bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

Resubmissions

19-05-2024 12:56

240519-p6vneshh8x 6

19-05-2024 12:51

240519-p3zg7shh2w 1

19-05-2024 12:48

240519-p14zxahg6y 1

19-05-2024 12:43

240519-pya9tahf8y 1

Analysis

max time kernel
258s
max time network
257s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42.zip
Size

41KB
MD5

1df9a18b18332f153918030b7b516615
SHA1

6c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256

bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA512

6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
SSDEEP

768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133605964897674456"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3508	chrome.exe
3508	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3876	firefox.exe
Token: SeDebugPrivilege	3876	firefox.exe
Token: SeDebugPrivilege	3876	firefox.exe
Token: SeDebugPrivilege	3876	firefox.exe
Token: SeDebugPrivilege	3876	firefox.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3868 wrote to memory of 3876	3868	firefox.exe	110
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 1704	3876	firefox.exe	111
PID 3876 wrote to memory of 4896	3876	firefox.exe	112
PID 3876 wrote to memory of 4896	3876	firefox.exe	112
PID 3876 wrote to memory of 4896	3876	firefox.exe	112
PID 3876 wrote to memory of 4896	3876	firefox.exe	112
PID 3876 wrote to memory of 4896	3876	firefox.exe	112
PID 3876 wrote to memory of 4896	3876	firefox.exe	112
PID 3876 wrote to memory of 4896	3876	firefox.exe	112
PID 3876 wrote to memory of 4896	3876	firefox.exe	112
PID 3876 wrote to memory of 4896	3876	firefox.exe	112
PID 3876 wrote to memory of 4896	3876	firefox.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\42.zip
1⤵
PID:1696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3876.0.579510013\1834327528" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7109869-13cf-4104-aa43-47993b0c0999} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" 1852 1dcfe309d58 gpu
    3⤵
    PID:1704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3876.1.508973750\1635728277" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {246dde53-fb86-4c63-a34b-5beebe6201f9} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" 2420 1dcf1589958 socket
    3⤵
    - Checks processor information in registry
    PID:4896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3876.2.1958526422\142691420" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca316cf9-b617-441c-ade6-c21561a28de8} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" 2972 1dc82003558 tab
    3⤵
    PID:1796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3876.3.1347643397\1516957763" -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3652 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88e8472c-7137-4a46-b8ff-cb9f965ede03} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" 3672 1dc8427b558 tab
    3⤵
    PID:4608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3876.4.1919248752\1578055134" -childID 3 -isForBrowser -prefsHandle 4148 -prefMapHandle 4992 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65eaee2f-0ba8-4561-979b-49c5eb5536e5} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" 5028 1dc86753258 tab
    3⤵
    PID:5196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3876.5.1114775788\946598439" -childID 4 -isForBrowser -prefsHandle 5332 -prefMapHandle 5328 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de1b8a0-1755-4010-a18a-8fbbf3a3b1b6} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" 5340 1dc86753e58 tab
    3⤵
    PID:5204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3876.6.747398478\396104071" -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78aa1bb2-1484-42e4-a4a9-fce3603c912f} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" 5468 1dc86753558 tab
    3⤵
    PID:5212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3876.7.1420015233\2045575094" -childID 6 -isForBrowser -prefsHandle 5916 -prefMapHandle 5912 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5588b0f-92ef-43dd-bf30-5357d7f95b56} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" 5936 1dc80827558 tab
    3⤵
    PID:5796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffca11ab58,0x7fffca11ab68,0x7fffca11ab78
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:2
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:8
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4368 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:8
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:8
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1956,i,5881672934461610052,8869354416462706856,131072 /prefetch:8
  2⤵
  PID:4648

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
62b8e6d52b4b44d47fceb1594e74eadc

SHA1
9810033c45fa149568be80edae13391b19e91d47

SHA256
406791c40275dd756c13bf60fd05ec274e151e7c2b28b49a01f2100f9c228c21

SHA512
ff1e925e1b497785bbfd7ce9ab4cc11622c202318ebb6b6827ca23906228524fc935e19d40c3ce3b277bbcd3b1165a850a030c106de079ba1cd6c709a1199427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5eeb06b4b7abad097c1d2bb27f871043

SHA1
1b5e4db65408280b89318b8150fa8f324c3eb7e1

SHA256
8cb1bad3892893471bcb7f307e11dc0fb9eee86da518498dadb57bb436b64b97

SHA512
164760d48f383411e0b105203c300b12f10dd11d486ae915abdee2c7d229051fec6d562492a028d4f244e80adc5533b67b62e4bc70d54f045d86e332e8f568df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
bb5211770b28739b63153449f7236ad5

SHA1
ba0af22b7cfda0a164d1377828a9fafa2f94baeb

SHA256
9b292efa989d3f40b49d8a966f0228890a8f90fc80bda8af35222b30b7a3e1b0

SHA512
e72df450f2d5816330a6b2ac6b576687f4566567790d686452d2abf4872a8a4c0bb47f1c8ba42c1e3d157a52a84524f8ad0ced10acc14d43126aeb7737d6391d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
2889d1f0952317208101dacc94472c1e

SHA1
f9d4b35d43c11dee185f15c27856049fafaf69d8

SHA256
b7f43e189acf0cfd79e658e2ae9ba7f2953650cb290b09bb474b0263f0406fc8

SHA512
291e7938f009d708e2677781685584dfb18e40cc752ab5ba974f909fff4557e4da8338513d2a4ded4f9508a9c9908537f311b76db2f279cbd3057ee7f54575bb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\doomed\1007

Filesize
9KB

MD5
1928dd1e203f88659671250b2b0c7637

SHA1
0f302a17dd47e0eafa72473b92c46b02a67f23ba

SHA256
ee1660fe07cf53adcd9683d63b26a4790ca6e623aff4c73de1a9ce2b675add17

SHA512
b42a39782d594fb65d5771ff8f7cafe89a323137d379d53d9df9ab2040c9157e87965f6f83bca3c42aa6f7ac93e92cf5f6ef72d87eea0602ee07342c64ec6ba3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\entries\81D4B46E5F1C225F9056245AA4A09EA13A9F4FD3

Filesize
60KB

MD5
b2f8f8910e58af77549ba7cd7f8f34d7

SHA1
6a75cb815ce1ec193e5106590aeadece492f3173

SHA256
d526e11940af781fca5a9b2793ead46f29e970e91458f723a818e5ddf56b6645

SHA512
dadd3ac9cd01ccba2fe2da343eaf292e90726d0a66c052f5cc20142494e50954cc8398092b8376f3546be1d3193b4e4d73b3004c10ed5690d12230a092207a01

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
fc86565b2c3599d7983c08d5ae0e462d

SHA1
cad873def38f9e5ca48aaa02785ab7d22038347e

SHA256
1a0d1ff2014a22a295922c11a3933588ddbd7942b2a07723a35addd29251881e

SHA512
30a76f3e255b354894a552ffb6f2340d02dd6fcd311015d061fb8b54e30acc3c0be4a0372ace4c578989d7f0d8062283cc97d9c9b05908a153f4cf15811077b3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
3823e6c9f8aac63be4d638d0de84ab42

SHA1
ebf4ea2259c30ae2bbd7ede27f10e39685ea050d

SHA256
d8c62945e81ffd80851f24cc579c1adcd64a9fee85d813168191fdf840459098

SHA512
92a8953704fdb2e30e14f9ca1b38f6df413ab365bc095798f04ba7b7d810a02a197df3a89319135db114ab22eca8fbe5a237ec04fecefae30df120aec1b5f68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
9KB

MD5
5ab122ecf002ee80e3cab430490492f7

SHA1
221e1e8a43ea2991580f04cd77dd172aa9da3837

SHA256
bc6849bbffe4fb6f113a9292e29350e2e2cea798071397c59ee1942b7cb6abd2

SHA512
b070f1881e0e88bb36bab6e64b45a562a2682c440b2e5ff053369af162d265b6f6c506373a12a88a491238a9391253ee6c045a60c1639c7b8dd131d79fe773bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
ef8403d3cb3c96fab339bd404c2c7e3c

SHA1
50f09dff2abfca5a6d7fcf52adf90aefdaf1df4a

SHA256
e0ef68ab0c7cd01f7d63580e05f52d20330074c1e907df87e2b3684dac982bd1

SHA512
543233d5a204de46d265adc0df500a39a79614a0b0e9092b4238be0a75f1fc44196403ada5d9de2ea87a14a5dfaca1a151be3bd158dace9246bc9a6cd07c0234

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js

Filesize
6KB

MD5
b096a0cd684545f5f6eb4ef65ff937e7

SHA1
b02b8d62a34310f60869e3ce955241bece4c810a

SHA256
b8eabb228ac3d44e0cf2b10e1b6f2294b5d6cf215e1eba7176cd64b4fe15c736

SHA512
8250682aad9c3a42b0ff505ddd8f1acd0fa797d9e7c8cac47b1746ec7ac7fe97f9094abd9dc8ee6831ceb8b206d6a481b049665654c63de92a4cacf371c9ba9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js

Filesize
6KB

MD5
98ccb607f0365c0643839f9c51c86c66

SHA1
7f45c0e865083b0a6b9ac9dafd41fb7237d44f36

SHA256
b532c3e356b51b880e958377506adee7a43cad4111680da2f3a5542bf48a5075

SHA512
b1e7db8576dc144528d91c8895c6c6377f1c0ad4f185975e5ba0a9d427edf89c5b8bfd7b6bc7a4a41f5db4eaf2e8335949fcd9d72ae9c9aeb051042cb78ec333

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
504ee7c39ce0f6abcbf433c989371833

SHA1
c50b10c0f1f4669350a76ee64edf815bc4adecd7

SHA256
ba35782d65df392cb2e45ad213a2b2cdb22ef7e54711e3682b694f84ceb77a85

SHA512
22f9aefb87733a495e448ee88889b2ca03ea635b31e683d71167320d1286073e5326c950982e6b4cbacc606026c8f4a7648035978410af92bb6136357efe8bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
14bcc2dc4627b170bd100e5cb3a15c05

SHA1
47a9550b9f444e3c66dfae532a523c6308dd46e9

SHA256
b5d985a5a7d232ff8e50a3418eb1f8a2075ce057c29ca87d93809b9f21da55d0

SHA512
e84a74adccc38f3b52d459551ada89851179a76b1e2849a8bdd72aa3fceb17fd941eb0c84cba812d96a5aa8cf1c6aa6c819d4664c217e2cd09d8e3770ff35d92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
8e161a26905235cfb86acaeae764a093

SHA1
77a47cc707c0918ceb139c775553e87ae8f9a0f4

SHA256
a09758299691658e75e3e652a40f1bbb760e6891f46e51eb2c860722fcf6fd57

SHA512
6050eacdfbf3439a8f68ea04c0912e9164717473343fa5a1e043e530507b3ffebe23d6914fc99d9a60a2fdf5d03dc156d9e691f32bc3236228258348878f6b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
83974512f3ba9c1c686fa7756795efa8

SHA1
509702e866d67c038f34ff73e33ac53e1237257d

SHA256
c359d002c6f21d89c7ec9f38555db736b1352c6e7723bd27557c2dcb5d111a0d

SHA512
85da6db584ca856f02e4ca925786937d156d39984b7640444d907e3309760d7869bbab565dd8e6f50c36eec7cc6513c801439120fea193083dcd03bc03cf5a45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f021670bae3272f018915c4fef014d6c

SHA1
6dd6f982a9009e45519ca769ae9b225534b6e860

SHA256
ead9c016200a1c45e6d7b0fa2e8aa275d4fe4a91722abebcdd6db43c01e144ec

SHA512
b91e5fef0353214e96cbcc81658d94f7f31c495b2bff71d24b305559bac467bbc53a0cff8a1b06aa6087c1c18369df8e6d5c2bd307c218df54497e9fb15ae420

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c01b00589a64ce91637d9f1e4bb64e2e

SHA1
ee65013424ec989cf990a6a724873ef44f3977af

SHA256
936857765672402b6cccf59d4274f0dfa7eb1f35924136a1ab11fefd5245b925

SHA512
0c21d7eca4dc1b1e3d808089f9cc892dd8acf76af0311d3ab923f61b3e21c008e4d81c03da3ea15af515d0991af3884bc381cdea75a603aa566e7de391bcb71b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
51c671b9c40119a4e92ebec8e7d85186

SHA1
aa3299d9f266bb15a2f20e71312931c02d1bf4c8

SHA256
11cbabe4a5c55e6fe9d077795d96674bfcba81147c5df3461f3b486e72c886bc

SHA512
f914bcd825616a1ec53486dff7dbb416ffeed14f92f4a4518e46bce22305d4feec667656fc1a99433c9e5434c7b9c8eaf35d58feb7318408809d91a827268419

Download Submit