hxxp://maddenword[.]com

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://maddenword.com

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeDebugPrivilege	416	firefox.exe
Token: SeDebugPrivilege	416	firefox.exe
Token: SeDebugPrivilege	416	firefox.exe
Token: SeDebugPrivilege	416	firefox.exe
Token: SeDebugPrivilege	416	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
416	firefox.exe
416	firefox.exe
416	firefox.exe
416	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
416	firefox.exe
416	firefox.exe
416	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
416	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 464	2984	chrome.exe	41
PID 2984 wrote to memory of 464	2984	chrome.exe	41
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 3568	2984	chrome.exe	85
PID 2984 wrote to memory of 4860	2984	chrome.exe	87
PID 2984 wrote to memory of 4860	2984	chrome.exe	87
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86
PID 2984 wrote to memory of 2844	2984	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://maddenword.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa14d9758,0x7fffa14d9768,0x7fffa14d9778
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1904,i,3809306475134678160,14605895446213339598,131072 /prefetch:2
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1904,i,3809306475134678160,14605895446213339598,131072 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1904,i,3809306475134678160,14605895446213339598,131072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1904,i,3809306475134678160,14605895446213339598,131072 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1904,i,3809306475134678160,14605895446213339598,131072 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4636 --field-trial-handle=1904,i,3809306475134678160,14605895446213339598,131072 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2984 --field-trial-handle=1904,i,3809306475134678160,14605895446213339598,131072 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3140 --field-trial-handle=1904,i,3809306475134678160,14605895446213339598,131072 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5168 --field-trial-handle=1904,i,3809306475134678160,14605895446213339598,131072 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4840 --field-trial-handle=1904,i,3809306475134678160,14605895446213339598,131072 /prefetch:1
  2⤵
  PID:3364

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:836
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.0.1155238395\1117495250" -parentBuildID 20221007134813 -prefsHandle 1920 -prefMapHandle 1904 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27ef0222-b222-4f8f-bc8e-44642aa1597a} 416 "\\.\pipe\gecko-crash-server-pipe.416" 2028 22feb8d4c58 gpu
    3⤵
    PID:3180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.1.1434409937\379531911" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2248a99-86fa-42cf-b755-e7c21cceb6ff} 416 "\\.\pipe\gecko-crash-server-pipe.416" 2412 22fdee6df58 socket
    3⤵
    PID:116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.2.1605776054\1505937498" -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 3004 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {694dd403-a933-4970-b54c-b9f9c079eab3} 416 "\\.\pipe\gecko-crash-server-pipe.416" 3204 22feb85b758 tab
    3⤵
    PID:380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.3.1524764436\1836929520" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73db0df5-6bc1-47b4-a35d-ccf16657428a} 416 "\\.\pipe\gecko-crash-server-pipe.416" 3588 22fefea2858 tab
    3⤵
    PID:3960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.4.1001104068\1615862756" -childID 3 -isForBrowser -prefsHandle 4108 -prefMapHandle 4104 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53fff4c1-17ac-4206-ab16-fc3609af6868} 416 "\\.\pipe\gecko-crash-server-pipe.416" 4120 22ff0d05c58 tab
    3⤵
    PID:668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.5.619551305\692086820" -childID 4 -isForBrowser -prefsHandle 5084 -prefMapHandle 5064 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6495e31a-f2a1-4e02-bb65-66444976470d} 416 "\\.\pipe\gecko-crash-server-pipe.416" 5032 22feddce458 tab
    3⤵
    PID:4176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.6.535783616\151243295" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1562e8df-1a12-4c85-9392-b7a5c36b1434} 416 "\\.\pipe\gecko-crash-server-pipe.416" 5236 22ff1cc8158 tab
    3⤵
    PID:396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.7.1127426344\1746745464" -childID 6 -isForBrowser -prefsHandle 5304 -prefMapHandle 5256 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a67f7bb-1ad5-47fe-96cd-931e84eda226} 416 "\\.\pipe\gecko-crash-server-pipe.416" 5300 22ff1cc9358 tab
    3⤵
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.8.1737787375\902126531" -childID 7 -isForBrowser -prefsHandle 5968 -prefMapHandle 5976 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {905a4d98-407c-4988-9d28-1671cafb81c8} 416 "\\.\pipe\gecko-crash-server-pipe.416" 5984 22fdee62558 tab
    3⤵
    PID:2844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.9.401916751\1614949118" -parentBuildID 20221007134813 -prefsHandle 3160 -prefMapHandle 6244 -prefsLen 26831 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c861ff5a-1d98-49c8-9f19-8e36b487fa0d} 416 "\\.\pipe\gecko-crash-server-pipe.416" 3360 22ff4070e58 rdd
    3⤵
    PID:3860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.10.518519402\680384836" -childID 8 -isForBrowser -prefsHandle 2892 -prefMapHandle 6368 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f994bb5-9dd7-41e4-a788-70faa1496b1a} 416 "\\.\pipe\gecko-crash-server-pipe.416" 3376 22fee11ab58 tab
    3⤵
    PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
22d056964e85d41104305634d5d76753

SHA1
1c7b36c5f0c19f4e92c4e6f9d89b88f2ba760c70

SHA256
0c5d84f473b97d04dcdf8dc87dbd7ac369ff14c3d9a80c619aaafd74ac04f283

SHA512
99ed8ff9cd6f36ed381040559a26babb6bd7c3bd4783163162232774c9546298b475308af4787f8265838cd0052de838acf713a26e692d064b514d34f37caa34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
09d8987a4e8b2dbeea22c5cd9ac493e8

SHA1
aaac1917bb19bfd1c27244e3b3ddd988d08b8eb7

SHA256
81fa503ebb8fa6a5c869f8039e8b0d1c617a6a8a3da2599639c46d5b5981159b

SHA512
bb218bdab11250aa20d2977d83d428b00fa2a6d511b6019d760b623cb6acae93ca857e861fbfe2147cd0cad454b578d896e4e76b57492c009529778dcc679da5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
61d11a918e08831137f7218444a7bd1a

SHA1
5ee969f40d74cf08686d30c4bebf19142c8f7405

SHA256
8939ad3379a01d1600731669c2e539870626a005f98240272660497ee5090887

SHA512
05e01c0cd2eea309d2942af3a19c4ddb02ea10af7aee2463d290e8d29856166e1e17168c26b4d515369ec018f18879b59fe8deb515099b19feff63ea300134f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2febb8121433f12513ac9c2d6a93d345

SHA1
5d3e2fdff8a949e1f158818a832c0d84db90e619

SHA256
6b0a25ab4fe53fbc4789cff660c03ed1f9dcfa186835508f3b667512abdd4a17

SHA512
1a160d2f330113019be02be033297156088237e230f4fd731fb75e4ad194e7ebe2f705eb93acfdfaf4e7b0ffd5cf4918a762e4d9be7d9cea3346e245f31fc6cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bf197342b030b63d753659c8787003a6

SHA1
a1add860e0e93f58d3f8f4b4fd88547b97c11bc4

SHA256
1e341f1c6d10f3af077df7a546385664a3940e74278addff36f8a4c66b6a26a9

SHA512
fd081d72eda1527693f4cf492415a82566c6a34f1524c463ebef3f5e5a2aff39339e11f6d603bebd740c7bf6f2fec9e0a701210a6b39df6145b11511131e7194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
ca7e8606aadf1b37cd6ad6055f6b4308

SHA1
47443b5470627034118518ab339b15f845e6eecb

SHA256
decb00ffd548fe7fd5ae338e25bffe7f83b5a728775d45232a561078e6790f98

SHA512
cb691737d4e40d0d1e117bbeb06b14b57a20ff8908cda4e2b08531ff11cfd911b3a76395427bbfdd9aff31b01770bbeaf92ab17f46b6314a03f08a473e8ce5c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
8b8145669b46fb75a10ea5e4f1846de9

SHA1
3d236b9a8f02c737ff7434ef84b87667efa3b4ef

SHA256
d56acab510b3498816c555a38c39c22702e20eaee62459b6fbd2c1f4a04f436d

SHA512
1b9aeb7048d679de6b4c13d2035e10556180fc28728d711572979fe6ff3b6d13d84237d7294096475ec0a5f597b5399b66d77a1c86b2fdb57a0e616070f09ff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
233c754cdb516d4c73680b1882178ff7

SHA1
ed96c4933ac9a76bc465d95853115fe0c7a31503

SHA256
d485f2a907a5e2aa99af2e215e4c982ea503811ac03d9017d4c846a87bd69bfc

SHA512
dee4679c12c7bf1ac394aeb9404d3726ce831a885d9f605d2bb9618fb40b30f03cb439f59f3b6341c0b1187e0faf0741ced1a3ca35f7d753859dbb9dfd4901f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\cache2\doomed\23532

Filesize
15KB

MD5
4a72720fd77b700dc7db424a61f30aae

SHA1
b244aa70a66bfe368da13098f6b846243e257b22

SHA256
aa0ed897f12c861084f81ee8a1ec16e52dd9f3544c3bc5379c62a9cb60801b9d

SHA512
3dc4d019988d8cc23f5c6d8b9c6be3bd0802478cb4c94d60982f622a37396459b3754bf1f7e3f75791a37f8969308d97687e5e3c5730a91b4564515a75ec99b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\cache2\entries\44B7548965B7945D1A2430BB436FE3CDE9406FAD

Filesize
80KB

MD5
557ed534c8210164c1063a8a969f0a58

SHA1
c743169d2f8d5753a51d968648e3fb753b81ef94

SHA256
333e1d496b98364dfd290c276dee87d405d0c6cfa79258186fcb8b155afb0e58

SHA512
df1ab875f5801e04e53b8b1b5ff977ec4824ae12ec681079bad43d63bb6e2f94c685eb1ba07b13473ab0f340b98a0b566999203e6fb600fa4c958b7d2e180f85

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\cache2\entries\8F479D668BCECEF12EFEA2791B0E1652C40ED285

Filesize
49KB

MD5
101c648db49cfdf25b1368d00843b5a0

SHA1
8e1871028dbdb688e1bbb3923da149d408b3f7e4

SHA256
c4d4ef93b2029d7f7eeabafee502af908cfb79ffb27f9e910df33bd6ac4cb963

SHA512
e37efc4c4f1a91d77218c5bb81a00009e4dcf3eddb70c288a7de68bfe9760fa25c71f3b692dc6ec961f165d4ea4ee07eb80a40dee52073f96b65413954787271

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\cache2\entries\FCC030F57940296B4C989D2C74BA07DCC70A995E

Filesize
13KB

MD5
296da5fd569580bf40cd1f3621157968

SHA1
8af5c9b2444ae7bfeceaeb671e42224c766420a5

SHA256
8e00fc50f2902e1d24696118eceece1aa04ee00cd4e0a916a55e3f4189d4fdc4

SHA512
fff8574cd543a0243d2f5e390a573aa74ba171d09d544df817875997c59a1fb4a10ea1ced2a823ec469b79587107666ce370807e7a534585ce261ac9a5780ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\prefs-1.js

Filesize
10KB

MD5
174c3029b16d947b3bedcd8b1b6672ec

SHA1
c3432b789614deb83c8e1eecb3bc5421613f268b

SHA256
34b9a67f43ef59b38333392549e10925b6ca3abf8167d5ca95d47e5e7d46bd4e

SHA512
07557f0371e0f2446ea4f4446cb3137093a107e27315ceb4e34deb0a9893d09d6b55182ca8e6850945c0c777154bc4a92f469ebfcb017ea1b29bb2926914aaa2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\prefs-1.js

Filesize
7KB

MD5
b4683e75e8179636e070086abe101841

SHA1
92aa426f860d1f21461b79ed8adc3c10c69dff8f

SHA256
bbd1fe5b0b42011aeb905c50005a9d1846cc26421e09b6ae9dec153278051940

SHA512
3bf8ea7cdf108c0cee68c8ea4abc13e02cb2b9cea3935e51863ae98ce5d3f733f13e363f3c661bd8d413a4aedf5d716f708042282f4c0572a30f0031d637cde0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\prefs.js

Filesize
6KB

MD5
04c609b1eb586d8ff72872222a9ab3e7

SHA1
67c54dcf97eb364ca33fbdcf5cbb60e3ae52f8f5

SHA256
0cb32fa90860cb86b25bdce9efa404a21a19d59648a5eb88145eb7d01d3a7093

SHA512
95b082807d97bd58bdf43f5073f03f8d1a2e757d1e43485bfc48d9e6478753f75a4e93a953f00e5c433ace3dd4ebf3145a13020f20d862a6d999c2113d8be84a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\prefs.js

Filesize
8KB

MD5
0d9f67c4c3ae6d12e1a95aa58c879da3

SHA1
1e0bc6f017d485fd390244f8a496ec4d8ae3b855

SHA256
799c8a5903b1a047a44c91f8c1d5a29faad5347123ec2735dbee2243a281fe16

SHA512
31ac8cb8d9bd75d79df1b461c048ddad0575bd4f362ee505d6c169454e9b41344069ca5f473a6bbf55c99317cc3ddf9b3e28ea88ad971e7cd952652ddec2eb3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\prefs.js

Filesize
6KB

MD5
b7995d1b13b3ab00a6d4d617fc6ca612

SHA1
3f08f349ebdf8bbd0fca44fbb6c1164e7e7fa5ce

SHA256
38160f21f2bed91d0565137ff6e86c557b6b9719d60a14d8925e37eb53c0e82e

SHA512
56160b39473854ff2fb9b0fd83c89dd7362af7590cbbd680a591a1e1af13cedd2d4ad35f12e7e9bdbf5a678e7a1cb795761e7a1ce091b59cb6b2f822d27c5e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
4329cdf6d8f9c2e1feb743ed175e9538

SHA1
81b5ac6172b03f82bea4c9ed522236810dbcc1c7

SHA256
c5a9efd19ae2f76642c0e7b5c92d839e338df1258c4eff1ea57e3a978f3f47b7

SHA512
937e3afb147ee0f06e4fc1edacfd4e7f4b4beeed77e8ea1264705f8cd012c14a67742304e0a20fc71047400d50dff19ab9e10c813418f2130286dd454db70063

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
4e04adfb05ef89483305861a9315ba2b

SHA1
77e8413cfad18db7a095bdecae03a86f81fd3831

SHA256
29662ec8afa29c0dcfd0576f9d4b9aa724a115af99691b35286b40437d16434f

SHA512
eff8248f9a18e8956ea8aa80a0d1474cdab83fe2c8324fee7714898d0433ce41114febcbb82e50ab37c87d7c86cc607e36c8f86f92713046b1fed8bdad1f33eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
4728955d5d3a3108821df3086c327dd3

SHA1
96e19f359f6506e4ab43ef130a3405145e7b0526

SHA256
47d97c2f2a7b8e9eb3687c1563cfcb89dfe22452d7da2ce222a1fe23534353d0

SHA512
b47281016bcdb3d61515f9e5ab6bf246e628b13579f8299e8cbae9a50c629bf80717520ce8c4357c5ff2580cdc6780fbe4dd0223d39fb2f2531ea596e995d9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zd1c0nsj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
72c84ccbe14a7145485e5da833f4eb03

SHA1
c533882422300e735cc4140e7dc89c54b7dca3d1

SHA256
6efe7f3d1509f2f9e1ead58a2fcc4749b4e63a131bc1301d6f934001697df3e6

SHA512
193acead9c3b44e3970f0629b0e7b1e27b6a49132f1b398e98279ce154a03a41d45ba603d50c3ae17b3712ccd5aedfeefb90d6fcefafa362ce53558c7f61995f

Download Submit