b6c282624ffb856b74a12c1d1e5011bc38830c345be1efbc5551e6a98f362ec2

Analysis

max time kernel
83s
max time network
137s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Other servers/The Photo Gallery (843246367546540082).json
Size

30.7MB
MD5

e4638a7ded98e3a591a41c6bdf8ff9fc
SHA1

e60b985ff5e7e59396a17ef4808deabdd74c72a4
SHA256

7826e49f326104116880b0b55a8b534da56666226dde5f2ee26e23d2c3080a0a
SHA512

76ba6c94f2fe6f9f243a83bd00e76d74973c5a2753c8a46aa303c5a7b72a9ed9ef78710213d7a6e9eceb8a5fa6ea6b193a3b78d7228084fe1118526d7915f4ff
SSDEEP

49152:bKC5VXGwLRYPLYt1rgYARANRf61RYckLejngCH3+mnXHnprd95LPH/VOe0HRc8pJ:hQ1RYckq7dk9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\json_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\json_auto_file\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\json_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\json_auto_file\	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1092	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
596	chrome.exe
596	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2812	rundll32.exe
1092	vlc.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	firefox.exe
Token: SeDebugPrivilege	2560	firefox.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2560	firefox.exe
2560	firefox.exe
2560	firefox.exe
2560	firefox.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2560	firefox.exe
2560	firefox.exe
2560	firefox.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
1092	vlc.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1092	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2812	1720	cmd.exe	29
PID 1720 wrote to memory of 2812	1720	cmd.exe	29
PID 1720 wrote to memory of 2812	1720	cmd.exe	29
PID 2812 wrote to memory of 2804	2812	rundll32.exe	30
PID 2812 wrote to memory of 2804	2812	rundll32.exe	30
PID 2812 wrote to memory of 2804	2812	rundll32.exe	30
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2804 wrote to memory of 2560	2804	firefox.exe	31
PID 2560 wrote to memory of 2880	2560	firefox.exe	32
PID 2560 wrote to memory of 2880	2560	firefox.exe	32
PID 2560 wrote to memory of 2880	2560	firefox.exe	32
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34
PID 2560 wrote to memory of 2732	2560	firefox.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Other servers\The Photo Gallery (843246367546540082).json"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Other servers\The Photo Gallery (843246367546540082).json
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Other servers\The Photo Gallery (843246367546540082).json"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Other servers\The Photo Gallery (843246367546540082).json"
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.0.1067396153\334064386" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1f0c6f-03b7-4326-b9b8-8fc0e940b7a3} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 1268 11cd5e58 gpu
        5⤵
        
        PID:2880
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.1.1494793945\1685326930" -parentBuildID 20221007134813 -prefsHandle 1456 -prefMapHandle 1452 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0de8699e-08e2-4cc3-82ea-e3c068ea23c3} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 1484 d73158 socket
        5⤵
        Checks processor information in registry
        
        PID:2732
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.2.50535281\1151540574" -childID 1 -isForBrowser -prefsHandle 1992 -prefMapHandle 1704 -prefsLen 21713 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b126850e-4d31-4362-a196-c7bd33b9a97f} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 1940 19ebbc58 tab
        5⤵
        
        PID:1108
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.3.1231412800\44147107" -childID 2 -isForBrowser -prefsHandle 2556 -prefMapHandle 2552 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {949057a3-a577-4650-ba82-c30b25548b1f} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 2568 1ba31258 tab
        5⤵
        
        PID:3040
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.4.616819169\1849260556" -childID 3 -isForBrowser -prefsHandle 3540 -prefMapHandle 3532 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c6595a7-96bc-47ac-a682-44eec1d3c1d2} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 1096 18cc9c58 tab
        5⤵
        
        PID:2688
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.5.1279722187\747630789" -childID 4 -isForBrowser -prefsHandle 3708 -prefMapHandle 3712 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10715581-7d25-4a06-803b-c41be3741baf} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 3692 1e743a58 tab
        5⤵
        
        PID:2540
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.6.1347181547\1520860915" -childID 5 -isForBrowser -prefsHandle 3896 -prefMapHandle 3900 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f7ad924-257c-475d-a495-a379a7a56b96} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 3880 1e743458 tab
        5⤵
        
        PID:2700

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EnterResolve.aif"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6149758,0x7fef6149768,0x7fef6149778
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:2
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:8
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2116 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2124 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:2
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2308 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:1
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3796 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2100 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:1
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1616 --field-trial-handle=1216,i,1161705438409597740,1853073663307723466,131072 /prefetch:1
  2⤵
  PID:2396

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
8451133bfcc73691e02943d6b2278520

SHA1
41e53bedb2e3b5306dcd4a23a9c6c6f63237cb4c

SHA256
9ebadc7fbdbf06f34e3b707290ee62d030a9dc52952f7ebe9c8fc859b4c131e4

SHA512
645a05fe507b15c57f3269f641077442cb29bb5687ad3abc8f71f9c904c624f6c5b61be298dd654affe50a13901b360d2a2d331d63421dca2c961573ace304f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
35e4c7e953a9b10d163e1eed57bf3a2d

SHA1
4d0e3a16999bce616b34697c83e61e6b358ba1bc

SHA256
56efaf23c6a383760dcbc6fd11d9181d5ed21c6f4a6fcc5ad62caef7c29fc30a

SHA512
46070fc8b2a842f34eaf6e52c2b9287f548ef8bf76f557572aa99ef97a0c4a8a78f44aa44896ffb750ac43af5688f8b1574108ad8cab4aef93423a2db0ee88f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
ec1cda0bcdaa28965781ec294acac2ed

SHA1
279d0359be0043086671c2179db9a39bc15b4fc1

SHA256
be3fa97c8e039874523faad80ba371a1a588eb5ad31c2303c087ed21a04f953d

SHA512
81eee4067ea5dd5d36193733daa7fcc3e90b33316e289bcaac27a100558a654b598c7813cad059363a599cb22d5ae717fd856d3d7751ec147b5f53500f51e4ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3d68910c05c9a9c52999f9cf5eaef852

SHA1
2e4b233b60c1d5ffe34e2bb0f5743832572c90cf

SHA256
94315a4e5731e2555f885af721ceecf65504fba68bb5b114eefe7bd6eecade89

SHA512
8c20c42ef5c418995c7b1e55dc6e90a90ad73f74ee5d98601fafcd241ca51748119baf3912e0bdcba1b5560adc7eabc82b285e324eb6c55e2395952d7095c938

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1bdf54f1bf1dbdc160f634c34dda9177

SHA1
61d63a4267ddb901ee861063b3da537d7cdeda2f

SHA256
fa4ccb8e9b3a2501c885cf0d600e141c8a62275f04498617e066f73f5e0e2b92

SHA512
c27abffa66fc8b538a60b521e3eb520aeed21bfaca203cdc88d0916743a89a82812d53c82ff6a76e3e4e5b093e9aab1f5c9fe6d0a287ef6a0789c008efa4f2b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d65bc9c8bb0005159674bd2a2f188525

SHA1
988bc1002909715aa4e718b0be1e65422a1024e7

SHA256
f5a3170a5a95d943e37aa0c73fb32a3b98ce4f78faedb86bdcb4b5d53ecf2096

SHA512
9927b4b70a38cfb6cd7dfa0532996902ca8ea35979caf8af3eb505143d5a2fc4dbe9450722c1b87dde233b2dd5d031f1170cb6279ae258e9a76a4a7a095b6065

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cf47cb490d3fad1235d0b4e53e45de2a

SHA1
3e0619526786293b73cc0d290264448bcc8b4a60

SHA256
42578be6c7dec7c09ce8736b6e0f0e99e0bd3ee1bcb2365effadf318e5d4ec6c

SHA512
ab327fdd5fb097ff548bb48a9809beba6076c4353465f9ecd79296418f8416cd25f00bedfac7db97af2b559ec0b96b78662cf10bdfe7225a035fbb08bb3f7d1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
dd5b6a9606550f4a8e264948a30b324b

SHA1
0eb0f5da0c4a4685f7613973a66014527e3c5b2b

SHA256
e1758c6b0e6cc817ac77a4701a530ffe1719f074fc1a3514f2348b8f35704fdb

SHA512
e1059c5c332aa5ec74a029e8c17b5e2063527e3b2a2441010b564fc4c4279c113da7a2612af2472aecc4784f149b6b5795024b9fe4410460fc85e3a8fc9cc25f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\pending_pings\0773d456-a7c4-4434-bfa2-21d02d28729a

Filesize
11KB

MD5
08aacc9877d1e096f890f86ccdd0049c

SHA1
1f2c49a4a1ef9dd26d69a98620e83d937ec7fc0e

SHA256
0345304b2c49476dce30c0be7399724e2de4a6b34e1300245fbcafbdb5fd2d6f

SHA512
e73e4f7c8f86043e7e86e2f9c9702a47c23be8abcc54963367e410c91c14418556dd25a9a4071c27576ac8ed437ef62ab89bdc3a63fbdece9c3a0c46443d5db5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\pending_pings\edab96f4-9b1a-4cc1-981c-19159bb2239f

Filesize
745B

MD5
60d8b7a5c855271321a26e7bf44f3ac6

SHA1
5fc12edb3ea45a0c10260b0fec8497fda30254d6

SHA256
8eb06954c136c888a6b091ce394fdf5f974bb94dc1691037727a427c0f273ed7

SHA512
d11aa567f7851cca9e6c2f09df1a965fccbe858c1c877fed1714f2924ad98220aeb2f61aef586476cb3a6b8d9402b58fcd3b874161e6d7c58875d2a3312eb8f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\prefs-1.js

Filesize
6KB

MD5
52f50f448beb5600fadc3433ae0f8b04

SHA1
3a50a455bde104599780ce363fd4de7be1889361

SHA256
0fc9ac61a4468f9a4664130dc756c542f44584089d74f22ad011cf46ffaacecf

SHA512
260ab77f2e296b6ece9fb7c63c284439ad8d12d7d355e59ae359b9b1092c1043815b60613468793b3335799c655adef5d06a92620560cc9abef8ce4e63281eea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
45f0c0bc91f45ab070106a79dde2cd09

SHA1
9f6165ff66a2e41c6d781b1c9df15368a67b5e44

SHA256
163f094f4291fe3f0f8381450d41738ee07706cc32e46475807075438edf9a3c

SHA512
2f3d225043b602f5c9b35e1a03763bb0d05c2557ec0fca19d031637e5c205acb889e0c76d28a1e71d36ae6ab9cbdf80ea625cd82c081742293d3998e87e4ca82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore.jsonlz4

Filesize
970B

MD5
792b3eb8eb7ad441e9228eaeda558cdb

SHA1
d936232ce10cedb648738b59c8472ac465bb898f

SHA256
4c6a699703124686ce7c3ffb5458f0fe7f3f4ae46952c745f87507e06edfaaa3

SHA512
d6636225aed2e7b64b9d3269aa8d10aa15cf1eb89fd83774d26fe39c130cf6bb97891026142b789e282e447cc674a0c0fef5516336663832bf230df3752c9cde

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
77B

MD5
3b26b9bd0f492490321c26213b84758f

SHA1
92c23a00e171bf099d76294c412f33ce35b9c874

SHA256
c286a23353fbe3de4dc607220c4befad4daf65dcc9131e310f099f220f007156

SHA512
b260fd09197a7febda497a0f9c7be1bb07b21971809e07449183caf536108725f0903cced7747fea9fcb68e8bf7e01a4fa087292a4425f234e5cc261caebb2e0

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
e1e7785c8d9537d59d45cefe432deb61

SHA1
eb7a7358a97a79938009733d7f604b0bc55b7cc5

SHA256
c084f3c01daa6b8cf1c108da3e2eb54e3a4be5c4a1dda7c7aa14040c04249933

SHA512
9f7d04d7ae7e703fb274abfeaf6525d54737460a748e148d875e749b0f88c5136c00902554dd8e8be1685647f8e27688625eea4d364b339585b8adda4d0510da

Download Submit
memory/1092-247-0x000007FEF5A40000-0x000007FEF5A70000-memory.dmp

Filesize
192KB

Download
memory/1092-259-0x000007FEF4DB0000-0x000007FEF4DC3000-memory.dmp

Filesize
76KB

Download
memory/1092-237-0x000007FEF5B80000-0x000007FEF5D80000-memory.dmp

Filesize
2.0MB

Download
memory/1092-238-0x000007FEF65B0000-0x000007FEF65EF000-memory.dmp

Filesize
252KB

Download
memory/1092-239-0x000007FEF6580000-0x000007FEF65A1000-memory.dmp

Filesize
132KB

Download
memory/1092-240-0x000007FEF6BE0000-0x000007FEF6BF8000-memory.dmp

Filesize
96KB

Download
memory/1092-241-0x000007FEF6560000-0x000007FEF6571000-memory.dmp

Filesize
68KB

Download
memory/1092-242-0x000007FEF6540000-0x000007FEF6551000-memory.dmp

Filesize
68KB

Download
memory/1092-243-0x000007FEF6520000-0x000007FEF6531000-memory.dmp

Filesize
68KB

Download
memory/1092-244-0x000007FEF6500000-0x000007FEF651B000-memory.dmp

Filesize
108KB

Download
memory/1092-245-0x000007FEF64E0000-0x000007FEF64F1000-memory.dmp

Filesize
68KB

Download
memory/1092-248-0x000007FEF5490000-0x000007FEF54F7000-memory.dmp

Filesize
412KB

Download
memory/1092-231-0x000007FEF7200000-0x000007FEF7211000-memory.dmp

Filesize
68KB

Download
memory/1092-246-0x000007FEF5B60000-0x000007FEF5B78000-memory.dmp

Filesize
96KB

Download
memory/1092-250-0x000007FEF5A20000-0x000007FEF5A31000-memory.dmp

Filesize
68KB

Download
memory/1092-249-0x000007FEF5420000-0x000007FEF548F000-memory.dmp

Filesize
444KB

Download
memory/1092-251-0x000007FEF53C0000-0x000007FEF5416000-memory.dmp

Filesize
344KB

Download
memory/1092-255-0x000007FEF4E00000-0x000007FEF4E23000-memory.dmp

Filesize
140KB

Download
memory/1092-254-0x000007FEF5A00000-0x000007FEF5A17000-memory.dmp

Filesize
92KB

Download
memory/1092-253-0x000007FEF4E30000-0x000007FEF4E54000-memory.dmp

Filesize
144KB

Download
memory/1092-258-0x000007FEF4DD0000-0x000007FEF4DF1000-memory.dmp

Filesize
132KB

Download
memory/1092-257-0x000007FEF5330000-0x000007FEF5342000-memory.dmp

Filesize
72KB

Download
memory/1092-256-0x000007FEF53A0000-0x000007FEF53B1000-memory.dmp

Filesize
68KB

Download
memory/1092-236-0x000007FEF3270000-0x000007FEF431B000-memory.dmp

Filesize
16.7MB

Download
memory/1092-260-0x000007FEF4D90000-0x000007FEF4DA2000-memory.dmp

Filesize
72KB

Download
memory/1092-252-0x000007FEF4E60000-0x000007FEF4E88000-memory.dmp

Filesize
160KB

Download
memory/1092-261-0x000007FEF4C50000-0x000007FEF4D8B000-memory.dmp

Filesize
1.2MB

Download
memory/1092-262-0x000007FEF4C20000-0x000007FEF4C4C000-memory.dmp

Filesize
176KB

Download
memory/1092-263-0x000007FEF30B0000-0x000007FEF3262000-memory.dmp

Filesize
1.7MB

Download
memory/1092-264-0x000007FEF4BC0000-0x000007FEF4C1C000-memory.dmp

Filesize
368KB

Download
memory/1092-265-0x000007FEF4BA0000-0x000007FEF4BB1000-memory.dmp

Filesize
68KB

Download
memory/1092-266-0x000007FEF4B00000-0x000007FEF4B97000-memory.dmp

Filesize
604KB

Download
memory/1092-267-0x000007FEF4AE0000-0x000007FEF4AF2000-memory.dmp

Filesize
72KB

Download
memory/1092-279-0x000000013F390000-0x000000013F488000-memory.dmp

Filesize
992KB

Download
memory/1092-281-0x000007FEF72D0000-0x000007FEF7304000-memory.dmp

Filesize
208KB

Download
memory/1092-232-0x000007FEF71E0000-0x000007FEF71F7000-memory.dmp

Filesize
92KB

Download
memory/1092-233-0x000007FEF71C0000-0x000007FEF71D1000-memory.dmp

Filesize
68KB

Download
memory/1092-234-0x000007FEF71A0000-0x000007FEF71BD000-memory.dmp

Filesize
116KB

Download
memory/1092-235-0x000007FEF7180000-0x000007FEF7191000-memory.dmp

Filesize
68KB

Download
memory/1092-230-0x000007FEF7220000-0x000007FEF7237000-memory.dmp

Filesize
92KB

Download
memory/1092-229-0x000007FEFB8B0000-0x000007FEFB8C8000-memory.dmp

Filesize
96KB

Download
memory/1092-228-0x000007FEF5EB0000-0x000007FEF6164000-memory.dmp

Filesize
2.7MB

Download
memory/1092-227-0x000007FEF72D0000-0x000007FEF7304000-memory.dmp

Filesize
208KB

Download
memory/1092-226-0x000000013F390000-0x000000013F488000-memory.dmp

Filesize
992KB

Download
memory/1092-282-0x000007FEF5EB0000-0x000007FEF6164000-memory.dmp

Filesize
2.7MB

Download
memory/1092-283-0x000007FEF3270000-0x000007FEF431B000-memory.dmp

Filesize
16.7MB

Download
memory/1092-280-0x000007FEF2D50000-0x000007FEF2E62000-memory.dmp

Filesize
1.1MB

Download