6950e9fec1f8bbbb2cfcb04490bdb3aea6e837975b4fbc9291fc333ddbb7a71e

Resubmissions

27/02/2024, 19:56

240227-ynrngsab29 7

Analysis

max time kernel
139s
max time network
142s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
27/02/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db/completionist.db3
Size

48.0MB
MD5

e58e08509f23d12c9b3f94847896013f
SHA1

a07cd5aab2fb7e5ce035701fc8524503acbe209c
SHA256

c2da7eb5ad86b55fd0e59013cc35caa6c12ea0072a62d133ba171de2937ab408
SHA512

d4de39775f69881967e79462d933ccb59c43da5df3c984a9abc3c78ce0aac67a09df565ce773903fdccc2d72bffd837764d62f0def63b7b1fcce79394c9ab458
SSDEEP

196608:xgKo5sk+dIiniD2irVKCxkYDspTAffsMmMlXZ39ZnMK90aBr:xgKo3+dIim2iRkMIJolXZ3MKy2r

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133535375367971112"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
4764	firefox.exe
4764	firefox.exe
4764	firefox.exe
4764	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
4764	firefox.exe
4764	firefox.exe
4764	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1400	OpenWith.exe
4764	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1604	1524	chrome.exe	81
PID 1524 wrote to memory of 1604	1524	chrome.exe	81
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 3732	1524	chrome.exe	84
PID 1524 wrote to memory of 4648	1524	chrome.exe	83
PID 1524 wrote to memory of 4648	1524	chrome.exe	83
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85
PID 1524 wrote to memory of 2224	1524	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\db\completionist.db3
1⤵
- Modifies registry class
PID:1588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffee62a9758,0x7ffee62a9768,0x7ffee62a9778
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=1864,i,4291553265138005873,10290579961692535524,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1864,i,4291553265138005873,10290579961692535524,131072 /prefetch:2
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1864,i,4291553265138005873,10290579961692535524,131072 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1864,i,4291553265138005873,10290579961692535524,131072 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1864,i,4291553265138005873,10290579961692535524,131072 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4432 --field-trial-handle=1864,i,4291553265138005873,10290579961692535524,131072 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1864,i,4291553265138005873,10290579961692535524,131072 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1864,i,4291553265138005873,10290579961692535524,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1864,i,4291553265138005873,10290579961692535524,131072 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3808 --field-trial-handle=1864,i,4291553265138005873,10290579961692535524,131072 /prefetch:1
  2⤵
  PID:3768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1284
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4764.0.1484355925\536829423" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d45fb815-6606-4f22-91f5-7b5ac03588ed} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" 1796 2149b0d6758 gpu
    3⤵
    PID:3440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4764.1.1537704931\1621017038" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ef759bb-2732-4242-910f-62d7ec50557b} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" 2152 21488d71958 socket
    3⤵
    - Checks processor information in registry
    PID:1940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4764.2.1166819258\766437377" -childID 1 -isForBrowser -prefsHandle 2760 -prefMapHandle 2736 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a88168aa-b5e6-4f65-b1ca-c3b4472eb25b} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" 2860 2149f39d858 tab
    3⤵
    PID:1588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4764.3.756738391\1037379021" -childID 2 -isForBrowser -prefsHandle 3104 -prefMapHandle 3108 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8871c7a-eccd-4163-8d30-97c3d6a938bb} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" 3112 21488d62858 tab
    3⤵
    PID:4428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4764.4.905852755\63339719" -childID 3 -isForBrowser -prefsHandle 4252 -prefMapHandle 4248 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc40ced3-8081-4ed5-b2b7-3aef3bc6f8e4} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" 4260 214a0ed8c58 tab
    3⤵
    PID:4656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4764.5.1180549036\604235932" -childID 4 -isForBrowser -prefsHandle 4740 -prefMapHandle 4724 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {538e5c0f-2bf4-4058-b4e7-e2f47ee818c6} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" 4860 214a0ed7458 tab
    3⤵
    PID:1144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4764.7.1813116685\1581924965" -childID 6 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cf56c00-e18b-459a-827e-2e0a345a263b} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" 5280 214a18a8158 tab
    3⤵
    PID:4368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4764.6.482573194\105979432" -childID 5 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbc87597-f445-48e0-84aa-454a9f60f093} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" 4996 214a18a7b58 tab
    3⤵
    PID:5016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4764.8.263704616\1931754168" -childID 7 -isForBrowser -prefsHandle 5660 -prefMapHandle 5656 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad487ea0-eb66-4bd7-be77-2da39ea85de0} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" 5668 214a35a4858 tab
    3⤵
    PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
16d3aeb94cd553b7a4f6c71217755e40

SHA1
8eaa22303d083a7d5c2b5a05dcb0df34c504565f

SHA256
542bbddc92a9ba61970bf466ffa2b6fb4b037339042a9f680e0c0cb37b25f0e5

SHA512
8ceb38548fdab8096ddd40c0e49a2f38dbed398d9ac7f0dbbd7bdcd8ad944fd39c2c46e9a34b2e812635878583b5726601dfa312a18b2bd8de0687a6e0c23029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
8776542bbb2753acdbb45ca9c3803ec6

SHA1
8dacb3a66b53c2c5a6c5a94f860f7eaa346c8bd8

SHA256
7ef3fe825bc7751d3d24d3cd5e179828e0c10688796ba00ea7718fd83cf1d45b

SHA512
a263c68f7ac00d6e3c5b4fe49ba9c6b56b7301fdcab018676e162e75c3340815095c4e3a697e238499d13da5152edfa784e7029a7bd8394966b68a7e1ada469a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0ca4374a5b3e02cb9cc1c522a9c73e0d

SHA1
e5b44f049a75b0c0b56fcad1cb082ff981cb708f

SHA256
528140826e0837a6f262e7947a34b808e4fee1640f88462658b0d5343a9305b2

SHA512
97449359e9d0799d4d263350333fef975c4c51769bf8ea4ebe45a6cf8db2075c9fbb7b530394edcbcd05e558404d6c0af2632922a215ec80995219d4c999f474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
bbec45edb11383a2c7676e544854c056

SHA1
8b8e2f53fb3ea3885919b294f74fde297371acb9

SHA256
706c9665a3c01734beedc71d53f24ae334d17a3f6d23f7e884d8d98bfe3a5b64

SHA512
df965f797d5a1d8790f3dfec79e1775fceae18fcf7d07ec194e2e9bcff11f7bf7426be8efc9bc5614f42ebcd021268e1c952816f1c7c45ad7c88b6c9fb9e7f48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
dcd8637f8306c1465e0e0a886c543bd6

SHA1
1471e493d1a93b98a89c0da5239a4dc5a40bcc7a

SHA256
a695baafbf9febe1cf7f50dc1dd354e2e15d7d11b0069ba4cf21979f38410ad6

SHA512
c3811f41e4907a74dc56bc84cb93b8cd3b2554c5a251c523a3759750169ea8a8270f7c965d8b3794218d229fe3513dc05548914d10c04096857adaf59e51eaaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a06bfe79c33125081f64822423483b11

SHA1
53ebce5f87a8a42817e7f35132d9495188458784

SHA256
3ca3e54f1edb5c35958622d1b57e9e0ddab7dcf29568ffaa804caf0c0c01f23f

SHA512
c9af401564e60c54929baaacdf8d8a7b425eb226fa3341bcc68185e81ffbba322a989861eff3ceac4937d3ba1a48daec0ac497d4d68b84557246f4d5a18afb5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a4501d83b129db95a5a820a857b99f13

SHA1
d270a23f4a1a5c61a6464d1d3747fa9a225a2a5d

SHA256
7b7d43a0bb1d4bcae2ffa9b8991ea1b1a986d5d07b640b8b8a64aa7eca0f189a

SHA512
d548e5dd44b4f726e93f445d0c3c4e4e226dd2ba808f1cc758c925a500107b48d5361cb9d3a54adb75cd0745066183df12c3ca451320a085818ce557354f00b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
59fe8889cabda7c3af665592bcda5426

SHA1
03e510a77e887b9de2afcbd50753f32f0580fa6f

SHA256
a252d4edcc459f23c561a0e65f456be86a85f0cc54ba4b60c1e5c5d6f83e4e41

SHA512
9b679accd15089c9a4f613c2d95528c691b5d791b8e9dcff864796bea48f4a5b7fe9976c313a5c1c2d7b8ba960d3bf4281b5a52d05b282899d39b5916c48a537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4b9e4488606993d49311fbc85c923ef6

SHA1
0f3f2c78581e8888edaab12d8eb145d289ac4fd2

SHA256
0b40124fe08fb64a8737732297812593a3da0de7146a56fbab0a08a4cc70ec17

SHA512
43470312594afcded2894c55ff0a880d01f5db7d03710f67e005762a6c3e50daf24cead437ba5723c83a8f679d00b7a4f9164bb79dc7a0dce57d7c81158e863a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
5c824725244fb1ca6061cd3dc335baa7

SHA1
082aeeef0030d667a03a1e48eae60a471d504cbb

SHA256
561d974a3157362424c687ffd9c9310c09efc1827c241463a4297fcd1d66d430

SHA512
e9dc5d8ec3877cd6af12b84a5f61d5e7054bc2e6feb6b71a6b234dc23aefe069d7d89990b8ea38784ec5b1af966801946b4ccae5fa6cf6b2f82a9ece678747b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
bf81e4ecaeda3cb4ba69fc6f13d0e0ae

SHA1
c145e919630f6580e8e2ffb487b02680bfd9ad72

SHA256
8b819b960753af8e7b1446ab1467d6aeee5d7553bc774686601108b2b767a360

SHA512
69592dd123fd3cd7a37db9eea3dd2c5db8150aa783aa36ef5ace3f1fa12a6aae1d06502b6784654e3f23a560fa3148a0b1f0fb35c584fca818dd5fb65d6ab631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
a72bdecec0cd1b5c3bea737bf0ce6128

SHA1
ac6a864ca1c2c1ebdeae8cf001d7b270d6badd95

SHA256
3cc92c9438496b85362fe62312c1714b086627246fe640327be6fa85f1b752f1

SHA512
a51224ab49396d0f3cc6bdb5a0e8418e6d477a6b7e1b544c38e97fe62698c65a4e2ee7bb4d06e297ba6528a4fdcb2f0d1bf22364ad9fd8bba260f70f4c9a1ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cswg9rdm.default-release\cache2\entries\569C61B7C5AF4CF1CD3C872D4AA55B34BC2D473F

Filesize
33KB

MD5
7cfb352866d86f6b6d74e2a1f9f5d5b9

SHA1
66056068470dd79271804a80ee6dbd3223030df7

SHA256
c4e1728ec85403f95a7122cc67bdba1f6492d4d04976e0797e2b3051ef0d1110

SHA512
b9a11d30b5bbd8ec3dfc995c1eb8702b3edace9f07ff362cb4289c86d655c5e99289b16bb99da0fff9a46fc951bce42feb5a8b92408852788921aa41fe5aad5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
98e3b8345e259f7490837dee462f5f42

SHA1
e3e8b28a530f5b165dff2800384a74e406806786

SHA256
aa3aa4dcc7610f71eaf312bf5af8fff5d76f0dfbdcb3206bed2b05ef4c482daf

SHA512
b4d592accb311b048b0ecf9541d7b3fd89d6dde4034a42d597c38da9cbe5710d7b3d28998a4ab7208a91b8b375fccc36245000fccc7436a3e9a1e5f67af78abd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\datareporting\glean\pending_pings\a5ff65eb-de8b-4be5-b0d6-473a22850301

Filesize
746B

MD5
bc76d096c1f66275f41fa2f214cb9500

SHA1
219bbe5a74d4394cf34a51c159a5d8bba9db3b10

SHA256
ebfe91642505d235e687cea28dc2061cc06d808b8def939e2317391baafb64ea

SHA512
7987e413c4b76f4b8e5d25eba19648897593d18c08d6be6823308c1404260aa4f8635b9bcd120b8e3812209ec7e4f6f5ecac1fad8258dba594774032708da9fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\datareporting\glean\pending_pings\fa11b706-af80-44bb-b16a-2f856287a715

Filesize
10KB

MD5
d3b38a5514f5de6476c1e4f48860bdef

SHA1
67335105704b141ccbe7a1e4f6b0021b5ddd5a05

SHA256
cd6b5118acd4461393da0f9e58fd1376a3642f10e508df7c1d9b9110121f1759

SHA512
7c72655537c922ece93320553b56fc3dd4f7223c3803deb1194f143dc38f2a70c77e9516aae8298ba05f438bed94095bf39013631ad466cdeed7f3031d4dd9a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\prefs-1.js

Filesize
6KB

MD5
41412b46fd014e058c5c16b9ae0e9502

SHA1
7e108a5b2cbe1a8d82a21742df9d42f5f3e2852b

SHA256
654ba5bcd1d96d46bd8d786571f9ce8ef64fd6a146811843108c3ebe1718e447

SHA512
27f1a231423d501ec8c3767e703779e5b45e9d59cff9a3c45c2cddbbf3cdbe87cff68709c07f9217e94d436748813d56986a67904ef9ddd1b1a0b1663918aaa3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
31654054551b79f2651218e756cea442

SHA1
734c44bef6ef56f595affe6f0f79df30b04d3eb1

SHA256
eeefc2b0edef73dbd6cee298486ad1b7b257adcbfb8904c4f0fdfce18597303b

SHA512
5cb601c6af05cce9f9edc8b4f0b003be56ebf2a65b0777b21ebc50bcb2d55f1f25c4d153d3cac8d9dd1b1a7c388b21962b4d0ff9954562c79ab0077fb6fab113

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cswg9rdm.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
135e00d13b61fb2325c02ee9ef3a14d9

SHA1
700e303d2cfe5cce9d38bf243e62c258905c6817

SHA256
e462879cc04d4a251b45e267ae87154288d1005ea8b099803c08d52a26c1290c

SHA512
7d8e2b60a693f39c93cac0539618171f89dacb4c2d0b681d0b55db1f76e823ab5af63f63d5b9e50e558ae322affadc94262844ca7c8f2bee445c823450451e27

Download Submit