cfeb28037cbe8301b0412ee90d5a85821c59234444ccae927fc3b720c3a66d2a

Analysis

max time kernel
149s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FMBackground1.jpg
Size

65KB
MD5

fc0dc4b4ccdf6828736bad5b4172e455
SHA1

04f2bf78038d2a228318ed90deb77e2cdd8da50d
SHA256

cfeb28037cbe8301b0412ee90d5a85821c59234444ccae927fc3b720c3a66d2a
SHA512

6cb3b41833381ade38b26c6c8c934fae4696ded819510245cfb04835ed8263884ac3c0caa5b440f4855ce66c2b50098fe333711e86d7666ae19abf00dea4eef2
SSDEEP

1536:TjhhyHra+S1oz5zWbusxhWzCF0zV8w5NTSXUoqMVTBqomB60zr:TjyLBSG9zCuUhWqwuwfSrqMVE1

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
141	camo.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580360003445179"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	firefox.exe
Token: SeDebugPrivilege	4848	firefox.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4848	firefox.exe
4848	firefox.exe
4848	firefox.exe
4848	firefox.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4848	firefox.exe
4848	firefox.exe
4848	firefox.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4848	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 2228 wrote to memory of 4848	2228	firefox.exe	90
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 2500	4848	firefox.exe	91
PID 4848 wrote to memory of 3388	4848	firefox.exe	92
PID 4848 wrote to memory of 3388	4848	firefox.exe	92
PID 4848 wrote to memory of 3388	4848	firefox.exe	92
PID 4848 wrote to memory of 3388	4848	firefox.exe	92
PID 4848 wrote to memory of 3388	4848	firefox.exe	92
PID 4848 wrote to memory of 3388	4848	firefox.exe	92
PID 4848 wrote to memory of 3388	4848	firefox.exe	92
PID 4848 wrote to memory of 3388	4848	firefox.exe	92
PID 4848 wrote to memory of 3388	4848	firefox.exe	92
PID 4848 wrote to memory of 3388	4848	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FMBackground1.jpg
1⤵
PID:3092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.0.1668607497\1319014237" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1732 -prefsLen 22035 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d71ca76-11a4-442b-a3e6-acfc2bb5cc51} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 1832 21c4720e458 gpu
    3⤵
    PID:2500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.1.909519939\1899588068" -parentBuildID 20230214051806 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 22071 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07b5ad7d-ea47-4dd2-9057-ab5d0c5f4733} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 2356 21c3a586b58 socket
    3⤵
    - Checks processor information in registry
    PID:3388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.2.1140585428\548890223" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3084 -prefsLen 22109 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {983b0e16-9b53-4ea2-b91c-87fb0927a0f8} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 2864 21c4a00d858 tab
    3⤵
    PID:2896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.3.259437332\1410467908" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 27575 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8035ae3c-8efa-4155-8cf8-588f4b96d82d} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 3588 21c3a541e58 tab
    3⤵
    PID:1472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.4.398277565\736772171" -childID 3 -isForBrowser -prefsHandle 4048 -prefMapHandle 5080 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {649bf1be-d2bf-4116-8913-ef611f9dae4e} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 4824 21c4ed99858 tab
    3⤵
    PID:2380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.5.599091477\913846257" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5288 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74048a78-8ea6-4cab-a3ab-ac272172070e} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 5268 21c4ed99e58 tab
    3⤵
    PID:2032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.6.1001574980\1955103607" -childID 5 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b611aa5d-659c-40b0-a745-fe52b7748e88} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 5392 21c4ed9b058 tab
    3⤵
    PID:2040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.7.1346284445\19529910" -childID 6 -isForBrowser -prefsHandle 5848 -prefMapHandle 5960 -prefsLen 31085 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4e2bdde-984b-41e3-827f-85faa3a2442f} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 5804 21c51c63e58 tab
    3⤵
    PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb71d3ab58,0x7ffb71d3ab68,0x7ffb71d3ab78
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:2
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:8
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:8
  2⤵
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4160 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4344 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:8
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:8
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4712 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4080 --field-trial-handle=1872,i,5771221414282907514,12855984633204363572,131072 /prefetch:1
  2⤵
  PID:4112

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9cfc980b78008ffd4a6b90fbaf4c32bb

SHA1
7f923e71b87afc4f3bc58067582819b6dde02bed

SHA256
a0741fcb7e35943c417bbb52d9469c155675dc0a3feefacd7eea6796a5e14799

SHA512
173fdb401634fd26e1db927e48104c4f650cf67014ac9e6b869bcd52534c923e23de805a1471edb10da1f0fde1de205ca2de77e13d4eaf761d1d7e711c097c71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1a6279b452a6f9db4d07a689f7ab5b40

SHA1
f88de21209e2ecfb38155a7e9f799bbfcbc28c6d

SHA256
bc2bf43fe0180d64e3410927ed4e5d55b6562f9e21e4abdc3a3b56bff12ddbba

SHA512
b801a07f0077b90d55cc425db272f80f3b6d8a9017ae645b3f84ee04e4f6a3ac607a5a759fdb8afdd9fab2ba2cf0d2feacc37750818d38f23004688751d60ca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
36929185a0f09506abb2c6999f83f264

SHA1
97caf2b3cfdff01b8976ea7d59ba2e30c94d8f1a

SHA256
df9fbcbb89dbe87a94bcab3a72a05010182493f664fdfd9cdf28595b6c313a73

SHA512
c9cb3bb9f976a34f6bbcd70cd9745486ecaa947346321ea538270bceffb88e00c1caa9a7b74d384aaa9de14cbda7fe4874c76362bf5940d29dee8fb1a3546d19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4776894faf93228601afe6c1dc8b1773

SHA1
e0f3dfe192f5faa99b3e8feff8a3d80d42f3dc18

SHA256
adf6e961cf54f1c3750c11b13091ff7c84ab1587133276e68173d802ef69705b

SHA512
2cd6ba678573abdcf07c59333dc0d0d18877c5e91e98dab3b1ccfe19b79809aa89747d6ece91421031a54ac9056e0b6d2131e598d71e747c9d20f8f89bb07e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6c9892b7a66601441420f745ccea44b5

SHA1
8ddda186193e7fe16b20607fb162a22452020c08

SHA256
413d4d3f08af112fb1673e65ee6262bbb870bf8984e49a286c4417cc5d1c6b90

SHA512
dbefbbd37fccb851931fd8c94eccc9c27505cec849f04c48872e67dc920669fb98785c63561b384ac73137eb29ff3362253be97e87316132388fd22f59ebd2c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b18ab4f798962a7459f65beca6fee199

SHA1
fb9a33c5eeb154d3a0e1516b2d9d677a4a23027b

SHA256
03f4ce4b6c632d44536ccbdcc23cc574e8facb415dad3fdee5453c4059a3241a

SHA512
896b7dd0be031fc28edd05ece42ac09ac840abbc79a8dcb2a33eb7fb9fda72c376496ce049623a16b1a5e506f45a38cd62ead1c3337ca7d3881438ef3eaec073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
5fde2d5da359875fa29fdd344b7b980d

SHA1
1549a89a393fa0c0d9ced2278c339260620ea423

SHA256
092ea17354c02104568cc2b1e8ffe4a3764d7c37f2a5ed62196eb0b9a40a9b80

SHA512
eee135675f6d9ea9748c318be12307a54aadb59a58f19a5dcd3c1ec812b4e1ced363f93a88433192daed8c73de04ee6f3629bf64ea8235a128f4719e8f7a5871

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
26460f1efb6660696a961f52a1c07367

SHA1
f2ca1be9dbde8c39434ee603c74e4596c6fee44d

SHA256
517005c25e08bf8fd950a010ce03d63fcd522d3ac4842d5c3448a3052a20d660

SHA512
b73067f9f4bd46a87417105bb0debd456d92dc806bb9c4d9cbfeae3a68d400d6e6a190c4cfdc4c2c390bd6159a09d57168a5cbcc80d8043b7b337c3a2d4e0896

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

Filesize
13KB

MD5
1e71d4a1a9ed40f0454f94c418462642

SHA1
d8067505cbc675288eb309295cede10fc7c0830a

SHA256
175b8d2935f5a23df6cff0b96ab4d42fe92f705ec2408db09390c0eeb977da0a

SHA512
1c9e6a40b5455f588c3ca20e3fb7a787331888bc7f23785fef951a343bac7941b307b2e4c836bfdc016b899087c5cba4d53962e1a1bbb56572a41459320a0160

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\prefs-1.js

Filesize
10KB

MD5
929598c9714c8f413b702fce97f7dfce

SHA1
dba1fbaa506f0ae0c0123488e3aac50e21ae672c

SHA256
cfbdfc5738708dc71359d8ef94de8752ed550d8c90a777e0ea45438483181267

SHA512
70d869f846a534ec7f5772bffaddbc6e1b64c84ea0b9897ea4165b3f98c505a17fbb199ff83df05505d83b703ccd2b69791a21aca8d8655effec3e76bf7348e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\prefs-1.js

Filesize
6KB

MD5
af37f7a253f074a77b08dea6bd66f3da

SHA1
01e5f9c68cf17faa8ada2865477a8fdb68377fc8

SHA256
21b9371d27197452a94df192d0780a4dbed2cc30277ecefbf8e78c773ccf5e37

SHA512
912c28d7d22c4a478a54826439b04a8e989e978128cb1c38f457d25ee1ceb5c2a02fbe5fbf679478a1d11d1180e6e177c084b0cc0a9ae98e0d5543867376fefa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\prefs-1.js

Filesize
7KB

MD5
8745a7dc59e9f63cb72007335c710534

SHA1
07abb84a57b7677e7503e6f317bd32e6760a7cac

SHA256
632e0a9a9c3591a9216df7a04b21dcf61fcbd6fb48b7ac8acc9d1db3974719f1

SHA512
2e4168e20d7f1ed02e14a7789fc419befddf33602f568f0cae796acb5fd22550b050e677a23eee7787e159676cd23fea417f260812402919f0fd2e2afb6735be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\prefs-1.js

Filesize
7KB

MD5
0f0f97a187ee07a233de8a4355625080

SHA1
890c60251495c48623a71f9302dd0274a358e0a4

SHA256
cfeb79439a2cd3a7b6e2fcf505ae3cdf87cb2d3a531c98947923e8f46f5fe004

SHA512
391ebdda12f69a0a47e987e683ef8e0c783c022112d9658136e8c423d4952dce6afffd8d92190ed01b034186669b08447cad55bbbb6f7dad1dd97a42d08a3465

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
49bf7918125d81fd387233c3ce8ab7b9

SHA1
dc82ca2fd992959a38f2d5849f9b52e90248a304

SHA256
c01284daeafc0cb040649f18491c361f9be479e5d1e5cbd572975cdfeb14b81e

SHA512
4072d529bf8649cd4246312312cc2957a3546d90b39cee7bd8a5ef6f9204fcd35cef912cf1fdfe52de79d6fddcd001271dd1196113059b2a172c393b2d13aae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7ecd0cf147618980f8e5d314af419dce

SHA1
23b6e0fa464f6dc462a7101aa7f2fd7f08ce11b3

SHA256
153a73f7abe2b35d2af8f12453382b9619670e5a3d4c05bc71a2d6db1efd52e2

SHA512
54afa0830cafe1b4b63af1b789822c7042a7ab3e1b36485ecfdd3be0a2a3a6cf38f07b84801f7273957766d2efbfb27f5dc987ed8e07331c35c68083ce750ba6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bcdi3zmp.default-release\sessionstore.jsonlz4

Filesize
10KB

MD5
a17508e2b5f4fd2a9844655eefae2875

SHA1
c2c06fcf98b77db76f7d9a5e2d823b86e95baf4c

SHA256
d0cfed1bde2c901056b94b4d95fb7c908c8bcb05c3c1cd65173144a5189de230

SHA512
7ae67846a8e90f4864b977044ca678be60e184714d7e766fa31923d636e329647b2a633a238b096bd8c5a08fee8c604fe6deb0c9a005e544591e236622ca2273

Download Submit