metasploit | 2ca47f7ab7e0b4da1fa3fe7ea4b4cedf431c212df06e68a85d0de372fb20e867

Analysis

max time kernel
382s
max time network
381s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-04-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shell.exe
Size

7KB
MD5

792638f04fab15fdfdd40d90de3f543a
SHA1

cf452a13f7b29ba2b6649540571cd3372817f4f4
SHA256

2ca47f7ab7e0b4da1fa3fe7ea4b4cedf431c212df06e68a85d0de372fb20e867
SHA512

5b9b28e5a3764af754e97a4fb6836bd3062121b5edee10900687fb5d069dde1798caf36920d179092e9731b193a097a30f6459da32507a49bf4d90a21997b8cf
SSDEEP

24:eFGStrJ9u0/6gSnZdkBQAVK86WYiKZqM2eNDMSCvOXpmB:is0tqkBQv8iiu2SD9C2kB

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

192.168.88.128:8080

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exetaskmgr.exeSearchUI.exeSearchUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4032412167\4002656488.pri	explorer.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	SearchUI.exe

Checks SCSI registry key(s) 3 TTPs 29 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exeSearchUI.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchUI.exeSearchUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133589088379757336"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 50 IoCs

Processes:

explorer.exeSearchUI.exeSearchUI.exefirefox.exesihost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065789565016"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Cortana_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010006000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80704004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000006452b93b929ada0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80704004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000088189f3b929ada0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b0031004e005000310034005200370037002d0030003200520037002d0034005200350051002d004f003700340034002d00320052004f0031004e00520035003100390038004f0037007d005c0047006e00660078007a00740065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e807040050004300480020003500370025000d000a005a0072007a00620065006c0020003600300025000d000a0051007600660078002000310025000d000a004100720067006a0062006500780020003000250000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000089061b3e929ada0100000000000000000000000047006e006600780020005a006e0061006e0074007200650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000006b8308248a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d0000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exetaskmgr.exe

pid	process
4152	chrome.exe
4152	chrome.exe
312	chrome.exe
312	chrome.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2000 taskmgr.exe

pid	process
2000	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

Processes:

chrome.exe

pid	process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4572	firefox.exe
Token: SeDebugPrivilege	4572	firefox.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exechrome.exetaskmgr.exe

pid	process
4572	firefox.exe
4572	firefox.exe
4572	firefox.exe
4572	firefox.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exechrome.exetaskmgr.exe

pid	process
4572	firefox.exe
4572	firefox.exe
4572	firefox.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

firefox.exeSearchUI.exeSearchUI.exe

pid process

4572 firefox.exe
364 SearchUI.exe
4168 SearchUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4892 wrote to memory of 4572	4892	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1928	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1928	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1420	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1216	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1216	4572	firefox.exe	firefox.exe
PID 4572 wrote to memory of 1216	4572	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\shell.exe
"C:\Users\Admin\AppData\Local\Temp\shell.exe"
1⤵
PID:4812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.0.1605446403\401064690" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1700 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6cb361f-f8bd-48a3-a47b-21faac92a93c} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 1780 1b4b3dd8858 gpu
3⤵
PID:1928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.1.1299999411\1454454123" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {924616c0-0b97-4134-bbec-daa15b34a556} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 2136 1b4a1a71d58 socket
3⤵
- Checks processor information in registry
PID:1420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.2.88480604\213437525" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f021430-9d1f-4818-a2c5-7b9b97e2afd0} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 2872 1b4b7f98158 tab
3⤵
PID:1216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.3.1960602226\430063766" -childID 2 -isForBrowser -prefsHandle 3384 -prefMapHandle 3376 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc5b823b-9e09-4217-9e58-7a7ee2c49b48} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 3400 1b4a1a6a058 tab
3⤵
PID:3564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.4.135364710\13920702" -childID 3 -isForBrowser -prefsHandle 4168 -prefMapHandle 4164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ebbe1cf-4081-4ffc-bc06-1440c8d1f7a1} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 4180 1b4b94f0558 tab
3⤵
PID:1576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.5.651152067\905302134" -childID 4 -isForBrowser -prefsHandle 4788 -prefMapHandle 4704 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {325d3ef9-801c-48c4-a1f7-4fab59caf0ca} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 4796 1b4ba068958 tab
3⤵
PID:4332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.6.924709936\722343789" -childID 5 -isForBrowser -prefsHandle 4932 -prefMapHandle 4936 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b763099-4460-4984-a191-2625d9d704bd} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 4924 1b4ba259e58 tab
3⤵
PID:4972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.7.1236182265\205597535" -childID 6 -isForBrowser -prefsHandle 4796 -prefMapHandle 4756 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd0e322b-fdfc-4ab8-90ee-48393f05c432} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 5108 1b4ba257758 tab
3⤵
PID:4664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.8.1253259672\330623223" -childID 7 -isForBrowser -prefsHandle 5616 -prefMapHandle 5600 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8b6bd70-f057-4213-8463-7b06edbb6447} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 5612 1b4bb8a9758 tab
3⤵
PID:3136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.9.337870377\1656933084" -childID 8 -isForBrowser -prefsHandle 2604 -prefMapHandle 1504 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e8384a8-504b-454b-91f5-36ae0f7dc6b7} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 2620 1b4bb9ed058 tab
3⤵
PID:796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffedcc9758,0x7fffedcc9768,0x7fffedcc9778
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=480 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:2
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1652 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4788 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2940 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:2944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2972 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1960 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2916 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3024 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:3404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4448 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4796 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2956 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4880 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4852 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5176 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4700 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4552 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4528 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=1560 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=4864 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5244 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=4844 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4764 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=4636 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5136 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=4452 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=5200 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=3064 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5592 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:8
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=4832 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5344 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:3720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=4424 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=4588 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=4512 --field-trial-handle=1824,i,14334611328074795214,4409972976106380270,131072 /prefetch:1
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4264

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2000

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:364

\??\c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2628

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
PID:3172

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002
Filesize
58KB

MD5
9b603992d96c764cbd57766940845236

SHA1
4f081f843a1ae0bbd5df265e00826af6c580cfe7

SHA256
520408fec7c6d419184ec68ad3d3f35f452d83bd75546aa5d171ffc7fe72cb2b

SHA512
abd88ee09909c116db1f424f2d1cbc0795dbc855fef81f0587d9a4e1a8d90de693fa72841259cf4a80e0e41d9f3e1f4bf3a78c4801264e3e9c7d9635bb79ccf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003
Filesize
40KB

MD5
5ce7bdeeea547dc5e395554f1de0b179

SHA1
3dba53fa4da7c828a468d17abc09b265b664078a

SHA256
675cd5fdfe3c14504b7af2d1012c921ab0b5af2ab93bf4dfbfe6505cae8b79a9

SHA512
0bf3e39c11cfefbd4de7ec60f2adaacfba14eac0a4bf8e4d2bc80c4cf1e9d173035c068d8488436c4cf9840ae5c7cfccbefddf9d184e60cab78d1043dc3b9c4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004
Filesize
200KB

MD5
a484f2f3418f65b8214cbcd3e4a31057

SHA1
5c002c51b67db40f88b6895a5d5caa67608a65ce

SHA256
79cbe928773386d07f0127f256f383debed5ccea5ff230465bf46ec7c87319d6

SHA512
0be1bb8db08f6e6041a85cfee90cd36a5b595afbca34d52a125465454fc806b4bb7ae569eaf4c882922fb1b962b6060534e597791cd0ad23483be5981d9be85c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
24KB

MD5
f782de7f00a1e90076b6b77a05fa908a

SHA1
4ed15dad2baa61e9627bf2179aa7b9188ce7d4e1

SHA256
d0b96d69ee7f70f041f493592de3805bfb338e50babdee522fcf145cb98fc968

SHA512
78ec6f253e876d8f0812a9570f6079903d63dd000458f4f517ec44c8dd7468e51703ea17ecce2658d9ea1fdb5246c8db5887a16be80115bbf71fe53f439d8766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
84daa3a7620bdca252f2ac4babb95723

SHA1
96b91d9a8e5fcf551457706368cdd31372c1de09

SHA256
1b2235855f3e296b024803ba986d615c3abe803392d3bda642f3429a409cb8ec

SHA512
b7fba1aa1e75ae270ee9f24e681c5869992e31c6c822cac2456c70b858f8a35f4023277ce04bb7965947df789e46b84e644c25308a6e030cb8dd18fab7604c8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
4a110c7722866c32df442d8ad722b2ee

SHA1
753616dad49c6c5f6ce008544e4e5489d8f249fb

SHA256
4c6e274483346c1c0a259c8bac803850059a6348e8a636b4e7b299e972a319d9

SHA512
8b245234e8a2dd1e25e64e5cbbcd1b676e3989e628e73747d561ddc47e33aeb2f7824c8674806d836c2411b3ca11114e34c5dbbba72d06bb10a7113b74139260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
6a00d47b89a3c39a3f940104140ea99c

SHA1
60d16382d0422ddd25554fdf897ccfe302d88519

SHA256
f80f4cb549b18f0038f5f87b54bc69d65ab52bd85ba651b1535de82469d050e1

SHA512
f85f980afa4b43a4c7c9c263606b9b4d27c546afd657f444ceaa9269671dc9d661c4a2c1fc3f0fb71566dcfbb01e2b3046873b1887a27fb96f91e6e09c3258c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
3ed4006550c6e679b2d1a85bf802e63d

SHA1
95e66dd1256f15499a1c731514ec91ec80b5fe76

SHA256
ecd68da601f415f3ccb1f83ab2e68980dcd535d589478c16166ca8551d97aa3a

SHA512
aa34b1a39b6f94afac4a5d8ef1a2092b306a8286b8c13a89a0585bbf7800d74727198b62cb77137f0b9ee85c2e1975edef78005c0a6e48dea8d52748f26dc20e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
8ee01a6d4e34c7801b455e741593a69c

SHA1
ef97d23e35b34560f14d98e25f31fe3bb55667e1

SHA256
4dffdb64297b53950b57070193b0488c141e7f7cf2612c267b08dd374c8d4ebc

SHA512
4904800fb9c813c1f729d08601a14fb7d683b38426f99f71ef513cfc53bcea14ef364bd94bf345c1e03c77649a2330c9e67f71bae949fe15d830bdef40ef4dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
0f8af565877f6192aa9107757e431e71

SHA1
c98b65cb238dc9ead2120c7ffe05d55297f35a86

SHA256
935fdc74a105c54931361b0fe0c4ad3e5464b109a420b0f1460dee0afe8bfbc2

SHA512
0c74cbf55de4014041bfe12ce8ba64a4ed692c2689e6bf7de0c47828c626c5b724c997d346cf8cd2213c6ad0424b5f8238c78769ebbec6b4edf4c89375729893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
678ad863332503eadc4a80850686e4d0

SHA1
e3f0b1ec2b2febc9d312428fbb369492e1660e82

SHA256
e366d20151d9d292ce5698cf40a4591e69ca3b8241b9ef807e484ca87297cc4c

SHA512
e5875fca78a1d4368dfa068a815cc30831d9304fbcad5ff26b4a3d52095e20d73f7d912ffecb8767014d4c583784e0d8d0fabb1c7ce79145a3975c1741205633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
d765c75deb91fad28ca2b6f08738b209

SHA1
1e440141f475bc3017a80ff3bdf04f3bb7c1fb68

SHA256
329aeee38dc90348054f811bf1bd565d1bdf67ad60d866fba2948aebb6bb9950

SHA512
a1bd7b9ce7123b33fddeff1be55949533678b0b97029d841ad3b566409cccaad8573abce6dc706b98c22ce09782bce89983e6f893493054769941dd45a033f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d1d95aae50d34002c472a252ca65d831

SHA1
5e3130a2f33dc9b830100b99183a80c7c6b88fb2

SHA256
7dd2e4861a6899c02feb6b85cbc5f10d01f14bdbba756a38f948fe6d5fc78dd4

SHA512
dc3d2246a1cb2c6997ec76fcb1b674cef8af8825a39519484fa1539c33244601a16c17295c35e4588c982bc56668a6795ff10331e47a1c229d0c7cc248b065c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
41a684660a009043cf01029ffa7cbed3

SHA1
fb63b9fc7ba33bd811011f7d0b89970c40cc80e2

SHA256
898f9daccd98c9e8a426f70472a4c0689e115fcc9069004e3f104ff0106d2d08

SHA512
257d5039e14742326e4fbc8d0709289fcd69260f27569c99952af860e26669db24ea1215fd801e393cf816c34ee9165959f58912294193400c0518d6b0055dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
132276671f2a1c6b899384e2b87e558d

SHA1
dada5d4887abf6b21c36a6da1cd4ea7fc9486031

SHA256
512d3f9402a364e4df626b71d7c5936ade7f950a7fcfa94c7ff51c761c03bcc3

SHA512
8acb01befb589df7777006ceb6af4127602bd38e4017f8122e42f6718ede7495beacdf2d334e04dff2c77fde6e31cc533d23762228321fa7cc3da892bfedb16e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ed73a654f6c818750d251eeab3611e57

SHA1
2f43d1543720d761e4110fe13dab6afb8b7ddd83

SHA256
d5de20fa4e63c449b16eb40ee26b4fd1bb1af05cea4eddae9ccf7a3e303ca6a1

SHA512
8443906ff55211b88ecb890fc2dba7080f8f49e790b9f1bb0d44aa6d923ffb38ca3dab8a2d9ac3408ddd67d6dbe0e78db92a39d620e783ee709a0ba4c031b8d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
054421ad5ce8199d01f73f68de0828d3

SHA1
d4a991ccc0df389c3537bc834bb91e3b71f611c7

SHA256
3d48d31c8355f25129727a7ca1b9bea24eb8ce867de72dc20924e4938e95b1af

SHA512
8f85701767164ffa9955908c07662097b123435d7bfd7cad40759588a18f947f51feb54e07f0f893d9577a9b8562c453e2e7d1b268bbb55ecf2800f5b985f136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f8e2cd92765f7a6a66704972e7edb428

SHA1
aa23a7de551ce92a716ac5c6ce2d5b2f6ed1160d

SHA256
9a1b14d2fc8dc397458e820671c0b514204a2911e58610481fb8c973ed9f2998

SHA512
1bfea4e92f7dafb1dcfebfb4e1c7433c469aca3fa6495b1c610612d8302cc72ed0adda50a97a3ef41bb1dbd70ed199fb8e0726f790dbcb3c3eb72e7c1b050ca8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2a76345679cf68dd49f7f4b97aceaa8c

SHA1
6613229d1339f460a22ced2b58508e4719d9aced

SHA256
8e5bcc1e0546fc9fbbdfe131abc3f545688444526ea644c3af62597e3e7062f3

SHA512
135fe9217a374ac8191e443451787b65a847e72233f7baf6e26c7e889dc73a593d4a2e6eba803e86c4fe7564789a11aa93d52b343ae03e737b0160c909b40489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
49b180f816a0149ec4f8b01235fafb35

SHA1
bd1d3a9e14078338710b9ec907262314ed7e9432

SHA256
ffb6f07451fa06c0cd2ff826182b693ff50a6f619fe41f594a07f4ef9cd6c8a9

SHA512
3a3d3405960b1a3cfe58ea2c5e61af269cad990ea27f72e06deb308e1fa12b3e951da0692b54c661909948751c237b0d9688a4df15d0c8558279266c86dc7dcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
074703ebc3a37355a12cbcebfd86bfec

SHA1
f98587444da15d2506004a4c1ae8112635b7fbc8

SHA256
b31071ee10205c70de11f8b4ddff537e5b5c650474a587ea4def578e52eb19a6

SHA512
19683065f9ec5fde05112297922772b321039dba57102a1dae23e5d63484ed71f8fc4bc8a18e6ba9a7f32b33cb1d4fe24b99910e55de7505082721efb7d74e36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
03d353a625ef3a2ca4883071834c3a14

SHA1
7f7500e8e55cba86a5ffaac45665875ba4186b85

SHA256
ac02e4656a0c16c792463e8b8903bd42f72c368e499cad92fade45fe57fb3cb7

SHA512
145340e12d5288c8b6449b69c14b920b85b6e7c09cfa37d518ca76631662a1fbde2e890b6d083649124a0c2f2714c7c6e343bfa613afa9deaee3e88c865c6acd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f5c6a9bc-57b7-4ee8-9106-b7c284403b29.tmp
Filesize
5KB

MD5
689246a4c7d7bbf9f0d228c950a1e25c

SHA1
6ac78f8ff01c0d231082c97bbe345dd5f7a3a636

SHA256
09c3f32a1894aaddaa7c004ec031de8e8bff6b89012f2e09bd9c5cede5d9374a

SHA512
b685881b2dd83ee7e308322f8dc67af2e4cccc4c3aa340b8431995fd49bcb0351f1f955f9575d5eb6ad1470a812ef2756d15bbbe9f09cc7955e8f8d5c2f18e5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
273KB

MD5
587af8feb4b46e3b90f022f87e9c22de

SHA1
bbe91f7e33cb1655eaeb5ddc6f9203b8318a19c2

SHA256
5180d9e7287e993ccd9d070ee9f1372938c4f06dd9f8581c6748149acc20a2a4

SHA512
73daf897d4412b4cf900f01ae59533e1aa09ed39fd6642a07ab123a4a4253b79bb317d98bf382963596c77a7b71cff2ec2d8006030b97b1deb6841c601b2a248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
273KB

MD5
39e252227f3c344615521587a38dd902

SHA1
622325354633aa1bf23058cd6b1a29aa4750b54c

SHA256
551db873cf28b9a7c512897b843d77194ad4dc3067dbfe4f14bb6f9fcd21e4fd

SHA512
6cec443992abb0b70de6e14a3631b477129b91bfa76e8a052f69a1682bd4bcfbca8a7f4b77ba345a8e7321b75a0cd7a5245fa034045f9f20e61dea21a183c7d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
273KB

MD5
14fdced61518457f95c8cbcdd70999b1

SHA1
e826cfd1c2719a0de8c07bfeb97c6bc301e27661

SHA256
d0efea4c041bfdca368f2b3aa029ac15a7b5700b91e55e577a965863e3d1febe

SHA512
8426d8fd7cd047a872e69bc3bb4ec045efe53eea28483180f981ba64836f12471685673a782de618fe0e6a9a589fabbdc40ecae4de03f403eb67b20f8d3a78fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
273KB

MD5
d7f0fdb72eaece2def47f62e05bbdcf8

SHA1
05871c323ff69ff21c6dd538de1252af9952a415

SHA256
696bdeafd0f9302f7f69586765f085f2820cea936fde89abdbe5b1ddd229cc76

SHA512
263b4dc8b95db6d39587d1715681dde85a55c62b37d405db6fca317f45077efc24a40457ff640445d2259a19e8c59102d4551751d546dbe4305197f7075252a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
102KB

MD5
7e3e49819d2dce2839466b10cfcf1681

SHA1
b467aa9768f1e4800ef723aa5364180ded617382

SHA256
ced2860977cdf4b234bae75bf1294c70bedc23e7d50136fed4b8726fc9a1a836

SHA512
bec86f11768e160d277c0441baca7229a1f4658eedb0887c39b482c8700da8d988d97efc2ad11c0aee4b706170a921fc9c5545372927ef131680d4b9337caec6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59b953.TMP
Filesize
93KB

MD5
0d36326cd65b99c16a33036b84a9588a

SHA1
652d94193527847cc7c4fb4c962b9422e015ea93

SHA256
d3bc4aa42736ca20230e289530b7b457b7751582a6a453a0fd2b71b3d3174ba2

SHA512
38fa2e5bed1c6f10e2a2b437fdeb6c7d01120282a5751522cc54298108b82decdd1254d47c5c7bd48fedb1d61ebda9209ea6cdaac82ad86804f1cfa3f16d3d41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
540cf65285a47f960f0ee1fbe8ed9cb6

SHA1
21236903e8b993b1d298bcad0baf904dc21d761c

SHA256
589bed68881b0571cadfe1f4aac8598af711ff0431a2945acd1cf3fa1fc0ebf9

SHA512
ee82fc88103a2f79c88d6f5a934a1f65a93fef4972efd527e9e7ae513f9abf7ee3e1cc1e5ea41e64da5c9765d12662fd420f644ccacae234c122a50dc0ca999c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri
Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri
Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MOQY2KJ2\microsoft.windows[1].xml
Filesize
97B

MD5
84b7c4690f63511549fcd09051686efb

SHA1
fe3af98a7c3ec1df582e49c5068ac693c5fab153

SHA256
b27285d3ba18f60ed462a22a42ad437f0902b9af242019978bd9708dd20dc41c

SHA512
8787a0411eca8a8aec6a7341ff306e8ef1031e63d40ee41c8f2cba39f845ff123b9cc3862016b254e880c31d347aa56d6deb9b62137c9958a002bacd58310ccf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
Filesize
9KB

MD5
475634734febcc058935f88f45322a95

SHA1
de7fec146509e68a2d188f1353fe6e3bee605427

SHA256
e35295bd2811f0ca955f788a6c3cc2fe806f15f02e82ac8dbcedcef6b1e44b2b

SHA512
d475b9da62b3a7a5a54879404fd7d1a459d33c19d954f6324125a66131bbdae02c8ea8e48fbe6e922785ec802917f3dddda18252011b8e33ba0f3bf32f687d10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\0a26a7d1-796d-4485-9e08-8b44b8924d86
Filesize
734B

MD5
2330506ec39ca8498e7579d51a603244

SHA1
1777221406ec60e906c82f0cd0dd59abb698c50e

SHA256
a04a55bba22a633d8b750cfbdedf34477a7429694c7b565f5ce8e13f363a9313

SHA512
712d223f92f3fa7a56b946980ce1896bf08b86fc99a2340d8a849c5090f22ba2d76d86b129f45d49d4aedfc8b5de9038fe4c0700576931173436cc5275896e7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
Filesize
6KB

MD5
ca7b946dbe9836c524ef959aa4cda427

SHA1
25e08d9d49616c2a179a67af008ccae1f89578ab

SHA256
4c27ed82828005d477a41680143cca19b85b874a74a6c58bbd59db447b07e34d

SHA512
980fb1204880a2b4e22cbaee12ef92af22cdd0c71448fae2e295bb06034bd573d65231c8046ea5bf80c9224d8b9fe13f3bed729390f339923d7d514fc562e458

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json.tmp
Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
2KB

MD5
a656fe0ab3fef8c1bdf92ee490470f20

SHA1
ae5429832f4427c81cec90d566c198905d5613bf

SHA256
ad95b4b8cf57cad4c9bce9960e189d5c29042897ebb275abd362f2af34b68c35

SHA512
138b9641e0e6331f1a8d295d573b03354a5f2fdee0fd2383058926a5dac75560075c9390b9d4ee9f1775cca01b2be487f140493181b591079075bb3dc8bdd9ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4
Filesize
4KB

MD5
6216cc262a4af8011b001566539e850d

SHA1
2b6c9a4ba73490f8f773d1ad3e09576c1fc5c505

SHA256
957d9458e4eaa6afe0ab4ea87746eb2f38f20791ee290e70fc3f3348574f293c

SHA512
44856375482bbba970ee192f83b5dfa9d2fc276bca885d9c33892e13db338a48055f33559a9d31c607244de94174dc70cb8e59f3c0c3257190d707c1f118333f

Download Submit
\??\pipe\crashpad_4152_UEMWLTYQGZFICAJI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/364-971-0x0000024264200000-0x0000024264300000-memory.dmp

Filesize
1024KB

Download
memory/364-974-0x0000024264800000-0x0000024264820000-memory.dmp

Filesize
128KB

Download
memory/364-995-0x0000024264980000-0x00000242649A0000-memory.dmp

Filesize
128KB

Download
memory/364-969-0x0000024264200000-0x0000024264300000-memory.dmp

Filesize
1024KB

Download
memory/364-970-0x0000024264200000-0x0000024264300000-memory.dmp

Filesize
1024KB

Download
memory/3172-1035-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/4168-1036-0x000002D5F4000000-0x000002D5F4100000-memory.dmp

Filesize
1024KB

Download
memory/4168-1066-0x000002D5F4840000-0x000002D5F4860000-memory.dmp

Filesize
128KB

Download
memory/4812-0-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download