0e83cda8a94218be0f639d3e06080ee6983943ca8d955595f3ec4689ca4c15e0

Analysis

max time kernel
166s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

proxy.txt
Size

407B
MD5

0018d07f91e2e41d0e26bf551dc5460e
SHA1

85c3965dab2ef31d0508909a66599b46a52bd41b
SHA256

0e83cda8a94218be0f639d3e06080ee6983943ca8d955595f3ec4689ca4c15e0
SHA512

1d00ce4678ce4330b2aacd169b168164d754017028e74cb92e5c0823c856116ca4830407ef8218ef36a1a017113ff5e5f95cd690bb8fb0ddd6c966cf9c40cd31

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133288860256042827"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2296	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
968	chrome.exe
968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
968	chrome.exe
968	chrome.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4688	firefox.exe
Token: SeDebugPrivilege	4688	firefox.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe
4688	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 3928 wrote to memory of 4688	3928	firefox.exe	87
PID 4688 wrote to memory of 1428	4688	firefox.exe	88
PID 4688 wrote to memory of 1428	4688	firefox.exe	88
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3108	4688	firefox.exe	89
PID 4688 wrote to memory of 3652	4688	firefox.exe	90
PID 4688 wrote to memory of 3652	4688	firefox.exe	90
PID 4688 wrote to memory of 3652	4688	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\proxy.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.0.441667544\1899466319" -parentBuildID 20221007134813 -prefsHandle 1812 -prefMapHandle 1768 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c427515-7274-4ea5-a08f-58d51bb59334} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 1892 1d88ffa5858 gpu
    3⤵
    PID:1428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.1.1367476318\1347951544" -parentBuildID 20221007134813 -prefsHandle 2280 -prefMapHandle 2276 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5fa39c1-898a-4768-ad19-78ac16b556c0} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 2292 1d881f72858 socket
    3⤵
    - Checks processor information in registry
    PID:3108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.2.1213932938\716921911" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 3164 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {259be397-de45-4081-9055-a5338af2e29c} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 2860 1d892bf9b58 tab
    3⤵
    PID:3652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.3.1563144693\924953446" -childID 2 -isForBrowser -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d3f69af-6e2a-4935-ae3f-58c629ed4462} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 3552 1d881f5c758 tab
    3⤵
    PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.4.1604665214\102826233" -childID 3 -isForBrowser -prefsHandle 2456 -prefMapHandle 1432 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8b8569e-d1b6-44fd-a2a3-29fe45b89a5c} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 4036 1d881f62b58 tab
    3⤵
    PID:5036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.5.1841978631\1763709744" -childID 4 -isForBrowser -prefsHandle 4988 -prefMapHandle 4628 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8112cd8a-2fa3-4d80-ace9-06a610d35394} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 5008 1d8951c9358 tab
    3⤵
    PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.7.1418004912\183355911" -childID 6 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ed88a35-1f29-4ee4-ba8a-9e2b21ea3bf4} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 5424 1d895f1a658 tab
    3⤵
    PID:660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.6.2013666079\1296298132" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d1d11ad-e2a9-4a76-90d4-6af43a1bd08d} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 5140 1d8951ca858 tab
    3⤵
    PID:1680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.8.2129135432\1636417898" -childID 7 -isForBrowser -prefsHandle 4012 -prefMapHandle 4004 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b884ab2-d684-4148-9614-d784fb4561c2} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 4068 1d891745858 tab
    3⤵
    PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.9.1851262835\1787167552" -childID 8 -isForBrowser -prefsHandle 1444 -prefMapHandle 3372 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea9d56d6-fe81-4d8e-9eb6-aa0e3282d2dc} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 4852 1d881f63e58 tab
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.10.638852925\1519836235" -childID 9 -isForBrowser -prefsHandle 8792 -prefMapHandle 408 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc637aa1-7f24-40ee-b5d0-354fe02beb5f} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 8784 1d89627c758 tab
    3⤵
    PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Users\Admin\Desktop\InvokeExport.cr2
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe6fc99758,0x7ffe6fc99768,0x7ffe6fc99778
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1828,i,3811804645978392705,17927259911308699564,131072 /prefetch:2
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1828,i,3811804645978392705,17927259911308699564,131072 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1828,i,3811804645978392705,17927259911308699564,131072 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3232 --field-trial-handle=1828,i,3811804645978392705,17927259911308699564,131072 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3264 --field-trial-handle=1828,i,3811804645978392705,17927259911308699564,131072 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 --field-trial-handle=1828,i,3811804645978392705,17927259911308699564,131072 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1828,i,3811804645978392705,17927259911308699564,131072 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1828,i,3811804645978392705,17927259911308699564,131072 /prefetch:8
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 --field-trial-handle=1828,i,3811804645978392705,17927259911308699564,131072 /prefetch:8
  2⤵
  PID:3616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp

Filesize
154KB

MD5
c33c8abdd2ae819ce786126d02545d37

SHA1
efc8571371b8e595380f2668768dc78fd7404f84

SHA256
d9e47194a787ec4cf6a6404eea3aaa030c4b6b799e07c93f07670fb70aa7de8e

SHA512
11c8f57c139472fe84f5b22988723ff2d1a0a3de76a39097d918177462d63755a29b0e2f5344c79990523b6ce09c015e45ca0aceb3fa8ed5e6a60ad6fd10de45

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\16643

Filesize
10KB

MD5
e8dedfb07e0c61a223b25150bd3f1783

SHA1
4b20dfe8898729e977bf9ba8ff2d4c2c080592e4

SHA256
b8478a1c7af19188a2a90c7590f7121def114fcea8e74ea909b5b39d70912658

SHA512
6cc029a73987f81317aafc88fb79458a39a4a24202f4c085e1bf931fc8e9831ed4011ff34240b1956b74b123f7363bfa2d96902eaf424e637dda9a12868c83ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
a3b390b4de32edf0f7bec6d49a2fdda8

SHA1
3c0c74ec6ce4bd99820b80d3345895b9340a302e

SHA256
77d5630fab5415b60e59ca0c393ff05e37ac4d73f83844a93c4928279dbac761

SHA512
613cb6c617abd0affadd67d30522c365290acbf8ecb07ea658a4621bb5d42c555639f95e358ce2655adb7dc17fffd5b445ce07c42519c9697355ff061bfb5636

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
89dcd5e3305317a3c50cfadaaa69e91c

SHA1
8a6b1c635b3fd6dfd52678424b9fbfaf4cb75b6f

SHA256
4d8f2f590c04dd2e682b01ad9a1cfa61a78ae0e6a4e172e3444365cb66be8840

SHA512
23cf495c29c806fc2bf116fa234b0eab4282bf9ecf1bc493b24dcd374648ab8a7eea59b7ef1d76c9ae89f1b71c8cebdd6c77e5760d4416134f233b42c88702aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
ea334e01465b94d21c79137618b2cd1a

SHA1
8394edc28ff00a6f02f7bac475f336be39779c90

SHA256
ccdf438053162a9c2686d45903ee8fd6fb4fcac4d686b753689a278173d76657

SHA512
b697c13d6111053694c87e0712d543c43c24889798c84c7659ccb42f2feed04c77288584df407c83bcb75bade5b1725c9cb4e20a99ec48f47d03fc751f4402ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
610ee1a063c84055f3d23b5ad82c81ae

SHA1
9d5bebd03cc47acf851bb248bcc60f4a75a063bc

SHA256
7660911356a7acc357f4186d65957e66e75617c031f59e00d4cafd597baeb363

SHA512
36c59cfe2c105395e573994cf15781de10b2dfcc7e762e5a953536b70eac6cd09871bc623a3d16649cc82d969e1165838fa6a8045fdd615ec24b2b8f28c31f33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
d8933d099e4b6866617a09888f38a890

SHA1
c145e7c2a39ad13e825c77eed197bbd665bad23e

SHA256
f998763565d2f3399aa3553974adf7b81d261301e63fa91a4554484eb115c4d3

SHA512
58a5b3946aab312009d41670f7f77dd2c168fb4c96b6151395964776cc4a0d592a9989c4bf6ad572f9477f3dc6f4e329e57acb12e898a384800fe4b6afeab616

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js

Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c46e232f773026f28c588a616cd96b17

SHA1
9e13087777e1e81f670106b7e2e3f90dadcc0a2d

SHA256
2f013679b0e134cb798aa810cbfd8f99e09a31dd3b0108eff6d08ae82698cedd

SHA512
80745d333f307e5c7afa44878f954ab185ae78162ba1672d94fdea30833dd17456cd7f74cab59dd5d45fe226787cbe17eb36b1d1c08036d47df3e5034f46620e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f204cb764338fd272c6095b92b7234b4

SHA1
cee1ff88f94a294bcfafd1bd46e1e2e66e4c8238

SHA256
cabe828da4b5aec2e4021aaecf387e7c467e2ddf76f5d8a6c67fc279ddd3f521

SHA512
bec39357dfd92d07f67226c7252dde6dc83248d13cd5360d8ec52ffe7102c87b437ef8f89eaabe7d30a5b6cae7325abeb540f3a83615ef0ca0dc3725e534be55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore.jsonlz4

Filesize
8KB

MD5
47ef1e0b341dc45ab3c3a54b1c64d886

SHA1
4af510cb1ba49354fb3ab953ab9c3f6bf999e341

SHA256
9410e1b8100d8fdfa888d237bb3935ac455e0567773c7380d33358ba75748f57

SHA512
66a168ed582e969afaacb6450587f73098ff61456435795170a7a43a83b42c0bad1b6f51623d379a094ea21bd6dded01ed6949672e5ccc2099a836d982d6fc2b

Download Submit