eafd8f574ea7fd0f345eaa19eae8d0d78d5323c8154592c850a2d78a86817744

Analysis

max time kernel
598s
max time network
606s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
19-05-2023 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zbxl.zip
Size

43.8MB
MD5

da596c5fa1bfe53dc6ef777e810c2e7d
SHA1

dc756fddd264eaadcc0c8e8576d11259bbe1c150
SHA256

eafd8f574ea7fd0f345eaa19eae8d0d78d5323c8154592c850a2d78a86817744
SHA512

bb7a10c4d9decee9687dfba5987939d1f55c3966bd80d06103d4bde6f61df3957d89392ac185b96ac668bc794193319dad33e34dde199df91eb2981e7e5f9fc3
SSDEEP

196608:rAA/coo9ZmMOfGI0QIdgCUlo1JKq5LJ2q82M/nSk827:rAHX9DQGI0Q321tr82MPl

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133289891726526360"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
2704	chrome.exe
2704	chrome.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4892	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	firefox.exe
Token: SeDebugPrivilege	5004	firefox.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5004	firefox.exe
5004	firefox.exe
5004	firefox.exe
5004	firefox.exe
5004	firefox.exe
5004	firefox.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5004	firefox.exe
5004	firefox.exe
5004	firefox.exe
5004	firefox.exe
5004	firefox.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5004	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 1476 wrote to memory of 5004	1476	firefox.exe	68
PID 5004 wrote to memory of 4020	5004	firefox.exe	69
PID 5004 wrote to memory of 4020	5004	firefox.exe	69
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 4244	5004	firefox.exe	70
PID 5004 wrote to memory of 2972	5004	firefox.exe	71
PID 5004 wrote to memory of 2972	5004	firefox.exe	71
PID 5004 wrote to memory of 2972	5004	firefox.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\zbxl.zip
1⤵
PID:420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.0.402707309\1736833059" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e12cb56-f99f-4a0e-9865-6fb00876b5c2} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 1628 22197217158 gpu
    3⤵
    PID:4020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.1.1652363350\1492918271" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3e3b019-2c05-4ce6-bd93-eda1ecda430b} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 2104 22196111258 socket
    3⤵
    - Checks processor information in registry
    PID:4244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.2.17007926\343431531" -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d46f1d6b-bdd5-4a46-a857-1aa2481359f1} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 3032 2219a028558 tab
    3⤵
    PID:2972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.4.1033291055\1024184542" -childID 3 -isForBrowser -prefsHandle 3512 -prefMapHandle 3508 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19daa02e-b3be-4191-b416-2efa25705a21} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 3532 2218aa62b58 tab
    3⤵
    PID:3196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.3.28788743\770202443" -childID 2 -isForBrowser -prefsHandle 3308 -prefMapHandle 3304 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e5653c4-3e63-42a0-bcd1-caba01cef2ff} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 2256 2218aa68d58 tab
    3⤵
    PID:4780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.7.1687112790\1127850489" -childID 6 -isForBrowser -prefsHandle 4816 -prefMapHandle 4812 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95eff9c5-fb07-42d7-87cc-7592fcc249af} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 4824 22199e88058 tab
    3⤵
    PID:3952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.6.921975512\50877317" -childID 5 -isForBrowser -prefsHandle 4632 -prefMapHandle 4628 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {600d95ef-25d8-4d22-be7d-3d2f2de9bb55} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 4668 22199e86558 tab
    3⤵
    PID:4720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.5.418739211\1437376953" -childID 4 -isForBrowser -prefsHandle 4620 -prefMapHandle 4616 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88f22b05-b7c6-4f95-8faf-8524bb96bf78} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 4640 22199e89b58 tab
    3⤵
    PID:3220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.8.1641684742\1164287133" -childID 7 -isForBrowser -prefsHandle 3252 -prefMapHandle 2688 -prefsLen 26903 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {951952e5-6ce4-4730-a3d6-76ab17d8313f} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 3268 2219d927a58 tab
    3⤵
    PID:1840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.9.1435373133\2053487689" -childID 8 -isForBrowser -prefsHandle 5588 -prefMapHandle 5628 -prefsLen 27214 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8217ff10-5f8c-4fa2-85b9-22361beb0f5b} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 5604 2219c237258 tab
    3⤵
    PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffedf039758,0x7ffedf039768,0x7ffedf039778
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4716 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5028
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff772727688,0x7ff772727698,0x7ff7727276a8
    3⤵
    PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5044 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3132 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2964 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4644 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2640 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3144 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4544 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5884 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=1064 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5108 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4560 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5612 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=3356 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4728 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5384 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=2492 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=3136 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5268 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=5936 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6084 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:68
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6096 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=5944 --field-trial-handle=1788,i,1389495909933998766,11321219881506882837,131072 /prefetch:1
  2⤵
  PID:3784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3836

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\zbxl\" -spe -an -ai#7zMap2356:70:7zEvent24830
1⤵
PID:704

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:4892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e4
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\20230519165933.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
37KB

MD5
519005befdbc6eedc73862996b59a9f7

SHA1
e9bad4dc75c55f583747dbc4abd80a95d5796528

SHA256
603abe3532b1cc1eb1c3da44f3679804dd463d07d4430d55c630aba986b17c44

SHA512
b210b12a78c6134d66b14f46f924ebc95328c10f92bfed22a361b2554eca21ee7892f7d9718ae7415074d753026682903beba2bd40b35a4eeb60bf186dcdf589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
70d23e62514b7df05f3d52d54cd710d2

SHA1
513ec83dc2a9a3c7e9920e3330d5d2eda3e90724

SHA256
fd0dd9bae58d40464036b823215879c95c2e9737f23b3d33de82eb1885513b8f

SHA512
91a0d863ba87c41a0f54e42f9669244301f7039b7e1ae26a1a7a477b8cc9d48b6e63cd6dbe6c65d0b11e346bc7eb51861d10c559236c281fcffe2cc21ceec933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
1a396849f5774c7c01812b61602d2766

SHA1
52b22ef70f9a7f42fc53f3e7e105bd98799c3091

SHA256
6eb3916d2f4430591e7c305688c945522c9a31750054386c06493459e8b93d79

SHA512
749ff29c66f4c1e1fc2984d55966c4325cff435097b10853c0764186a8fb5003ba6fa24fd1d958527eb03245d774605a6c6de579e53c5f20deaf6f09d2dbdb1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
73be1aaf7879894c39133f22c0b1aee9

SHA1
7a3d186b467d378abaf527b74778da06ad0e2f40

SHA256
c37abdd9779e1fb6540291be3407a916d63062b933f89da327f41232c0776f74

SHA512
da2ffd51efa03f013b992dc59a08807d0d88bb33e49ae6964c337c71a93a8eb2875bc41dfbc4d4a0e0c5a6ef56a36713502dc4015679304629880ca9cc290373

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
4ce76ca2e4abfa472f273c3ebbd837d3

SHA1
8e288939c4730e4c223c18387a801b1773abf1c2

SHA256
d4613b01254117320d027387433838abddd03ac601d17c94cc966f240787d9ce

SHA512
5dec665ae7c65433332b716823b3c45ce7015e6be5fca4b44b035216e72733a74f8302e078cc167f944711dac9bc27f8d4450f46b0c0ae0ab257c28c34ac6428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
99fc9e2412ade676613937cfb2ad51bd

SHA1
233a368c83906c78855004c80d600f66d95dc2ec

SHA256
acc99f9333a9106473309a8c5561cff66394a842ba7b378400f05cda7242bcdd

SHA512
dd2eb593ee4e4c4e265286bcc9478ce54bfa0f2bca024c40839b06ca94a2d99017ef282bb57fa49c4def41a5a7247d2a58e9653aa32766257f90878801969b1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3082170fb5874d6c9964ef2311239df2

SHA1
d511670706d8b002d7b2e7bbbbfec2c00dc302a5

SHA256
7c6ff93e78ea73d812653bdb83b7f3608d6818fb44b62bf34f32a0fd8be3b2cf

SHA512
ba215a59d0c1d0468edf5264adcbc8ae5a005d9428911310ae5d3e84b0d6622f15e24d7b448e78b418f17e55dc4852a8d13986eb9f38cad11f0fc879be8b9ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
12e101900781521a9b6db5f2d5ed9738

SHA1
3b124cc2fc2a09c8b02598fff0901c3807bbc0f5

SHA256
6f4784ad04e22655d2d8ae16e122b3ce6520f3c8ddf2e5b8e0a841ba1a559a3b

SHA512
ae3676e91649ab884036c8d8fe9c7e5baa828614bed113fee357a990e71be8cf942c4d783c0db827472f75c45f84612c78855490af0c3fd4b7bb5651274f52ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f155518c22174747be3ecb6a3bd9c8f8

SHA1
9e02d1c638a0de8837cb23a5302e7c01c1cd5054

SHA256
1d3a5cceec987bfa62a83b9fd99a915fe3cc6259dfc90f81de857b83b0354ad7

SHA512
f7d4708153bba602625b101302f53ea8906a0dfe375c2d2c280d83ecefbec062fc6d5e9c986a00f2d6a040ec681ba7ed55b556310bac9159eda2bf92eff016a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9ed02583cb0d21b13c0d498f1ada744e

SHA1
adcf9f6c7fa5092058bd0c5c6283d2d645536062

SHA256
eef20b6933a72f09bb3db784fd8a752ed841bd56079bb8294acec90440a0d785

SHA512
72c25c9ad7f9f9b5d3ae1ce416cdb45c167f2499b5b9a387c2e2f96f55c0b36412c756881b42c72ffe386c306c28849c42e9b67e16535d0772d21b351cbedc3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13328989637579302

Filesize
156B

MD5
af5c6f1d225af8d94e27c2b89faafcbb

SHA1
711e42290c5991c4369f880b61de858f0f4fb510

SHA256
7b00cc2abf4a935fc1a13a5ccf941bf8c193d2294afcc29d2caf1c684fc4a6f9

SHA512
5fe31c27e36e728b8affe5304091b3c74fa6be8d97d707be5564de33c13d0439b941b45535770aa91adcdf9e57f77843a0da67f0234fa5ce22a4e3dddee99b04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
ce0973816117fb6110ea6321800b1dc1

SHA1
672361b8860cae450c9ed31e6d8cd766004d344f

SHA256
bb73d44c452d24c30e3728aec1a74076893fc4db67d88af8f6f2937983b871c5

SHA512
6053e5d3cd6fd064160c74f12a0f93bc001f77a9144a75a970afbd497012cf9fa33986e88e9d0293a8edac778768fd72506aa017a9696a07058452a2ecbd2251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
ce53db215ea99ee559df2dcb7da6cf1a

SHA1
b7ac297052016a595de98c08b1c7088e8ce69c13

SHA256
37a3abc6bfa9b53680dcb4cf847a204532823c8a67631a101472592ad45aa5c8

SHA512
aa2e93ed4ff15ed14090f2a09484a85739d50cbe9ee0e288ef6834bc5037e5c34a790b86d620b390ccd0ebe73c285daa9ee25d2deb6a761b31a9c0657a80b975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
4b30949759bb26a80c70d4eb81e657f6

SHA1
e38e2c23b46c3a718f4fc57d507428a67a037300

SHA256
86207366a2092aa947591feb35c4847db10efa21950fbdd28bbd2409d54e9484

SHA512
a0fb10e0df7138257b1ef79ad7feb9b2ccdb078ef67688ceca16cc737bbd942e533e8c8e24ab442670cd4bc4cc2ad05a76ec0dcc1a88fa94b08d8e04818592ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp

Filesize
156KB

MD5
eb0a7a2006803f8694fb9f8212700e1c

SHA1
5fdee720fe4265f551e393bcd2592581b66f18d4

SHA256
0ab42bf66a9674288f99fe58f608e9b5e9726ff86f2cec070b1d7f105a79e22b

SHA512
d96e1805efd37dd71c2c532afa0800158989a8210bc15962f31f1f8c07ecf046bb091fd31a6db14eb32943c990bcb7c023afb38ee1d2965147f0b998dc8f4667

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js

Filesize
6KB

MD5
f843fc3b858888d342076c7199266348

SHA1
97dea7b7d8486f03cc085ef488fda80fe53515a0

SHA256
19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

SHA512
9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
50108aa41edc66e4b66b961d49b0d7cf

SHA1
a140fc89b39bb19be6849b57f27d7e010aeeb51a

SHA256
1b75ede6e4a123134c3586557031742812cb32a18581bee3ceec4b120a441a3c

SHA512
c041f111160a8eb3326c3c1e5c5b6df196b2359a635a5164dc1c3ffda81cb7a62986f347c440b33c639067805eb95f37ae51105b0ad321363b4d437e10940237

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
42df3a084b497c2019b9c92ba73e77d0

SHA1
aac4797cf05832f38e4ccbc9d4593d05fe616ad9

SHA256
8a229fd4cb1feb4bdda11ddaaad3f7612b6a3b361bbfa9a93e126fa9cac6d92f

SHA512
ee343c3e46c0eed05754bcf6fbb2bb8dc3104e16a1bf5ecead81c708b5fc9d38274019ce92c8d7dcd35b9877418e2470d5e0fa6027c4f5be90a5c9ea8233274c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
a3f2b53b08504a0350db96f6a089f0a2

SHA1
fc3b39124ceb58a3a5316c56c2553d988b0090c4

SHA256
d50cf5e605873e54f85567e59fb71896610299a00181f3cd66b67002053af3bd

SHA512
e6c9af6298b9cbd1a8c932181754e4291aa2e61eff5c8d69c68fc76e65e3abdd82d0d37b5752b3fda7cb80f578983609650261f0be5e90f7d8d7507a64023692

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
13f4ea7224417985aabae4a2f59fc2ba

SHA1
2d20752d98ce84d37a69d349d2c008e302748b59

SHA256
929688d666a67a627252819b523a1a80c92a092a94b155728b8ae603ec370c4f

SHA512
0cf9e68368fff17491537a97f62cd1dc0ac9d1d7330cb2ad3f3e252ad973097fd53e416c70e9c0abb7a5cf97ac92e58f364fa96c47c95c071df71aca94dd8501

Download Submit
C:\Users\Admin\Downloads\zbxl.zip

Filesize
43.8MB

MD5
da596c5fa1bfe53dc6ef777e810c2e7d

SHA1
dc756fddd264eaadcc0c8e8576d11259bbe1c150

SHA256
eafd8f574ea7fd0f345eaa19eae8d0d78d5323c8154592c850a2d78a86817744

SHA512
bb7a10c4d9decee9687dfba5987939d1f55c3966bd80d06103d4bde6f61df3957d89392ac185b96ac668bc794193319dad33e34dde199df91eb2981e7e5f9fc3

Download Submit