e7fef8cf84638066b0991bf6a6fd8842e35ada8a0ce50f9b51afc390ab0c3a8e

Resubmissions

01-05-2024 17:14

240501-vsfj8sbh7y 9

26-04-2024 18:08

26-04-2024 18:06

26-04-2024 18:04

26-04-2024 18:00

Analysis

max time kernel
146s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
26-04-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.js
Size

82KB
MD5

fcd9409e118563034437873e3970cd41
SHA1

c1f415ba7edaf4c36df0bf551c208aa4361f9e0a
SHA256

e7fef8cf84638066b0991bf6a6fd8842e35ada8a0ce50f9b51afc390ab0c3a8e
SHA512

2ae93aab56e51eaf891017531a05f61b6b3efde4c64210663ec256b7b839b17c204d281506380cc5ed388b2a0bdd1be5d52caf3093ae4c52779729f8c91026f3
SSDEEP

1536:zqcEYq4NOFYWvjpA8KQkeSVN0NtsJtkt0xo8J:GcEYqmOjpOtS0j

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133586280803669378"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1424	chrome.exe
1424	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeDebugPrivilege	1652	firefox.exe
Token: SeDebugPrivilege	1652	firefox.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe
1652	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1652	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2480	1424	chrome.exe	84
PID 1424 wrote to memory of 2480	1424	chrome.exe	84
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4772	1424	chrome.exe	85
PID 1424 wrote to memory of 4604	1424	chrome.exe	86
PID 1424 wrote to memory of 4604	1424	chrome.exe	86
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87
PID 1424 wrote to memory of 3704	1424	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
1⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe5d02cc40,0x7ffe5d02cc4c,0x7ffe5d02cc58
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,15276450539973862991,16463700750264721348,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1840,i,15276450539973862991,16463700750264721348,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,15276450539973862991,16463700750264721348,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2352 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,15276450539973862991,16463700750264721348,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,15276450539973862991,16463700750264721348,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,15276450539973862991,16463700750264721348,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4288,i,15276450539973862991,16463700750264721348,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4336,i,15276450539973862991,16463700750264721348,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4428,i,15276450539973862991,16463700750264721348,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:2804

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4716

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1212
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f536dcb6-ee14-4da7-96dc-5e8f9b12344c} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" gpu
    3⤵
    PID:1476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 25495 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afcac312-22d7-4c8b-8ee9-0657c44262d3} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" socket
    3⤵
    - Checks processor information in registry
    PID:2296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2920 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3288 -prefsLen 25636 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01c4261a-8e46-4893-a682-bfc0c83cb73d} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" tab
    3⤵
    PID:1848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 2 -isForBrowser -prefsHandle 3048 -prefMapHandle 2676 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f005176-4dbb-4ebd-91ad-6dc0c6003e04} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" tab
    3⤵
    PID:4148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4820 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63ad7b34-e8c9-41f9-8f87-34c9c74d9ba6} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" utility
    3⤵
    - Checks processor information in registry
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5192 -childID 3 -isForBrowser -prefsHandle 5132 -prefMapHandle 4800 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb7bfead-4b28-4f4f-a60b-17c0bc5f3a83} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" tab
    3⤵
    PID:5612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ae3ed11-9f3d-4bee-8a6f-cfb35e4c220e} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" tab
    3⤵
    PID:5624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 5 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4af992a2-64ec-4a3d-89bd-04be1a06d762} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" tab
    3⤵
    PID:5636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 6 -isForBrowser -prefsHandle 5876 -prefMapHandle 2688 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cfbb163-60cb-4b12-b26b-a0d4674be21d} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" tab
    3⤵
    PID:2620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5200

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4924

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
680169578f628af4c40aeb056a6bbf52

SHA1
e9621d3773c02a829b50025e1709d8757888b2d2

SHA256
b7c4054dadf5874f1201c0d2f4650258c111ecadfac135f9a5e9c6fb548e19cd

SHA512
cb32d3c66cd6b7b4ca78b155f21febe6462682191966be58e9b14e1fe52cf1326eb489a16c031916341862762d5a168490d5804c98587f809cfbaf2a50cbdc95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d2b3cb1068fa40e7738e37b31c72cf25

SHA1
3124e6e5716b49fb02b75c5bebd01b067cefdf80

SHA256
77130e24dde8e3b6477d52193dcea33bff70bba090eca94688f9fd7d0b036260

SHA512
afda469152344871041780fcb6fb836de2bf2fa87cbefc8d29af13ea2a97721b69780ebf6f44f1407f48c2d1d431d808dff0ba30846112bf354febd2e6466312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
224cc28422255787c37fe9fc1250ca80

SHA1
1bff69bada52e29294d69d6d4129319d9c83a129

SHA256
05b099a3ac2dcbbca15ee40b52bd0d018a2cee725355c85278eeaa35849b413d

SHA512
3160cd6a76320b38e96fe44feccb8ac990a570f984146cc3ff944f4e03ba7932e4eede41ad799393d75c057baa234bd340fba655c2281f86eb5961dd87ef6314

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8c1054a8b01a6884cce7b3b5004934f2

SHA1
6b65418c6c4cadddab50b7293702cc5eaacf17c2

SHA256
de56a50e951cfed86704415e0c067cf8f1b9bdc1ea916ede643a215b19d0eade

SHA512
7864b59a6659666d564463319771ef67de67d6477890dfa826b957a8602ff968126e2b667b287db4c2b751c07d5cb85a2c1726ffb2b12e59ab063304b9013f10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
d992db3dd9892e5512e204bbc3028053

SHA1
bf783fdc33b396ae2c9f1db7fd15b99bdac5b21b

SHA256
b942fe8cf2e6d9b0927af42e5ab3672cf8917d12e9de85ba083ef81c7eb77f73

SHA512
57893461684dbfd6bfb9e4e2447c6850b3b3f7205ffb2e201dd9b157bdae932189646a2ef1765c0fd8b093bd8bb40f1afd9923ba91b8268f0cb058ec71b5a300

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
3432f069934668f208c68358f57e4bb6

SHA1
648010f7876e96f77e55320044ab14e1ad15ae17

SHA256
4bf1384e3369fc42a6bbe1fd2aab1205d9a980bf2af03ca18b0aac0dd86c0f05

SHA512
229f9eaede25007e5cd5643bc6c5abb1bb7e33c11bb611a19c7dd0685a25c83dc92fa2e1b03e06540eb24954a7e1761df1614cdeb14d3325c5ae624f7f52f882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
62ad5fb7035092b1dd80e878643d1173

SHA1
2e2a8af108344f1318b63bbdf263193f7e19e5b0

SHA256
37b662a19ea008a41820c32881e261ba39904b4177b514c6b212d7a7b12a36b8

SHA512
82affa999081a31a582f2a38ede74e0501b8f4c4bacb2f774c539dc1a7338a8cf9e038d145f242b84fd500baf69a5fddcb984ffe8287052c9f54e5ee9b9d3a86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f8156d9c6d52a496d4a3fe6c24903530

SHA1
b2684853a583d5753ba5fe44951e61792211af6e

SHA256
a1a9e077062fc24e257d5357bc41c8498b50270d6ca66366fff38fb0b9730ae4

SHA512
76fde933d8d526626e4c2af171b3cf8327ba62feef71dc6021cc12cdcf9dfc0a06e761af4261e4f8c61c86d2f7d038e19b6c5e53decf4dd344a2072e6659d610

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
6092a558430f9c07765aae58bdaf5f40

SHA1
df65c5d1e874e73460391a0122e99849c15cc5e7

SHA256
dfab3a392150824f1c2e57fcb25742fdee3a96f3aec3bf1911da34659c0d88b4

SHA512
c429fda056b53e2ee7fb4adb3aa0e97828d16f0f729eed9856972aaf15bae1b748d3726a71028cc3dce203f0609e79cdc4ae96a6bbff7cd0e27f76fd309ae15e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1b660bfa337f56b794d5dd2e9e16da27

SHA1
7a4f3286aee8ec624eacddfec16fb9b520b08c0c

SHA256
c395db108d05e2ce942cce17ab3e2dff0152c772d6baccd4c09f1e1a45051983

SHA512
c3158f26809abdecb2cf3e0afdda41d29259bdf283f16e3d52b458d4697524f9949b193fa9c5cfdcc11b02192748b567443ea6e3863afe19b39d454ccb19f8ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\pending_pings\0f8726bd-14e9-420e-aed9-2a1ca63c082c

Filesize
982B

MD5
f7f1bf94f5ea29295fbe8293b64e3e8b

SHA1
0f4f90250938922392778bd09fd778813713d7a6

SHA256
56a57c8c2e99ee75879b9f24dc00e28cada2ff4020513fad995ab9e3763e7866

SHA512
99c973d83ae3f5407119172c43fabd3ec93f4a6c723e3eee79ef1f255f00531b9b3fcea45a4dc623dc03d4cf664b96cc107e74f5bb20cf9dfb03ffc761bff69d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\pending_pings\3a202bb5-b361-46ab-8464-a861978790f3

Filesize
26KB

MD5
62c8908e3a502a2148dc67af7254d64c

SHA1
6d90f4c77ac4408f90e114066a6ff2065b029814

SHA256
88afdfb1f7a2988bd22e26ac115c0adf553ca8af3103dddd1ab3aa0cd3eaf7c7

SHA512
482cd7fc1121fe185a2f2d57eaf4e80bba495acbcb75277cd93af79d7d815b5515de893b7bbeaf6aa6031c63bed58cebf190bd0d552a8ae4e6ad30c135b3e1c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\pending_pings\95a66156-78a8-441a-bf77-f0796e3ad3eb

Filesize
671B

MD5
80fbfe586c7551eec2bff6a05252ac81

SHA1
cf4aa03ea57be5aac1c123d05e2ef486dbcfd9cd

SHA256
fcc317fa82b316da098b7fe1a68287c83e65b99496f4d894c12445c4864db18c

SHA512
5ee3da36ca51e7f45a2aefc75cdfe628e4cdad49c4d0c60fd4c5cf516664b3fc5f50dfe4d20056447cd8cf6fad8668c4396292337d2940959b1773a7a88cd82a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\prefs-1.js

Filesize
8KB

MD5
23f2a5bccf5bfa9052aa6210be9ed927

SHA1
ad38e7a80c6b3c69b68b9dde5004781262995f67

SHA256
365c6003028b70365ca3a5b51f95f66a377335260f0d080376f037c2c7bbbf7b

SHA512
0dda3dec9447f47837221d1840b89bd42399018a420744f0274eb33a1bf922cb8172f2acf86acf6683b83a5781be5b6bac17e67491e646ba22673eb6bc6efa96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit