hxxp://legalhub[.]la

Analysis

max time kernel
180s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://legalhub.la

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133500550258860649"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
3228	firefox.exe
3228	firefox.exe
3228	firefox.exe
3228	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
3228	firefox.exe
3228	firefox.exe
3228	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3228	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3996	4996	chrome.exe	67
PID 4996 wrote to memory of 3996	4996	chrome.exe	67
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 2220	4996	chrome.exe	84
PID 4996 wrote to memory of 4460	4996	chrome.exe	83
PID 4996 wrote to memory of 4460	4996	chrome.exe	83
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82
PID 4996 wrote to memory of 3676	4996	chrome.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://legalhub.la
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8464f9758,0x7ff8464f9768,0x7ff8464f9778
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1744,i,11239384541694315043,4712732907485560867,131072 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1744,i,11239384541694315043,4712732907485560867,131072 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1744,i,11239384541694315043,4712732907485560867,131072 /prefetch:2
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1744,i,11239384541694315043,4712732907485560867,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1744,i,11239384541694315043,4712732907485560867,131072 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4632 --field-trial-handle=1744,i,11239384541694315043,4712732907485560867,131072 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1744,i,11239384541694315043,4712732907485560867,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 --field-trial-handle=1744,i,11239384541694315043,4712732907485560867,131072 /prefetch:8
  2⤵
  PID:1228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2220
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.0.727587623\448596322" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e744ab3-334f-4780-bc33-4ab9a8670132} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 1964 155fecd8458 gpu
    3⤵
    PID:1012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.1.531296660\2009317408" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20707 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bebf396f-f11c-457b-b10b-34a2a982c676} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 2364 155f6a72258 socket
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.2.2095936126\240977044" -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3188 -prefsLen 20810 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c053daf6-cfd7-45f4-8ebd-1e4783b08edf} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 2876 155875ab858 tab
    3⤵
    PID:384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.3.2072230082\1092229290" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 25988 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {742eb0df-72e9-4e6c-ae56-145a5bc0847f} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 3580 15586964958 tab
    3⤵
    PID:920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.4.1256055110\2133588128" -childID 3 -isForBrowser -prefsHandle 4024 -prefMapHandle 4020 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0fc1aad-5e9a-42f8-b6e4-d580557063e7} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 2764 155888e6a58 tab
    3⤵
    PID:4300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.7.1870990471\1126523196" -childID 6 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e7bc659-b85d-4262-af99-08f92e2751aa} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 5620 155894c8f58 tab
    3⤵
    PID:3640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.6.910154340\228235396" -childID 5 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dd00bc4-c20a-4121-99d9-412c0d3857f9} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 5344 155894c9e58 tab
    3⤵
    PID:1600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.5.1068520009\776200095" -childID 4 -isForBrowser -prefsHandle 5208 -prefMapHandle 5204 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f17837a9-3fb0-4431-b162-035e17f29352} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 5216 155888e6158 tab
    3⤵
    PID:1648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.8.143071145\124945543" -childID 7 -isForBrowser -prefsHandle 2912 -prefMapHandle 2900 -prefsLen 26206 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ff78bee-85c6-40fc-af4d-ac62994ba483} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 3088 15589047f58 tab
    3⤵
    PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
1e9c6283888dc1ffb8c640f12110d429

SHA1
0adcdff3d00e3e5625b07d7a46f27616b431d851

SHA256
d460920f22782144e45a56e243f7a3ae6820addf9127b560d586a4b0c6fdc347

SHA512
2750aa9453900ea3501b98c853b5b9ef67c2cf7760fde78948b5ed567eaa80b7015c844cb4e1f5e1e6b60c45c3b2c9d0a2f2bdfbb2a26251c60cfa30bfb2c530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
1f10b790ba8486f16ebdeeecfcf18aee

SHA1
9b6e99fbf424f30d60ca55089781bda2b0966c1f

SHA256
b7767912e3020c8d022be95f2ce1ed587f4789edf34ed41b65f9d7d3b9262219

SHA512
c586614ff62a0dfdee140bc702240f56537873372db6cda064f19d8f30e3daab28ae898b03034e90462c91803bcb6ef63988d8d2ff6143a4a35e78cdf9e1fdd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4adfc3e3d37e907f68c025ee2dc66b8e

SHA1
9d51c582b1ae68fda03e93e517882806d4ffef6b

SHA256
de4eb14c3bc4b3cf3da7c9d8cfb796c19f87d85b3e6b9963def92894119c6afd

SHA512
ba28208b96d7383e45e78eae0fd64efcd9ae9fafefe3336aaf2acf49d1db87e4b223cb058a3afa5eaafbe5d46b1761640e1f94a06874d83f0f6744578a852e19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9f4e36f136d25bc5dd00584b28a0c6ef

SHA1
6f1387a4fd5d4c5919ccc43278834f97cf3949ae

SHA256
26345fbfca259da552fc8b75b4a8fcbe36070078729e327442945b14dd7c9986

SHA512
82a4bd27dfc6e5e04d6a9c6ec1614ad6246f5e99b7e4207311b275f0ce1e728569cb540260d3cd7cf96b035fd3645274163226465fe1f2cb0dce77c09082ca39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
d495205939a3c4015d2674056af2d990

SHA1
ba9b3935d36c10ea2f20db9bc5e441eb11efd9a0

SHA256
09572fdd882d24e5dd55d4904644f446957db87045bb010cdc638b4c3fc9b228

SHA512
fbdb2efbf0e5e9a5a74999162ab559b82407ac95ad3846140531e82d2db818f67f3a783f0b445029946bf08da66a718ef85a1c18e155e2f4bc7a30d0f52c878d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
810088dc74b6fb393c97548e5b7d99e4

SHA1
bf902350f2c99ce71a6da21cc9767062ea4af8d6

SHA256
fb34c2028bdf02ea5c4b7682751ed7626df0826192d7e4773cb9ca3e2bcd699a

SHA512
7dc90856e6506ec9d0b13d681abfc7bff322436b31033e5e6e1d01313849ff04b6d454a685072064c77c65b3ec6b800390c05766fa28885440b3dde039ef54fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
93d6553d27df1f539ad9e7808eff7c05

SHA1
f9580426a017bbcbf2f002049f8cfe24351bf2c6

SHA256
57a1f6b55cbb52890d0863d4bf0b0a28dadb79c3ea6621a93802e90092352477

SHA512
c69ecc6e359d5bef4215b20e9bfd77364a0144edef575040da30b85c916201903d4f7f69201a87f84e7398279bd8f79a186e876cca7f6701f9159a9d46f306a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
d90ccec9b781bd3a38e497e8d3aaa91a

SHA1
42852b440f43399fadd24cae42e76b7997153507

SHA256
e8d1734c62afe18f451deb1bfefbf8e9c82ed205a99db5ff8a8de320621b01a2

SHA512
aaf5ccd1052da79466ed7fb050feed4b6ff8c42765cfd9e099b77fcd8ea4ba6bbe537c4f46f65ad88acd9fa6a0028618e8d2f1f349091176a20163e403731344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
fbe8c3fa1f93bfb33dc1be562cd18d21

SHA1
fae2c3163e1f8b03e934c7896fe15a743339ba48

SHA256
c48c87189f64dc18f7825c911c34df6c6bc8e99e3bfc9558b298d5a7d1b29bb4

SHA512
c91b77038cb15ec45ebb38d826620bba2db19467714fea31dfac6c3064c1695d00503706d328b73e838a871de140a918f634825dc1f27578a9392ce30fa1a47c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
c65cf296fc32aefb3dbe3c3ebb3a441c

SHA1
dee973229ee102fe3e67ffc869c21d0a9aa03046

SHA256
a030a788edca8e3e3ad34bfe104ef515be05af8dcdceea1757e2dbac941a3197

SHA512
70ab28d5bfdc2d2e436d926340ac3cc4fe8b93e5fa67501937b7850f085998ad70b366dc3a8097c71c95388ae3fed11e13fb6d86447b8ca5489a639ed68c467c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\1f82157f-6272-41da-8eb5-bf81f5b74dc1

Filesize
10KB

MD5
f4e12bc78968dd83ea7434f6f11e818e

SHA1
ca6bc9e0e0489eaf64675a7ceaba60e510c8c9e3

SHA256
cb91a870cba2d24a991f68eddbae0c9bee8ffb416960927016c908bd09bbd502

SHA512
38674c13470b474cfbe92cff63c6b2530ecd1825eb2cbdd62ec326e1ea7579ca312ff4da6486da3de95a2296c8a8aa34dffaf6de17b314eb53c9be8e3d6b29f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\421f9ecc-6091-4f8e-a361-e4ec083778fe

Filesize
746B

MD5
6feed9da6f862b5a8e5be6b516ea8ca3

SHA1
0d46cd98e6bb1f0aae16a188d8d44ec63fec70fb

SHA256
4d347c2e66c9e5cee39ead675e64ff6babb0e73d4ac1fb1e63325d5b8f77bd7f

SHA512
1c7f274381f27f9d9b5e4883de391cf2ec70e8f69208f86ae2e0d96cccc8d1bd85074c42b56c7852087a6a637220f594cfa4fb5b6f55e9ab956cb3d09c16849b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs-1.js

Filesize
6KB

MD5
cb609dc61710073af67167b70d9e0eb1

SHA1
43de4cf6e247f22e5fe69587dfb175c83e81ca89

SHA256
82858617ff66b15c859cacbef194a461d80ca3fe82bbe124c965817332490da0

SHA512
70080772e94acec4e508723719ca89e54e4739501d13c80183baee20a800015bb6c6392312d971adbfec10413b9241438df497959403723f14a3efbe5630847f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
7d1d3a07bef8cd4045c964592dc059fc

SHA1
bed771140a46b538d2f2b5bf2d08b03d172a30d9

SHA256
0fed73e942190cac7fbc2c45235b4e1e97a1d76eada07d2a9a14a2ffcd81b2d4

SHA512
e3b6f78093e2e87cdee196f3989cfb9cb2c339cd12e648405d19ea6042a6cac603e51e5238efefd8f2ebfc175864164ce71a66cd9ebcd7d9ff8caaf28cc197ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
bf8fbb9d68afbc878a97145ccd99ebbe

SHA1
c9be87f02f47f3ad45efd96f11310673c16c54a8

SHA256
e3dce62b89b57acceacbde4ce0541d4585c235a66ef2737a412d1b8d00e29688

SHA512
908fb86ea36d415ea87a08bb74b1709464fa14e9b74f9184c25690734e34094e39927bc7c63d272a3c7237cfd26848d02c8bf88b0fc608f84591a711ed71a658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
b9d439facf83a5b1b9c012144c537cee

SHA1
eb7d1d392e9ffcda5db15320e2e21da89c279a25

SHA256
20ebef7a304c20c31e34884a00b1ed2eec407aeb820b405f98e0417bafb32252

SHA512
d23127a2be17822cd0e5204e776f857d053df4a3c639e3d7ac73be1b5aaf096e7f695212ec2764a6fe401ef2f29f793bea7743b705acb94f8b51deb88f7556f4

Download Submit