hxxps://cdn[.]discordapp[.]com/attachments/1226930708153630771/1227768582419644448/JG[.]avif?ex=66299b98&is=66172698&hm=34e1942120d875d0f67db50092ac1483bb5593ce04850ae5389f58b9564d62a1&

Analysis

max time kernel
55s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1226930708153630771/1227768582419644448/JG.avif?ex=66299b98&is=66172698&hm=34e1942120d875d0f67db50092ac1483bb5593ce04850ae5389f58b9564d62a1&

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133572668901293964"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{BB14B97A-F793-43C9-8C9E-470A25C35E55}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{EBA41E66-2753-4241-9797-133200643039}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1952	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeDebugPrivilege	1848	firefox.exe
Token: SeDebugPrivilege	1848	firefox.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
1848	firefox.exe
1848	firefox.exe
1848	firefox.exe
1848	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
1848	firefox.exe
1848	firefox.exe
1848	firefox.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1848	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 5072	4612	chrome.exe	84
PID 4612 wrote to memory of 5072	4612	chrome.exe	84
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2352	4612	chrome.exe	86
PID 4612 wrote to memory of 2120	4612	chrome.exe	87
PID 4612 wrote to memory of 2120	4612	chrome.exe	87
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88
PID 4612 wrote to memory of 4028	4612	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1226930708153630771/1227768582419644448/JG.avif?ex=66299b98&is=66172698&hm=34e1942120d875d0f67db50092ac1483bb5593ce04850ae5389f58b9564d62a1&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff968219758,0x7ff968219768,0x7ff968219778
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1884,i,11786016935208746914,3175564782064122292,131072 /prefetch:2
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1884,i,11786016935208746914,3175564782064122292,131072 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1884,i,11786016935208746914,3175564782064122292,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1884,i,11786016935208746914,3175564782064122292,131072 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1884,i,11786016935208746914,3175564782064122292,131072 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1884,i,11786016935208746914,3175564782064122292,131072 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1884,i,11786016935208746914,3175564782064122292,131072 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 --field-trial-handle=1884,i,11786016935208746914,3175564782064122292,131072 /prefetch:8
  2⤵
  PID:4504

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3248

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1952
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\JG.avif"
  2⤵
  PID:3888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\JG.avif
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1848
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.0.534843941\1587213955" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1576 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76519fa3-45d3-4d5e-9c11-a3146c11e3f3} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 1996 238ebbe5758 gpu
      4⤵
      PID:1468
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.1.762123630\512275543" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2d89e22-d2aa-45b1-aeba-4f0799ded8f7} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 2420 238ebb0c058 socket
      4⤵
      PID:3772
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.2.455328989\1091058002" -childID 1 -isForBrowser -prefsHandle 3340 -prefMapHandle 2988 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {106cb1c2-7b92-452b-b03f-7005b253fb77} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 3208 238efdde958 tab
      4⤵
      PID:2252
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.3.1002876538\1531653646" -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fc87051-744a-4c04-8d22-142f86d711f3} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 3712 238d7f62858 tab
      4⤵
      PID:4400
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.4.865721452\2132369627" -childID 3 -isForBrowser -prefsHandle 4604 -prefMapHandle 4592 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {315afc8a-fd49-439b-a32f-ce726a56c8bd} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 4616 238f17d6358 tab
      4⤵
      PID:5460
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.5.874113477\364568069" -childID 4 -isForBrowser -prefsHandle 4788 -prefMapHandle 4800 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b1fb64c-08cf-4c5f-afd1-48f1f48daff2} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 4844 238f1a95658 tab
      4⤵
      PID:5552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.6.1309236204\557082180" -childID 5 -isForBrowser -prefsHandle 4784 -prefMapHandle 5160 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a451a53-9c9c-47ed-98eb-1d5a5e1e0f5c} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 5208 238f2977458 tab
      4⤵
      PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ed32b2dbd601a58b3bbb577c9e8a7eb0

SHA1
067f3ff3a3a3c0cd20b0d39c9043c46ccffcc44b

SHA256
0dc908cab8e848dfd66a3cd2050bd8e5725b05a30bcd530efd2120347672a4f2

SHA512
4962fd8e44431c8bce70a1ff86e9783a159d5a856764c51c213f460742120de9b8f6c3f566c38402bda9ea024082db5f8c5bfd39cd0242fe7df3debe717259f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d628a37fc5fcb70c44ce205a729d4388

SHA1
c0285f7e4f820632f244ae29d70755d6a73ee951

SHA256
00fb487f630b3a38e0e97cc5daac37e5f43601da8218da42e08c588808863676

SHA512
99234f0fb4f102e867e0db7230e691730f0170952b5fde057a96d77bfbca212971329e86c88ea798d911037dc0fb610f7e043428cc22f742ca9065c1853f6b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
3dd5d6be71aa4a87df03f6757970f099

SHA1
5a021ce909b65d12e969e75f77b99b3f2f3a4e3c

SHA256
6565b543345a473067126e198c877a780aad8f2d966bb16e68af5e8cad4ad22c

SHA512
8763ceaba2776a543a2c06c29a49a45c24bb9d1463a82857bfd98d862537da17865ccc559d7a7a9b26a04b42eab16cd289f64c7dcc5f787347b03973659f4d29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
79f1f267cb8dff0177e9041e447e9b04

SHA1
cba2f7034caf7218d1469a95bc122f6b034c573c

SHA256
c41c0b18cab8110a67ec9fc0e7802236e10765da1e48b8dd97c97e91267c46d7

SHA512
694e241c7e1e99f46793eba78cf4afec059645cc64f43d00e3b8270936f2cf64dd45a55270df895ff15202fb43a510550ff6d77a2c9d6e526ecf9b31c10e5da8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
af712f6cdf7a7d1cb2e89d9c7163f3a8

SHA1
94e34ef73d8cf48d23ea8e2e33038d59382f6b3d

SHA256
5b8e587400cb64dc3bd2c1c24e379bd7437bd87591dbe100991881a944fc1ee2

SHA512
6d37266c3a8fc4e093b638b90e28afd5e4f4af2bb29af78e07bf623ee00f7ded2c58ac09c30a529cae165ea5d79bcd6534f2e1545bf914ddc834d3fa25d24a5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\datareporting\glean\pending_pings\1c558673-25f0-45ca-adb9-867a639f7e1c

Filesize
746B

MD5
7359e3958378829c7de46254f1b4ae86

SHA1
a8c625415a066717d35b35d3304ea5ef0d2c13ae

SHA256
997dc47a98e66923540f5d73d126f0b2f52a66c53f8a38a151e7ef41667f343e

SHA512
5f95546a92974f88f156555e3cc86956eeb715b6c112f7f57ab73d5867887848f3984a314f5cc22e933d0d537d25d5c1552a010a61590d8517a81e9ad16e70ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\datareporting\glean\pending_pings\5d10cf8c-0ae2-4737-bd4c-28356eef648c

Filesize
12KB

MD5
8a69631b6203effda5bad8cc7f54157c

SHA1
b59e9ddf20619c2da447b67dfed5173bb52ae213

SHA256
1340a7f9c113ff04c0f4f276f823d380e440f2befd8d4ed434543fcae9a248bb

SHA512
d6869a21e97d6289a7c54f4b89dc1b494ca18551e590a1a94828234ce308f077a93a614fe354b2284d63bae32df88cfe5d732902e92873a6b8680de31cb66609

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\prefs-1.js

Filesize
6KB

MD5
249ecbd84b376c32f96f53fa5ab7bd06

SHA1
29ec82389971c5a27f0d5a478415fab3094003d2

SHA256
ebffaae8de8ed48f4aa519f76552ee9db443e52bac062c25713a56ffc26825a5

SHA512
376ffda11a59416a2ea79f6fb3e49bdbc00a3d4077ddac036d8ff626f852193fc67a59e443b8762f6763f0af51169f7cc97190548e07139d7fc44aea081b80b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\prefs-1.js

Filesize
6KB

MD5
8158b9e9567b0a433a66a246f78e22e7

SHA1
732c6bf998feb626c3ee642b76dc813509b76b6a

SHA256
6be3719daff6e6a0fd1ee44183387d776dd980894cf6d072a64347fe4d27b193

SHA512
9ef10b2c1715ec0f686ee14c31608c4016d48631a906fb9b4d1cd5aa3b24db4c7c17b5306d2677d685312d973c17a7750b3a81261ab1250c70477ceab19e082f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7630b938787d5067e572e00e047853d6

SHA1
b074797c5e77cc6feb2b8af3e960aca803fe5f0c

SHA256
14edc6824d8ce39a216b7363cd8638b438e78dad885d921655b57e2f11f6250d

SHA512
927763a3a104c66f20a652b7d7abe6dbb4bab73de88a7e373b97d6fce6c465e60ba07baa0bd01fcb0c4b5956fe860fa0e705e081823bf74b6ae30c35a37e5361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
45f94f47245f1dfea4b5fc0cf410a803

SHA1
97c21292f599e7e37600a43045d7bec766a4c6eb

SHA256
1bd5d07c0a290c80fc0fd294dd91b701c93d77417e5acfb2f549653896583c02

SHA512
fc65a353e652a5d7737af439dbd46fd8d31648d924e1539ef2265271137866c06ad638874e96f834a13afb25323239849c4abe2b24b0a1ec3db92ebe7adb427d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
e1ed536cfc21b22b57a06e9ecba9f29d

SHA1
39e1db80cd151ae7a4c4ab3c4f65e4901111dd4f

SHA256
631df0a6e68939040d63af0f14c48145e56d60aae69275e37195ead31b2c3a92

SHA512
4118df4d667ec8616fd7a36558abed1894af3a4e7f246e764777ca21d0547fd299f02d7492311a040b8a9d05302b497d261b8b14ac5e17cf81bc3019465a90dd

Download Submit
C:\Users\Admin\Downloads\JG.avif.crdownload

Filesize
107KB

MD5
33100562196bedb2d30b8273dc7318db

SHA1
29780a6e850e1d9da1b721e75803cd9b486c9813

SHA256
29a040fc62d18b032940379e7aa368ec2c2ebbc31b3d0d17116e5168e4cffcbd

SHA512
49966356670e77be248be62f7e902f5e355c99ef841ea1b011d80ab632d85b2f34f631abc76c3937f14a926a87de9a1705113f63ce5929273d751bd189a2a9a8

Download Submit