb531db

SHA256
9c2bb525187196b8327d10447b53d0b88d0240bb7e49526f883ef588570feed1

SHA512
ccc0630304fcc9354f291aff597a9baff8ccc55589ef3a8aecd37a4b42f9b3de998e2368166feed069e7e7834c06564620c47e041549c960fc32b15b0fcc566a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57031d.TMP

Filesize
102KB

MD5
bcd12db077ba10f97d648c93141fec47

SHA1
fa05ae582ce64a20a8caa69019120ba232b75147

SHA256
058198283dbe0b657730b2401a23d784939135510ad10f04fafcfd3b1fd9100d

SHA512
560846e7dfe2df03b8a3c3547773ae86a10e785b0a3e2bc7fa4b57b3de3ce70aec4c0f9ebd63f54ca39c48c51d731102667bf01b8e23efa1cf6d637e243706d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
6KB

MD5
3425d247ab92b56037dffee96a90f15f

SHA1
e7b4d1f5da45d31badffa17b5bf2f7830b1122d3

SHA256
3cec81913a9a277e92a40661d7af06a7469f364467348c614a68cf041d0af025

SHA512
008cd2753f32167e9ed5d48e181bf9b964a6b4eb84fdfe1d93a602b9cae2dd3b4999b09cd87beee7b74321bac3886b8981bf6578b1363a333cea2fd2cc0f5a03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
6KB

MD5
b114c02dd9bd10baf4347b270c593f08

SHA1
1926d84a9ea0a5467a31c1b80ce387d7dd07d76f

SHA256
5b74aa75f0b3f1d8989dbff29da2f53a0c906199aea972a9c7371aace61fbb2c

SHA512
34ab3511a266971fe444c56dd436c80a3923da4ae58ad54dd1341b833e1c7057a321a0e1e9a3e2e095f10abdbb2476f0f63e58f9e484080a17d975af55e233f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
6KB

MD5
95f7f0742aa992b59dba3a3ff990f019

SHA1
a469a9b2fd15060d6eb148d6b5004c536a477d2e

SHA256
9dfcb7804ed6aa8cbde04a6d44fba14fc6649a744e2c26094aad73d7ef11b58e

SHA512
bd221f0ea61d0cab87c0d0c2384a92f44d5abea9009637bc9557c7c62e4c9b93df67fa3d0934d70da8776873b50818f1f6d5de364cf50ccf9f4327230a57e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js

Filesize
6KB

MD5
1984b45f201f1fd79d2154406648433b

SHA1
42f082dc6d4d43333688690bf4dfa7c7f8b618ab

SHA256
000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

SHA512
e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
272B

MD5
ed148b3913288ce99014ecefb6f675fc

SHA1
aaca0900d66825a8820e37b984a4c6767ef10725

SHA256
b745912cf50749e525b408ff75eb434e226a907c285164dd93b4ddd53b5f37bb

SHA512
8eb3e5362a095825b3f97e1325d70bdbab39be42fb7628282a2ebb787b46cad486d80f275cb0e646d829ca6c53ea0ea007fcc60bc0c4c9829e9bdb7de1efbd78

Download Submit
\??\pipe\crashpad_2528_IIDJLTHEBJORDIPU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit