13a6027cf5de59d0bb8f06610f500ca7f3b1409f5388eca44bf26fb1aea17a3b

Analysis

max time kernel
61s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddd.txt
Size

68B
MD5

2521ee726cbaf65cb78d03d53f509a7a
SHA1

db658fd5ceeaad827271bee8909bcbc8d35ac8f4
SHA256

13a6027cf5de59d0bb8f06610f500ca7f3b1409f5388eca44bf26fb1aea17a3b
SHA512

8263cc34193c77e47d761b08e12a6cfba0c7103c486c456041b73e3d2861500fe5526d000a3ab66e8c56e78f25cff8d28d44910feb2f911b75412a5fe5886ab0

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587188235930201"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1188	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe
4996	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4996	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1008	1828	chrome.exe	90
PID 1828 wrote to memory of 1008	1828	chrome.exe	90
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 2132	1828	chrome.exe	91
PID 1828 wrote to memory of 3776	1828	chrome.exe	92
PID 1828 wrote to memory of 3776	1828	chrome.exe	92
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93
PID 1828 wrote to memory of 2520	1828	chrome.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\ddd.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8969bcc40,0x7ff8969bcc4c,0x7ff8969bcc58
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1892,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1976 /prefetch:3
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4384,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4980,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4468,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4692,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3528,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=208,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3392,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5288,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5012,i,9361236385203041762,8204533294255522670,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2160

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3312
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57e10bbf-2240-4627-93c1-10d801a07b27} 4996 "\\.\pipe\gecko-crash-server-pipe.4996" gpu
    3⤵
    PID:4148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {227790f6-c05f-4ad0-b48b-c0ea9b410406} 4996 "\\.\pipe\gecko-crash-server-pipe.4996" socket
    3⤵
    - Checks processor information in registry
    PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1496 -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 2956 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {232850b7-bd41-4c31-8f55-fcb15380bd50} 4996 "\\.\pipe\gecko-crash-server-pipe.4996" tab
    3⤵
    PID:3056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3704 -childID 2 -isForBrowser -prefsHandle 2720 -prefMapHandle 3692 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {111452ea-3e96-493b-acb1-ffc057107279} 4996 "\\.\pipe\gecko-crash-server-pipe.4996" tab
    3⤵
    PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4612 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4528 -prefMapHandle 4616 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10988a05-65d2-4ea2-bbb2-552bcd08423d} 4996 "\\.\pipe\gecko-crash-server-pipe.4996" utility
    3⤵
    - Checks processor information in registry
    PID:5164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5228 -childID 3 -isForBrowser -prefsHandle 1452 -prefMapHandle 3064 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5430a216-5b15-4708-9654-f6376552fe8a} 4996 "\\.\pipe\gecko-crash-server-pipe.4996" tab
    3⤵
    PID:5640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5356 -prefMapHandle 3064 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54d7f507-915a-4585-98be-88686d3d6df8} 4996 "\\.\pipe\gecko-crash-server-pipe.4996" tab
    3⤵
    PID:5664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 5 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54f366d1-5d80-4d11-9ba8-db1576bce01b} 4996 "\\.\pipe\gecko-crash-server-pipe.4996" tab
    3⤵
    PID:5692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1636 -childID 6 -isForBrowser -prefsHandle 4400 -prefMapHandle 2468 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1187d027-029e-4b30-a87a-8c4029c1818b} 4996 "\\.\pipe\gecko-crash-server-pipe.4996" tab
    3⤵
    PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d886440364b896a9dd39dbeb78d72629

SHA1
92d66d9258eed04436d627814a13032255028808

SHA256
cf98cffa738f32b091d2a669470520979f464aed90f4bc8c2d917ee3b9a076f5

SHA512
9d40cad55ab061c5773e4ce033bd1e37ffe12eff9d5e2b4a8dba56372064a962913b47eef4b60606c1e88d8a752706b3a5627b0e77122ff8d68ef660f0508d2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b130913fba840edc317dc1d4fe59f819

SHA1
34eeca9f7f0c4b29528023765467f761c3209947

SHA256
2dc37d2df059668eb8d30ac0960bf69e25baff32aec0611e88db2f0b86ea8b24

SHA512
876d0745f3c08873cfcfa9734dc2b1996d511c7b38a0a835ab6af1816e3d0dba85aaa5ba4fc1959626e135e24567cac0a08dea7d685bc379de409ff10d4e45f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46b13e96249c9f1263ede95c47d628bb

SHA1
f616f140b8b283d378d3ad0388e24af31318194c

SHA256
a4be863d617767e07331fc5f1b89a1f5771fda038f639070672de5a9668e7bf5

SHA512
7a9b9ed2685e8dcfd0032e4ffd200b8679db0a5b6f6a52fe5a92afeb70e1b38184da0eae94c2bd198fcbdb019d087ab4566f92d1fbf8dd36328053633e559f4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ba90d9ff4cc318539520e83a04360aa9

SHA1
5dd55cf0371fea4c8b51e912cd94304a2119d686

SHA256
224ae94eec5c5339d3949326813e9c8911cae3c8c2c72d672abf373875d36969

SHA512
cee660700526f2a3914c7ded9c4be2dc35e0d5811e99016a48a140bdf37bc1eda1527614e1dade64ac8026a198de1182e7dbd7749780cb42d28307287623008c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7267e5df580dc29832ef3b8591354ad2

SHA1
6e770b061b4efbd1682503a61aba86b326678492

SHA256
2173c1916beba4b3af5e74df3eab04d30c327e474c746ec3d71bd70f0b244c12

SHA512
f528634f74d172e17d56b2176d612601e3daff212b6ce2bcaf64f36c8d2a13c6943c748f4d17eceb7a7d66071af1fa07481b0b18f1301718819f110ce1281c4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
8d43fd42e443f6812ab636703ed78ee4

SHA1
13021d0fc2c7ab462a2e262fdf9b42376b4fb230

SHA256
0bf1484681576220a2755d01fc8f88934133898b8d33669ea9d5cf04449bfd08

SHA512
59ff815ecea44cef2d3a31391ae9f3b7f25b664f4fa0faf3614192fba258bf8afddcadeb032cc181d0e377419bc84c6a91e3df785cc007b56cf7afb8b731340f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
d0ed4a6a7dd4429e239090f3dc913cb5

SHA1
4e7a25ba7d6e702d0f9c8e2fab4962f7eaec7f5b

SHA256
7face766ffee4535d4e19170faa5b185c12f0bd39ec7697e707509d1c7f82253

SHA512
9eda91d21a587b333815715bbf5890f2f521476aaf1aa60ad895717be08019a9dfd2f0b849f6b90a8a57b31a0a29b8e9fa2c43fd25371d196e31402ec1bd92f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
ffe7c3f62fc0a70333f50eee1c1f1439

SHA1
f56788f28f0f6f78f0c8d2874ba70c96e96ad6a4

SHA256
133adc96b7188da0f6d9da26510424c24ffc01647c66877cb1cdc710b0c4a954

SHA512
b022e932327b831ba5b784599a1456c5bc77af28d2d072e74f8f2747abf7b2c6ef21673666305f040840e2c361cd6afa78aa521ff1c177ef4f6a37cad6df4893

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
452ccdc99eadcbbb5b5918d22f534b43

SHA1
b80d85ca651ed16ae87ac0ae13318bca27bbb427

SHA256
733f23249e58f9c9464e36c5bfffb2a729a676f56bf05437d8d83f1dc65463ba

SHA512
e69d51fc14f95624446137551cc1234f3cf2b9ed519e956d0ff11a1c87b042b94fdc43dbd22ed2857a9e922358290ec577e07c9396b6e75e960a156305fcda32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
176265e9d8096bddc749c7548701026b

SHA1
b9f55d111f608abb45800dcd1d263be2a86d84eb

SHA256
a261db42bbf28cf9a910a8803447b431f1460c91c27d220e715ca98ec57804a5

SHA512
d158901a76e9b24eac4e4007b30639acdf234da2214bb6652c131da7df19dbc8845d145a6ffda52c53b6766bd3e4e1fd58f9625b6a475dccfa791c3db40ed71c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
dc3a06e5833582bccac86ba4a26c7a8b

SHA1
38de041b60ac28c5367523ecb5c1edb8c35163a7

SHA256
5460ec7bf45150f7f38d2b62d246e6f4f6ee4a4924586f982871defe62e6a852

SHA512
71f29c4b6958bccd7dd65c0c3081f385f9cd78f49be0f1bbafad5c296348e8ef0800f0ecaaf149564bb228cbe1d7149fb990b65c64cad54bef0b4bad8ed446af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\pending_pings\2b5bf011-1672-43c5-a96d-60bcc2fd4bfc

Filesize
671B

MD5
903a7f98084e6c02c937abe24498cc4f

SHA1
b3b87557431014fa44d245d812aa0d1d5a8cd49e

SHA256
23b1de21fd4cd437ae7b6131196dbc97f51af3de9e3cd1f2276a0bd4a19a8fe1

SHA512
0dd6ef3988443522e8fe39e71c50fb67aa3f3dd42e8944ab685be04bd7670c4bd5f92f1ead50f2bf4ad2b5b844a7181b19c75b50d8b4026cba3124ba43d4ec5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\pending_pings\321304cd-a911-4112-aa3a-87b7bec8bd9a

Filesize
982B

MD5
bf8c15a0ad9910a602bca2f91777f309

SHA1
2d9aef678b7b3798f6ef7a444c204579d86c6c86

SHA256
e662273b3b130a092f00bc89d3c09f60159292e61a4131d2acc2fd81a4200d35

SHA512
962fce076cb0a9c8337c50a17cd7705e87d95c2b98d8da88c66644f00adbf65dbccef99dda1f785e43cc13e7447d4f8cd1e107767b0e41b602386a6358e7e6b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\pending_pings\52acc920-ada5-4c89-a6d0-c7110fd96714

Filesize
797B

MD5
356e1d492cbc0e3b92f64477f2c2b1aa

SHA1
a13e61359086a2e7f0f297ff1e33302e1f2c8d6a

SHA256
c58d92f4b87b6206ae5d5dd8b33fe5c14110f1e7c0c7da45299faebe3055e0c3

SHA512
677344e36dd7381c62e187658156471b98fdd2f8fdc1705df37c65a1d7c5144b11adaad14c28bd21d85b95c0bfd46983d9fd13f4b1a0c013a3501b3d725765ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\pending_pings\74f1e509-80b4-4e14-9954-5c1c868b0f0e

Filesize
27KB

MD5
65b72254444ce4e181afbd6d838dbebf

SHA1
625799fb09db3643b966843a5715c4ecdef5ea4d

SHA256
9552a00cbba029f40c2167163140fb0251d9b2e41b76decb04b808cffc790bd2

SHA512
ef9e708da6957308d25efcddf2e0975b14eaf6a4ebb1a34363333a78dc3bb68b94ba36446abfe1b9d13260d8fe0baa49140a4b6762f3ac5d1cfb11580812c92d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs-1.js

Filesize
8KB

MD5
54cc88109da1bf6611d573a7d592c1db

SHA1
1ea50008b29f39454782cd0658d1f69d0657ce1b

SHA256
672489c3e85884d45c7e0257eebdb247a3dad60ec0b6f61d34f2c581f7e68cba

SHA512
7efcaa200583e9c05c5d302386afd4743a13cf0684f2c9bea2324cb9be83609ea0e48836bd57821dd4808ba143d6ef2cae2e18f38c12258ae48062721eebbb4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs.js

Filesize
8KB

MD5
cba878eca573ae8ae150a52a4f33de88

SHA1
4db6e39de5774726b9844d3d7b1f38287464475a

SHA256
9655f273d0cd8c51321f613ce9a660501b0bbcce083628e6d13bb8d6404241e0

SHA512
1bdd031b35c2748a4a36924997295a0ff3b2161218dc616f1daf7397225296b891a7b338920dcd6db66c02e0ab3790378dca594b6eae49e2c958e44c6058fbe9

Download Submit