hxxp://tempmail[.]org

Analysis

max time kernel
448s
max time network
407s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 13:38

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://tempmail.org

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133478987861174374"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
4708	chrome.exe
4708	chrome.exe
4492	msedge.exe
4492	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1412	bootim.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2332	firefox.exe
2332	firefox.exe
2332	firefox.exe
2332	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2332	firefox.exe
2332	firefox.exe
2332	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2332	firefox.exe
2344	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3460	2416	chrome.exe	68
PID 2416 wrote to memory of 3460	2416	chrome.exe	68
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 3740	2416	chrome.exe	89
PID 2416 wrote to memory of 1452	2416	chrome.exe	90
PID 2416 wrote to memory of 1452	2416	chrome.exe	90
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91
PID 2416 wrote to memory of 2012	2416	chrome.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://tempmail.org
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5b119758,0x7ffd5b119768,0x7ffd5b119778
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1880,i,6021029931246392432,10532344625299115623,131072 /prefetch:2
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1880,i,6021029931246392432,10532344625299115623,131072 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1880,i,6021029931246392432,10532344625299115623,131072 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1880,i,6021029931246392432,10532344625299115623,131072 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1880,i,6021029931246392432,10532344625299115623,131072 /prefetch:1
  2⤵
  PID:264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4624 --field-trial-handle=1880,i,6021029931246392432,10532344625299115623,131072 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1880,i,6021029931246392432,10532344625299115623,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1880,i,6021029931246392432,10532344625299115623,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 --field-trial-handle=1880,i,6021029931246392432,10532344625299115623,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1788
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2332.0.644532769\278659532" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39c1b337-ad62-4ba1-89bd-c1662de94172} 2332 "\\.\pipe\gecko-crash-server-pipe.2332" 1980 1f3346d8f58 gpu
    3⤵
    PID:4324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2332.1.1580498937\187112285" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0f03bf0-4539-47b6-b133-e70038a32be4} 2332 "\\.\pipe\gecko-crash-server-pipe.2332" 2380 1f327c72e58 socket
    3⤵
    - Checks processor information in registry
    PID:3924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2332.2.358411976\1851620440" -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 2984 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b55fb28a-b972-4f62-b60c-7456dae0439c} 2332 "\\.\pipe\gecko-crash-server-pipe.2332" 3112 1f3385a8d58 tab
    3⤵
    PID:3968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2332.3.5307706\567062193" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7a4bd6d-dc47-447b-a084-dabe7d114314} 2332 "\\.\pipe\gecko-crash-server-pipe.2332" 3556 1f327c62b58 tab
    3⤵
    PID:4764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2332.4.476290550\1633325500" -childID 3 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad269905-4260-4689-a402-415a3cb93a57} 2332 "\\.\pipe\gecko-crash-server-pipe.2332" 3540 1f3396cd158 tab
    3⤵
    PID:808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2332.5.770815224\1958720305" -childID 4 -isForBrowser -prefsHandle 5008 -prefMapHandle 5112 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3b1439a-6996-423e-82c3-e07672f60086} 2332 "\\.\pipe\gecko-crash-server-pipe.2332" 5096 1f33a6fa858 tab
    3⤵
    PID:1412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2332.7.1781388279\790229556" -childID 6 -isForBrowser -prefsHandle 5344 -prefMapHandle 5340 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {597bb4a2-780e-42f3-9f05-1007b11917f5} 2332 "\\.\pipe\gecko-crash-server-pipe.2332" 5096 1f33a8c4058 tab
    3⤵
    PID:5072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2332.6.911367972\953611931" -childID 5 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d590275d-45e9-4d98-a5e8-f4738adbfb55} 2332 "\\.\pipe\gecko-crash-server-pipe.2332" 5324 1f33a8c4958 tab
    3⤵
    PID:2900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2332.8.323021976\1129984644" -childID 7 -isForBrowser -prefsHandle 2832 -prefMapHandle 3248 -prefsLen 26646 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c12fca3-6519-4a93-9db0-0671220ec5d7} 2332 "\\.\pipe\gecko-crash-server-pipe.2332" 3484 1f33460ae58 tab
    3⤵
    PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9f5bd535ha899h475ahb0dch9ab8d9440806
1⤵
PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xd8,0x12c,0x7ffd494446f8,0x7ffd49444708,0x7ffd49444718
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,4800729559665182128,9242625187416858160,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,4800729559665182128,9242625187416858160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,4800729559665182128,9242625187416858160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:3704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3912855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
a2d404037dfb8301c1ed91d821f9367b

SHA1
54d7740a191f9c33cc27c03040143e4efe68245f

SHA256
a8135f6b1949415814e34ba825fe11a8643350076728b17808c9b1135b36bf59

SHA512
bc33f6cd60c8cf76b92e9ec7e98799146062978c1cb92a2225bf5a00ba75c51794c92ab77f0546852b3fd99aec6e438e609b7ece19cafe5445393febbb28f3ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
55a1eec618aa5f00e9f50513878d110a

SHA1
845d9170472de50ad9be4c324cca3e05ec2800da

SHA256
716c1568000e469524ca0a413210c41b2d7256e64bd0a40d88f67d6643def25d

SHA512
c97d5a85e3c70183efe9ef480c4a17022db0804ab9fb51e9e99355ac3bfb495cf4216ffe01b0d9e0376dfa104defb73c89ed146c0c42affee79b529497fbcda8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
81465b0daa7fa01a5607e44c68e6443b

SHA1
0b6b869d900ae9ad9b1e459f22f58ee1027e6d97

SHA256
c1dffeb9de3d3d6aeca816a2548ce5577d4aaf5d69e9dea7d8c4dc1a37bc2e16

SHA512
89d130a90085a607fa93c7d1578500f9fccbea50d32b9e75f5691c758a532d14121b1618d2855bb18a160b1841f5cba4c24e8ae0aec0d5630e267fa3a58336e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ebb5afa9c3717a26a5cd07f27ee2c78e

SHA1
cc1bb93386ee1eb6f5499600dd4e61029c1e300e

SHA256
8c5362107b7f7e6e69ae4513a53258e9e328116cd04293aa31cf0c722be8474b

SHA512
0e3f817b0b819e8adfbbb9bbcde302d3456424dbeac7b8378e709cde2368ff7dce073367e88f0d247e42af3a7a92a243171a2bbaa7f5cd977a9a18de5b3ae910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a34f02645d89ca86f8451a1928f973eb

SHA1
ba320b0337d1b6fef4cbff84cf1637fadfc1982a

SHA256
2dbe6acf30231880aecf3d0b9c27c77e10c18d109bd700a3920bcce1ff6f31d0

SHA512
5ada07d63fcee9d9f03632e483a43435eb3cd4638e3c4060d668fbc637347d7f4b01666a3c78cd277190ed7c72233401e8b99977d948bb786f25ae1d3970d3ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
3f5f1c3634aa3f06e49b224f0aa0c459

SHA1
9f03129934f126fa536e5c6519266b524785e6d9

SHA256
edda587fbab0dccea7e85f026cb65f8363f0955c6996e294da14be250b777e02

SHA512
1e8c26d22419619d31ac91975914eaebaf14f17d0ff3175d5a6f85bddf319856c455dd9e11bc13597bde93d89b7d89a18c6bdf830589ece4a41176efafbcc752

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6d6fe44f718faea2a23b376010bb5f6b

SHA1
ec612eac34a556c8fc4f553b243a8ec4eaf450d2

SHA256
d4f61e95bdee5aac8a6874897fe88f2871bc0535075e7aafaa6c38781a900305

SHA512
6140d078a0d8ee5b0469089cd4f6f09566026320f1f28eb74a5e56ca77c44b4ebac2a2301f78959dd0a949c5847e1d9d9e7d3c42c0054feafa1721ffa4ace682

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
556b08f94ae14ba59cc54f543e7ca951

SHA1
01cff9cf05010237a2dc345cdb6590ef2287217c

SHA256
fe0376c79a635ac090deb2b2fb37853f4166420703f1e91b10b765147ff687d0

SHA512
7eae9b3cd7926ffa6239058a034b603c587a3ea296a2069e8078227a7bd79ab2f62fd69664c8dd6b4cb9b0871d5c72eac6b9f194a9b45e253d1894607c3d4e0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
818ec75e70403bc7d1fad754f9f07757

SHA1
73223f1e9017a663c2ce2e9ceb0227f610e32269

SHA256
db3d9ca26adbd72e22ebabb4ccaf0ae58928bf9afa0e07b46b8f7de3f45f0d41

SHA512
8bed323868cef9bdea016ebf983633b226c68892073c3b1571bb612800681619dc2214b0504786f66708cafe787090186b1070e4868f34d2d27d10f5820f6175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
ae86660e7e5bb42b34edc9e048dbcd98

SHA1
5293c0b0d24f0859f5077616906f82fbe989aedd

SHA256
41adf5eeeaa69f47bdd13788dd948b9c0dfa62476a9ca2d74a8ee178ad3a6222

SHA512
3888b9ab9615811318f1e9773540beb298ad824f15f8d35aeb211c396bf7abd65a563de9c6c006e85ec937b83a04f5a6d0a1243a2dc34b74e40f3f29bd6f212d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
31164df23938cfa0f1bd0fe8894b2b52

SHA1
4bc6c5c04dae40858e02c9225a69c271ca769d79

SHA256
7fec7478dd6ecb2ad878253a97b1aed35676370fb6d98f4202300a978b0cf1ac

SHA512
57f576761044ebb70bd2e577b1ab350bd845e5683631f4e0ec94ac2bea6f782a0f765e4c278c2856c2a89ce509d8dfb69d1d9e976e924fe8011d1defe612d093

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
69eef72138b590f77d2d373f07feeb09

SHA1
ceb7dfe7df6d608f46bf8a1e4aaac1a94a9c1853

SHA256
749923b44a3d095f9116f61e216ca921061d3c02717bc1af827e24ca996b16ea

SHA512
f15a1d79daaf6c7404f88ed40321277fe50c738b919443b0069783197bee6f8ea96877868473705ccfb30f78b9da771e652b2744616ca43811fb751f399f9712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eb20b5930f48aa090358398afb25b683

SHA1
4892c8b72aa16c5b3f1b72811bf32b89f2d13392

SHA256
2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35

SHA512
d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3901c6c20b48aa66443b4036894f8647

SHA1
b0ddb5edc5d9f4112c66eb4234aa505302c450e7

SHA256
9d0206fe6c2187aa56d7f957bdab3e1aba22ce00016190ba680b2daf055afa81

SHA512
01ccf708abb726bf47f3783807aabcff31214301aa82ae123bfb6a77be3c84d24ddf132bf575e32b37a09b3c46fa12866bbe1c7a3a9d4cbc08b63c577b03a127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
b2068552035dad0cb7439f59aed0c1da

SHA1
e2d65dc4d7664361c5996e824a614725ea46248b

SHA256
ade458020995eec8e4fc9eb6e7579d28e8ab93ceb5b665df13890f0276e0437e

SHA512
b23d7ecc9eb6ddf3605ce5e9950154045212d6ccd4b73a74be8876d0bda5a1db386ec61463055addb8ff62737e59a05ce8f0f837c995f4980eb92c4d287bd50f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
faf9386d2b3ead95cb6b5c4db02401a7

SHA1
ab3c9ddbe659dd613b71f3f08492a6783974f2aa

SHA256
f7e4aca1dbff10d1d9c28adf7fa1b560c5dbd47f1dc2e3d6252f3c422d77604f

SHA512
0f73653ccd9df5e1121b376cca8a153197ddb34d5f0b3dab7bd6f4d5e1892884df8be4554233735bf8f202614d1690b0744ac0b0a7397862a84ad666ab6a2641

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\datareporting\glean\pending_pings\8b276d67-d8da-4192-aaf5-d1ba653a862b

Filesize
11KB

MD5
cd859b2e34ff54f0d63cbf3a17f51a07

SHA1
0fdecdd570a786d16c1202f1618ff5858f4f5e4f

SHA256
a481e75b773404a94d5edb1355bfb40810e70601170b7cb33411a7fddef9fdb0

SHA512
31f366dabe74823e695e8d67bcbea96e1c783b3cd550a4c9a646bc3d07fb33ca61c6dff6533784b2f08a8854956c6981aa2d3a4ab8b2ffab7001e968a58a0e93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\datareporting\glean\pending_pings\a14086ec-2674-4c7c-8388-823170b011c4

Filesize
746B

MD5
262efcac7fd2a5d99d6f466ab5e38914

SHA1
5940945dd64f4d8ec5ef8075b595bdba8850ebaa

SHA256
1d1c0ed0cb6c27491f3d6e35309684ffa091809b4e52fba5b9005891aeb0234b

SHA512
063cd12b07497d2befe2524fd48f87f8f58a733687000d11a465d94c3f83b4a6f302c73535aa911835a6c8a8121f754a974c06294f8d88318d3dc1671693f891

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\prefs-1.js

Filesize
6KB

MD5
d75a1c19bad638ac52515a9a469be2c2

SHA1
d7f9aa0ec1459b6e53e27c6d6ca4864a7b5e36bb

SHA256
e61dfbf9059bd97d5b7606169c80d49d78ff4511a001bdaa75d05aa4947dfe79

SHA512
abe315767226d6b87eca7b7a2fd12c674bf55a191088f38c2dc8d3cbe7ca0d014f7eba44d12892a18e1b7bcfd532f02ebbf6ac39fbfbbf32c97c2d2f3c9e5ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
175f72fd2043c47a73b0bbab517b7dcb

SHA1
9a4e206e8b1e353d4b111b89c5322ce623604676

SHA256
4f9ebde97d7f264a900d00bd75f5d21aab1e15c81c06d32b9f1ef4cd37617982

SHA512
9292b20b7fb9ce9cacd85f1ae088e1114ccc93e33ee10aed639fb405a3f48d233db81918d2d1692e00ade43c0a5d28d401ea61ef605456ecb42794a034d255dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b1e9109b208aafe37670f10ac8e81d74

SHA1
0f26017fa33404e3191425ce6ddd2764d3d359b0

SHA256
6860a02677c25ba9489a1dbb229d6b00838d1ef8ae73b1ef8f0c0fcf71df60ce

SHA512
a532e27b459763d0276eefd94d5b09d58689386d58f0e96f1b35976fc4b9976dc847108fb4bc67d4e2c1b1d6cc8806ae2dc5fcbfb522a536fc88d8b8e809a240

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
f7dd1783e608ac49c60cb391651eb8e5

SHA1
0125aab2c6e18ec80db36767300fcaebb43e35c3

SHA256
58f2c2e63fb14fe862a5473a7ab58f15540740b09c0ff82987e644629d4c8eed

SHA512
aed21e96b2212f5aaddc1ab9948d36a950c69c165f1457e1596d4653b9dd16a5ce1c0ec3104ffca2a698bc2545b3ddf62a6911807abc7a6785bc052146c52076

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
a073123747b31e146eb5aa6c8598abfe

SHA1
5d2bc1f6f0138b03c359d5276543a5cfc501f288

SHA256
585c76eaebe477dfcb8832a2456dc869fca918a9427f7a62939cf400ae757a60

SHA512
65aa4bc50adfd4000e0b8c5ce1652b78ab3a08c34ca3a9cb72163e1476a58f9ac3b4ff774e3ed1a10270aef537fe966784307016c7d173ec05442a848cfbfc94

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads