bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

Analysis

max time kernel
171s
max time network
171s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42.zip
Size

41KB
MD5

1df9a18b18332f153918030b7b516615
SHA1

6c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256

bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA512

6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
SSDEEP

768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587982582601880"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4536	chrome.exe
4536	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	firefox.exe
Token: SeDebugPrivilege	1352	firefox.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4492	MiniSearchHost.exe
1352	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 3192 wrote to memory of 1352	3192	firefox.exe	91
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2844	1352	firefox.exe	92
PID 1352 wrote to memory of 2884	1352	firefox.exe	93
PID 1352 wrote to memory of 2884	1352	firefox.exe	93
PID 1352 wrote to memory of 2884	1352	firefox.exe	93
PID 1352 wrote to memory of 2884	1352	firefox.exe	93
PID 1352 wrote to memory of 2884	1352	firefox.exe	93
PID 1352 wrote to memory of 2884	1352	firefox.exe	93
PID 1352 wrote to memory of 2884	1352	firefox.exe	93
PID 1352 wrote to memory of 2884	1352	firefox.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\42.zip
1⤵
PID:1056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4072

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1632

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b14e249-ca80-4d6a-a052-627c8999d120} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" gpu
    3⤵
    PID:2844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 25495 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bca7af37-2eb2-459e-898d-176f9aadde10} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" socket
    3⤵
    - Checks processor information in registry
    PID:2884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3220 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 2988 -prefsLen 25636 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78bee981-cea6-4c35-b010-1db8eb2ef0ac} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
    3⤵
    PID:4356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3544 -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3205ec9d-33d0-4c84-90b7-c050eabaabb4} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
    3⤵
    PID:740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3448 -prefMapHandle 4248 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {737cb9b4-241d-4cba-bf01-e916c2bcb426} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" utility
    3⤵
    - Checks processor information in registry
    PID:2128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -childID 3 -isForBrowser -prefsHandle 5128 -prefMapHandle 1176 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2b8077a-a403-46ba-b6e5-a577fab7d1d9} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
    3⤵
    PID:3900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 4 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d8f027-1261-4ad3-936a-8e9e21c61960} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
    3⤵
    PID:788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 5 -isForBrowser -prefsHandle 5576 -prefMapHandle 5572 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {328181ea-7228-4024-bdb8-5e979ea71d4e} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
    3⤵
    PID:3684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4068 -childID 6 -isForBrowser -prefsHandle 5336 -prefMapHandle 2784 -prefsLen 27069 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d79bf4b-03ac-47b1-a90d-199eb149b70b} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
    3⤵
    PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94bc3cc40,0x7ff94bc3cc4c,0x7ff94bc3cc58
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1632,i,13956458667792387120,5752322828499351281,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1828,i,13956458667792387120,5752322828499351281,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2016 /prefetch:3
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,13956458667792387120,5752322828499351281,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,13956458667792387120,5752322828499351281,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,13956458667792387120,5752322828499351281,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,13956458667792387120,5752322828499351281,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4356,i,13956458667792387120,5752322828499351281,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4880,i,13956458667792387120,5752322828499351281,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4492,i,13956458667792387120,5752322828499351281,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4920,i,13956458667792387120,5752322828499351281,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:5868

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3f11a80442976a116dbd54ebfbc7a664

SHA1
4e1b1eaef1efb94540324164307f22cf66ee19a9

SHA256
0b8a1806f729237e5f47df7a8d30bce26691148d65fc913462351656126612da

SHA512
214e22edbfd7628f4cfd8bef4edba46a666766438306f5159380cbecaebfac39922b14a7c43b7c23fd264d15f48d6ba999d05db23ca3d09755a11705e7e9b184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
54f23795fa30aede0af1a59b97f37a95

SHA1
db8242292610619c47982603a0e972ad1128c501

SHA256
d738146074e4f1506e772c28af889428d24338186a5338f66bd8470d95600ef0

SHA512
52a4359198d3d35d42b73024a55f8d94e9fc5a6f47bad89a81ff3e008cc93ae456aeb35891fec425fd34aaeb5247ef98c0ef1e6420d95bbaef9148298d4ae458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3e4dc293a88395305a1db1537a823520

SHA1
1c431f13296943f62dac5c0f40d7bacc95b1caac

SHA256
c849a5c257a5fd6c4fe0731ded0a28b1c2405127f8d007f95d38bfe1d02260d9

SHA512
b6139beb7167d060d28a5400b769b440881520d01f5955de034ebb8f64fa417e09a4f488e8f86d0755315486c91638cf9fe91526642891b47e26aa8dbb49a8e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
fd3e1c73cd48e8a291c35d3f5b28858f

SHA1
4e6b3c8422b681aea279c79a987638abeeca4c2d

SHA256
4177da02beb4b4b16ece026b7a5c5e15079aad449dd3cb981f29f3a41f4e3286

SHA512
3f3c5a94268dddba1b00c0abaae39aa0e88639cd5bd1a65746c65d818a83d028947128de656fbc473f3ee8f748d10e475554a121e166132a5a9a1893332d0673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
c5e0d027171bc43876f27e71cbeaea34

SHA1
d51ac5c8d0e4879f5b4eb9531a1037b4f7502e8e

SHA256
da8d0eda0e46c7192cbc5598000b8d047d69a0252ab9b3db37bc830aad8954e8

SHA512
75f79e450e570be8f230f57a8a42a75d20c91b1ea3d9d0d0d0875280056365688951ae4113d834080d79c5f09af911d3a426100637e3e274a862663fce9ffeea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0zdbhklj.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
b500b10972028f367d8893aeaac15d32

SHA1
3dbc6729cbde6e7128a08dc7a5398e762f56c423

SHA256
c82191f78661bdf8d65a4775aab4f2b6dce777ff0f555835c346651d864099e7

SHA512
7421555b1208df8f32adfdbdea8d58a5d84b31dfe7b96a9755810cbd1ef11c3de5ecdc9196fdc851789a35c1989f32b606fbf5738739d8c44c057817463382b4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
8a51923dc86e7e260938733ea15a0372

SHA1
7a6801c986356b5f4975c1ff726a539d7bf80861

SHA256
38eb96af7d6d27f348d2fe4076d0aceda7e77d5dbedd68b746922cd2d0493778

SHA512
bd69c8058d6191414b11b5ab50c11cdcce711b28c216487ba907abbb0d062ca4e9e0952ae565dfd2569f12932907ed4b2cd2626c2216b95992f5f79619855ca5

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
709ea4f194033ad11003db4cb2ba4f2f

SHA1
dcabb3b0fde498d8ce59476fdd284ce1320f6e21

SHA256
162e7656185aaa1fcf8f8f672568627d5e0662f1c761a4be69bdd64dde3a1199

SHA512
ff097d22d949af91887d66b077966d1af5940e6948ca27dc1583d5252c1d7554c55552b4362d0ae76782a9b30ea885d7fd79c8bbbd8e386daabf5b628059761c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\db\data.safe.bin

Filesize
13KB

MD5
fcf1e558404441c61dff8257db14aae4

SHA1
33dcf32c3dbbad9b45f1344e876f7af7b225d824

SHA256
54098c3b742b27c92f0b37aa5db1248de844f613803acebc5b0a0bfc34d3c7f6

SHA512
1beff984fad34aed60d6fb391e45793fffbdd887935b7e207ddba88aed764f3ad1a41049822c4ca9348035883bb8b0279d28c94d6d7c7acf055d5ef7400021bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
78ef1f56db130398b709a8ce0aa1d6b1

SHA1
503d784508112f3954b0b0157f2d60055157072a

SHA256
b8de08602858c40d5208c261bc370ae2ccaa23c196339fa4d22e0b67596aee86

SHA512
5023e0e66b16e543dd77b0c5f437245a8ee739a7c48508b8352ce6067b31325dfde6878072a57f1cbbbd67cb85a97ddd37634db082594083ce60653ce57960f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
b414d5e301fa18651014c1fc37cedd51

SHA1
d72cb16d73749168a5dc086eba95a3e3d532c5f1

SHA256
772887e44e22527fc2c66691a024e3542fa9722c67ca4b083ceaf49ae77f87b3

SHA512
d3fc86d356640edf34160045af5cc7b559e18683b5cb8a8ecf35b58ea4a03069763ec2fc34b1401cde4f13009c97e0d88554b213ff649d6db1a83142cb9779cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\34064e4f-d7f6-48ed-8da3-2c5fd385e932

Filesize
982B

MD5
ed9125249f5d284b1b7c724fc3d9b6af

SHA1
ef0c637b2668ba6c8d34da84896ceb33b0596c3b

SHA256
69010590a292f479090c9e68fa6713639be56bc2ba9f72e7748d41dc90e8f02f

SHA512
1bf39f44a70e5cab9afbedb4bcda55e3816317d4a6f082ec3458ca2690f81e44381f6fd0fff7a042646c86386cd5dd718f269b762102073ce4ca068c7b94ded0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\7f179c8e-f782-4cd8-b3e2-7e081d1200fc

Filesize
25KB

MD5
83ccab7c2378f7a6230c81e51a95aeb5

SHA1
a3ba1257e3d3dcf89153896652792768522ca065

SHA256
68d7831d0078ad96b37d21ed78f80ce56bdb839d250be5e29eaf1108bfdacfb8

SHA512
c0c32d272d7b527ccaa746cfb9cb21c1dd04810369abcf1d807805171874da6e283dc7e448c2cea8357f8274b69a996667e94ad4228e001f0c84a9885806cf71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\c268aac9-4cc6-44a9-a5da-7f5dcce04fbd

Filesize
671B

MD5
9cd3149f37f5f80f9175deaeb520f6e1

SHA1
9e09b4f85109d0a388f3ea5589dc6563090f2dfc

SHA256
6ec03bf29d0baf94ffd6ff795ce03b4693d66f9d1d7cc8ea4233111422e33390

SHA512
fb6cc93b9630f7429d1d23483b89c05cc06adcc85389da347f5451db02b87a9372083b4b124ffab39c658fc91aaec02775bbb507c3158cd2ea5645d71535aae1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\prefs-1.js

Filesize
8KB

MD5
d6d598bf7d41b408fb8d5b97d866715b

SHA1
b7cb520a35b0fe618392f15d453deba00af68dc6

SHA256
bcfbc0a46cf308165f62297320ba496e18055026cac2869ab0592e7b058ed572

SHA512
210a3ac3f9c98c4def1a71a29c41cf481abee3f0b2f82b86b1f93dc54a2b2f06d4753c1b3035b234859e58879e18a75a8c0d52e809011c7c35ec849c3ef42b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\prefs-1.js

Filesize
8KB

MD5
c073c67e620f73c2c938337c5af486d7

SHA1
a29e902fc43d95941cde4d6ea290d484c81c428c

SHA256
3f3bf2696b28096f90951acae4c0b72846efaf4695cf91640cc1715658a3f53e

SHA512
4b3d09a70edb2581dd3481f2bb137fd95845ced652b91d92f1d1cd61b78cc4ec7e3c7d3a67545e7243fcd366e2814f0193ab54708adef712e560d10b92de3ac5

Download Submit