hxxps://github[.]com/ScriptTestAdvanced/STA-Chat-Bypass/releases/tag/v1[.]0

Analysis

max time kernel
836s
max time network
1790s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ScriptTestAdvanced/STA-Chat-Bypass/releases/tag/v1.0

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	firefox.exe
Token: SeDebugPrivilege	2020	firefox.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2200 wrote to memory of 2020	2200	firefox.exe	28
PID 2020 wrote to memory of 2644	2020	firefox.exe	29
PID 2020 wrote to memory of 2644	2020	firefox.exe	29
PID 2020 wrote to memory of 2644	2020	firefox.exe	29
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 2656	2020	firefox.exe	30
PID 2020 wrote to memory of 1932	2020	firefox.exe	31
PID 2020 wrote to memory of 1932	2020	firefox.exe	31
PID 2020 wrote to memory of 1932	2020	firefox.exe	31
PID 2020 wrote to memory of 1932	2020	firefox.exe	31
PID 2020 wrote to memory of 1932	2020	firefox.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/ScriptTestAdvanced/STA-Chat-Bypass/releases/tag/v1.0"
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/ScriptTestAdvanced/STA-Chat-Bypass/releases/tag/v1.0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.0.1367185591\1603544948" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1200 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78830728-79ec-40b5-9d29-3bc4965de0c5} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 1332 11bd6e58 gpu
    3⤵
    PID:2644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.1.1756173348\698639339" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53e03a16-8b33-4cf1-83d5-2fc951d97568} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 1512 d71758 socket
    3⤵
    PID:2656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.2.1958161130\2093839704" -childID 1 -isForBrowser -prefsHandle 1892 -prefMapHandle 2044 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {244f9a8a-eb95-4640-8c37-0abf1cbd196c} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 2260 1a899858 tab
    3⤵
    PID:1932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.3.1076460300\263427570" -childID 2 -isForBrowser -prefsHandle 2668 -prefMapHandle 2652 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3545799d-f5ad-4830-bc76-2d18616fd273} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 2692 1c6b8958 tab
    3⤵
    PID:1172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.4.1583701335\828417061" -childID 3 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e9ac71a-3079-436a-b083-16fbb1544225} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 3656 1a870158 tab
    3⤵
    PID:1072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.5.1645789375\569148109" -childID 4 -isForBrowser -prefsHandle 3780 -prefMapHandle 3784 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00e3a8ac-37b2-420c-9543-2af2d7140bd9} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 3768 1a872858 tab
    3⤵
    PID:1664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.6.1805490250\1868116081" -childID 5 -isForBrowser -prefsHandle 4048 -prefMapHandle 4044 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {212be7fd-5079-4259-842e-703f8808554b} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 4032 1fb2df58 tab
    3⤵
    PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4749758,0x7fef4749768,0x7fef4749778
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1344,i,9395962598014929477,3912774115588997589,131072 /prefetch:2
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1344,i,9395962598014929477,3912774115588997589,131072 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1344,i,9395962598014929477,3912774115588997589,131072 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1344,i,9395962598014929477,3912774115588997589,131072 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1456 --field-trial-handle=1344,i,9395962598014929477,3912774115588997589,131072 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1444 --field-trial-handle=1344,i,9395962598014929477,3912774115588997589,131072 /prefetch:2
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1332 --field-trial-handle=1344,i,9395962598014929477,3912774115588997589,131072 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:3500
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140007688,0x140007698,0x1400076a8
    3⤵
    PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 --field-trial-handle=1344,i,9395962598014929477,3912774115588997589,131072 /prefetch:8
  2⤵
  PID:3508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
f03e7372e453f6c310664facb2ce5c58

SHA1
c93f68677ce7a98e9872b01e51b03b816b53ecee

SHA256
e84e9d09b4e31883d63045f82687bdfcb5745ff1faa2b8c42757ac11b4797c32

SHA512
16620753f037eee412dd0d9afa07bcb77e764a60662dd15e67ca3b484bcd783b71d3b672e9088232f65892f8a4082b99532b1dfaf8a8b7acdfa14216122cd8e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4a3dc0b97656bd8cbd2f90340d4d342e

SHA1
dd5dcd18abf84dce6007cc07acdd002278510cf9

SHA256
34e66bd99df7bc567a2965e46cca9b0d410668e5bb319f0448831dc1fd8f3540

SHA512
8467e2cbb65caa7e740ada0d664574f6fc71525267c5d64cb65841a2216e70b5dd31b1d1dacb9f6a3195455b21945240bb8bc66ea29f47e35502a7136ce05412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
02adbc2a15053a2bb622fd12f3dc38b4

SHA1
211b87f166f52571b9bc421d565b71037a3cd4f6

SHA256
93947ccd671c3776c20902e2542dc288ad51c236eb15dd8409425e26d590b1db

SHA512
d57085705641363a5e6500bcccfc570a3b84d89ddd768db50fa4853fda0faa52f9c9e2b6f629ea4f8f101be4dd1c6fbadac38e746fcb61f619051382f560b2f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0e25828559070941d75734d14cea2ddc

SHA1
a514e0a4fdaef5eb7bce94b7afc47dbbc8b29c25

SHA256
c0c9a79ad14120bfeea10e38253f7e91f7df417fd06191b36b23149fd77efd10

SHA512
117bcae83323a96133644653bd9cb9e1b8bc0f8da08026d525084ae13fc333dc8332e2db9d7f8c326c11a52aa511bf6f8bc18a27e28a917bb1ad994160e89136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3lcljf87.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
10KB

MD5
e92151936e14d38262339b3797634b09

SHA1
6ec2fd2511b3273ce17433c937566dc7f75f1a2e

SHA256
758047e6e08838dc9562d4f392f101bbf468d3bd98af800df81d384fe33e2db8

SHA512
53f44a8e874f1f5db15cb40761fdba5f0a95eb9ce3a6357dd09d956ca7a5c5b8ab028138d06b2d251d1422cd5cadcb5d68c86b1a3f884016db65f272cc50afcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
7a5c0855d7e992d3f7583c7e80e5c40a

SHA1
20ebd8c1d23028703c040a4ea06c8e7da53cfd08

SHA256
1f4c4f363e458c00f7ef3bd66d35a1b7dd19b9fef9e31cb3fe33662319f6c8bf

SHA512
b47fa41f6916682afd013c54142c6e0883ea115b5f9b3623da3a2b1274ff925467a930ae21e149c0626524257c88a8a673786fd3ba194ef6d5e3730af885e1d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\bookmarkbackups\bookmarks-2024-03-05_11_PQV74YXWk4VZYJg7MgWBUw==.jsonlz4

Filesize
954B

MD5
268cfa064fcd581b4c7a6a0bc8217a19

SHA1
6cf5d8726b4e764927eb8bf834a984c690f2b8db

SHA256
a7a80e2fb69facd010be0a7e5dc2b65f5b603aa561550b53753598f43431ccb5

SHA512
b6ed7e6e80eb8f09d9f6e36fd803e62cd717acaf820480a27d4c902510cbc68c5c9bae413fd0f8d786ac824bd7aa7439fdc714fac7f6264902ac5e89d0f58fae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
7aac3d87eb79fe9cce3e530f364046e2

SHA1
7b201051f267cc59be6fa72f0bc9f3d71ee1fec6

SHA256
0ff74da1faf9f642b46299b89744d9e50d65507b41a4b66b8743da1e087b968b

SHA512
332e73d7098918372a367fca0b16a097a518d52ceca8a0b1578f40d03836795c1c9746be0c0971a84bb190a36e0ef5ae7c72c4cff93dffa971272423c32ea762

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
38e04f8ddbb81d94a6696f1bca05068f

SHA1
ba5c7de4cca3ef91368c6d8070dcf1f4845a3881

SHA256
0e0e2244c810784d46c2635bb0e8a344f35a82448eb9a3a5b00828567685d4d6

SHA512
c0e5b07a199a7ed76ff73ab74f438947c112443c1ce9f9da441afb822ca8fdd627f17e98e77ab22adc78f826e66fb6f119e97f3e9db6b74577d45541b2afb24d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\datareporting\glean\pending_pings\c6712c7c-4705-452d-b7ef-6f801e514634

Filesize
13KB

MD5
fbc2c2179d3a930e107f866debe012e0

SHA1
f0a8ee785f177a81a42d6072f1bdb7ca4b653052

SHA256
63d6952b44c668b34ccc4ee2a892740b493f5e6ebe8dad0156844031060afff8

SHA512
46294f21bdffe09b4240ddf63d3a641cfb222cc852b124f5362a8e770abb35f885f3cf9d86f6930500f2245150640b8f19967d88fb9ab4a3475a82b4065d8ca6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\datareporting\glean\pending_pings\e111c1d5-f74e-49eb-9fdb-ee95c9e8e847

Filesize
745B

MD5
3fc06b27c914713cf2397cf2901665c4

SHA1
3fdfdb30f0a7e426ae7359b52fad105e7fbe1a01

SHA256
234df5f6fa93f9d5ca444ef099a7b467284692f52ec0fe4185f2587dd56b168f

SHA512
ba4664ff7178fa69eeddd3ec868bea0aacb52d035666d0b90b4efa6bf69fefb226c031c11aaf9c11904d75aeb0f9d3f232d6a09f43eabea9a44463ac98f9fc66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\prefs-1.js

Filesize
6KB

MD5
e35130c2bfefc49a12e2d3262d717a45

SHA1
8bdb37eb31f089c3ef6c79ebf342737eddba0779

SHA256
eade6bb5ec1a979e49226ede758c6fdda10caa45538a3c1bb1686c571f911ea9

SHA512
4cec95b8e13852333a3f1681b1d7f7100d79f935eb0021549c7ad44a81dfd3f55a4f526ed73ae639cf7accb77443b75dd3d80d585f0e9a0a3a2a340592d58c35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\prefs-1.js

Filesize
6KB

MD5
73be0f7115ecfe014b920fc9c1bd127e

SHA1
14fde7c678f5af96ac88231a25123883fe9f988f

SHA256
9113cf5ab050f4ff559da3a11160f69411a93e1d33ecad8d0bd3e166bfc8954f

SHA512
ec7d642f5753c26c8993bc817224bad84c74e6425ea0c03ce78e94044fec59c1fc46ea85500e4a8709b33418560c620d066034a8ad4afb7f7486db6722a5e90f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\prefs-1.js

Filesize
7KB

MD5
c7716bcd25924518f1b4dcc479c0cd71

SHA1
5fb3b50a84654ba9f2d0854a29b4957daa7dd8ee

SHA256
050ad4469cd24a48c828ea2cc277c60a3ef6c63b950f1c333a51c546d27e9fc2

SHA512
3e539ece7a1c35186d889bc7d41c3055d3a710f8f839968aebe312f6273c8664d5267667530b9b702f914c2a395a9a9c8ca9c0e42b37c5a454d737ff62680a28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\prefs-1.js

Filesize
7KB

MD5
f76d0e05cd31d4c207a6e3450fe2b55b

SHA1
f188b123c07de0a13baeaa520b2cb7ed38ebb82e

SHA256
75d1adf9fd520ae3430792abb28c60135a93c6e699618fad1353fd8eaf17403a

SHA512
2b8b98388219442fcd20f685fc2b765e8c9caaa3923bff35ebb57fd4dc23e80965bf7e30b40527259763ee3efdbf9fd041193fcfbfc3319b0076ba2adbf85e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
546c994ffc117022db39bd8a874b0ebf

SHA1
551363113439d32e5837db0af27649364d71bacd

SHA256
0fe8301f35641460ea9f22c48aec0c10587fb40046a212d42f18656af353f26b

SHA512
cf8c8cfdf8a1004b6fcd2d5b0d156697c6ecf130e6ba642891062b53ee39f3c026f248968927f559a8ae3722922f3645915568094684317919b0ef42deb90171

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
5b9a559ac9cb4ecfa4e2e90e26ee8034

SHA1
7515c551fe9d764a7412c01fd4ebe264073628d0

SHA256
d865b2c17ce8267840fe7c2261ac5b7bf879e2386313e4a071ee2491d32b237c

SHA512
e95da4a265239d4209f444185109d5de4e916deb5b652bd3e809d31ba4c06678ab711eab12480ace5a401ab50cf46d074384733330936d28a5cd10cd340dcf86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
3b751beb161fff54fd1e0113f397f564

SHA1
1951525413159202accf0878a57f7c3119b15e66

SHA256
83e12d0dd07d3204274a99567108b59b0a2c93b1d691e9bc0926205b0b7d1c20

SHA512
9256f1e76ef5abd781f7e462267ca04e88f390153c3d0a447c2de175a8d9388a04e14e96e410241e2068e060ca431a42e0783ad08ce3b3d55e569e505fa70959

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3lcljf87.default-release\targeting.snapshot.json

Filesize
3KB

MD5
def5867cd34c3fffb1674dd4c5a4fcf0

SHA1
0c0bde0016abb3ad6c54b7dc1dff2d0c36d0dd75

SHA256
fcd2ef99490eb5684d31fcee01b7f08263f9cdc2052b416e0d912aa9a946e9ab

SHA512
0c72f41fee0846825540a08ae66c6c91817918e6f2c9254cffe0d9fb381c81ae7f406a93cb8595dbd1012a60bb4b6de717a6635559a5f552f78f5eec11d29462

Download Submit