d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403

max time kernel
143s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoIt-Extractor-net40-x64.exe
Size

1.2MB
MD5

205792ce0da5273baffa6aa5b87d3a88
SHA1

50439afe5c2bd328f68206d06d6c31190b3946c6
SHA256

d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403
SHA512

186f2fac650ee02683c689b0c04867a30330a5475475b106a2aaaedc5e2fa3c9325cf07a2c5321044f5aed1502d729d1d9537ac57bf7733cc228c44ceaba7821
SSDEEP

24576:pcdWeAKpCklFpaQ3vGvW68WxOFxT6YP7KPU48YNL8SsbJDeAKpCZG:QFAcdFpa068WxOFxT6YP7KPU48YNVsbu

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607705240276607"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	firefox.exe
Token: SeDebugPrivilege	1984	firefox.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
1984	firefox.exe
1984	firefox.exe
1984	firefox.exe
1984	firefox.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1984	firefox.exe
1984	firefox.exe
1984	firefox.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1984	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 5072 wrote to memory of 1984	5072	firefox.exe	99
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 3492	1984	firefox.exe	100
PID 1984 wrote to memory of 4420	1984	firefox.exe	101
PID 1984 wrote to memory of 4420	1984	firefox.exe	101
PID 1984 wrote to memory of 4420	1984	firefox.exe	101
PID 1984 wrote to memory of 4420	1984	firefox.exe	101
PID 1984 wrote to memory of 4420	1984	firefox.exe	101
PID 1984 wrote to memory of 4420	1984	firefox.exe	101
PID 1984 wrote to memory of 4420	1984	firefox.exe	101
PID 1984 wrote to memory of 4420	1984	firefox.exe	101
PID 1984 wrote to memory of 4420	1984	firefox.exe	101
PID 1984 wrote to memory of 4420	1984	firefox.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe
"C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe"
1⤵
PID:4700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.0.282772492\299268200" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {279466d5-eb47-4f39-91b0-fe85824851d5} 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 1852 29d0af23758 gpu
    3⤵
    PID:3492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.1.1092675982\2093596326" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {516f6bee-e564-49e1-a606-5d3637b831a5} 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 2420 29d0b47a658 socket
    3⤵
    - Checks processor information in registry
    PID:4420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.2.1759684058\173196167" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86c0c192-d211-454e-b6ac-3ab7d7c3fb6c} 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 2988 29d0de19258 tab
    3⤵
    PID:436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.3.1562938005\1892607048" -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f346284-27a3-4d9c-96c2-38b2adbebf75} 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 3676 29d0fe04758 tab
    3⤵
    PID:3524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.4.583956452\266220578" -childID 3 -isForBrowser -prefsHandle 5172 -prefMapHandle 5308 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f798de7-85e3-4088-a81a-8f0a43c3acdd} 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 5184 29d0d4dea58 tab
    3⤵
    PID:1080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.5.1927480788\1976574322" -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5496 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b875dd8a-cb7f-4563-8149-cd923343bb5a} 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 5508 29d1245ec58 tab
    3⤵
    PID:3016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.6.1686171138\394375127" -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5624 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ba974a7-eb5d-4fb1-afb6-e2c8ed221a0e} 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 5700 29d135d5858 tab
    3⤵
    PID:4640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.7.542607061\463790001" -childID 6 -isForBrowser -prefsHandle 5968 -prefMapHandle 5964 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4497f79-1871-4c89-9509-1413020a63ec} 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 5976 29d14071058 tab
    3⤵
    PID:5072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.8.396875889\1447695330" -childID 7 -isForBrowser -prefsHandle 5312 -prefMapHandle 5176 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a43925f-a67d-46b7-b0c2-486429f082b8} 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 5388 29d0deec758 tab
    3⤵
    PID:5620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.9.1000088921\987289513" -childID 8 -isForBrowser -prefsHandle 5552 -prefMapHandle 5184 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cd0c2b3-c6db-47db-8beb-5592e7f25d64} 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 5544 29d7e188158 tab
    3⤵
    PID:6016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffee4e5ab58,0x7ffee4e5ab68,0x7ffee4e5ab78
  2⤵
  PID:5476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:2
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:8
  2⤵
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1384 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3904 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:8
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4248 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3520 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1992,i,7704986191567961137,3414268448868890090,131072 /prefetch:8
  2⤵
  PID:4420

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bb885bd5f2f72446dba5e2bce61789e9

SHA1
60aaeacf6fac3521fded25d4c25f585b8c6a2de9

SHA256
77ab0074d7b90dabd2cb6a1bae95b2d9245a647f1399dafbbd22d9c5f13bce6f

SHA512
38c2dacb3d0947c5dd2be022585f9b4dbe4c27b9bca3761ffe254e063953e4ca5e86768189fe4c33231f556378ff63131e8f287cdda62751bdffbdd6e5e5368e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
84540882718b27499b565155d494ac91

SHA1
ff9913b024c318238970aa5716c736488606f7be

SHA256
82c5512231ea0cc4b11c09484a0589a816ab506092b3e424c1283bf4bfae8b85

SHA512
56e510b26ec1c317ab46d84c0c94113e3581d97ead32c848a8889acac8b7930b9c993f407bbecf858b7ce055ce8820fbc9525b615be97551d285ef4d0072d2b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
db9216412e97ec6c5c996651b3e795ac

SHA1
1f5867bae0d3e70dcd7ad52c608a401d81b90bb1

SHA256
350f0d52e9eeab45ba28b0d54a15b8be606493b0d01838ec1ed111153e19edc5

SHA512
b55693c4389d4cfe839680dc7e773326edbb359b212e7fc42d0772fadc14c598fd348e668f121eb9d8bddd8c60d3aa81e61b4ae13b9fb6087a31713c5249062f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
7f33cc0401b744c64a8f65499164a829

SHA1
840a5b434ddba0d3217c3b011f17f532542191ca

SHA256
e3bdc6007361dd96d4d43c0ada2652d8bfb14a1ff6e503201930a31c02536f36

SHA512
b68f0807183ad7f6ea99d722677f78039cb6ba6bc5e6e6fdf9c97e0ee62725e318e53abe3090f4b746c10b51e8be7560549083c19f3a06186b4448ce0b01afba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
ed5c109c0c5208558f1638bb37f6e67d

SHA1
3287ae0c003164fa453d33efff0e32a929c10d0c

SHA256
6e8dab5eaa81d99111139adf7e8a9a8699c299dd68dca097954ada93d9465767

SHA512
c18c3c87f734464e978a7d6c3248aa7fd0449ab3ffba8fe2ba126fa60bc8aca1091a9ef2097ae5603671fd2c4e482845cea2dec730e90e6fdc23900344740f7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
92KB

MD5
3e2932fd3e5522d81364d4d241647a3b

SHA1
247fdd4953f74967429e086c534d9b2893d72bb9

SHA256
03269a88eda450beda82a8e8d3f86a2f68b0f0ef45ffad0cf98923f62e6ae2ec

SHA512
53998ae2b8304af5a22edc5af2c64713e689ce3ec3cddcede082f468d846740b1195b1c04469bfe7d5b98b4ad2b7229f3a7ae6406502cbcf4b2abe96bde1ff7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe592486.TMP

Filesize
89KB

MD5
1aea5501c8011e2d4a6b452e85720de6

SHA1
73711c8f57120cb0dfd9466c120854d76fdea185

SHA256
2eb457231cc2e42ddb6aa8da163c110712d7adbe25139f5cd8b9a168128e1814

SHA512
5128ae56d327606d64d4fc2db29571c1d15c6d305add31e479a640e9512e876e8097a0d0164ae3fc5fe7f9f180dd4ce124a20ac80fe558e39bebd0cf97e61927

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
bbbd49219ef4a1a2278154300664cb01

SHA1
4abcb74dfa27a712c3e8385c87fb07d807d9cff1

SHA256
b5f5597d0ccd26deec32fb38c07bae2638554b76f02d16360ab6d30b013a879b

SHA512
206df0feda8b43ef53178443f5ca4233c1a7a014ff34ef6e7ac83b44f08288f9f6d7f03926df07b7ad1965e2a8d26f54916eada0b76b3962ef3d2924a2124d75

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\cache2\doomed\28645

Filesize
15KB

MD5
8ddaccb3ba7dece5f8052161b889f999

SHA1
f2a16b1065da4eb81d2d052349b2a959a542de2a

SHA256
2fa1e2ed87340171e71c55a62b492f52abe07b7c207ec0612e84375e86c16e9b

SHA512
41deeb6d587b650c07699424eb98d50bb98e29b9c0bb49781c7b361d89e4a2d0a670522ae21112ebb5c33d95cc4cec77f9c0fcf233a7ce88a397c89591539f97

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\cache2\doomed\30677

Filesize
21KB

MD5
7e4c80b703e5e3463a8c2840dcf74490

SHA1
a2ea5f1539ee924474ccd2f14e4b685faf1b5859

SHA256
3b29e9c26458718fabb3d915bb07165e83a6d0ac6e3ac49c79c407a8328565ce

SHA512
921f45b4adab88c6f49b4fc6cbee645cc9c60092992ba743cb0fc7dfdf04bb1a2e985091de77540120a99501f57a5fec4aebc137c20d6878882a13370dfee078

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\cache2\entries\F3FB44F84307DBF3D6A29BDF071427A7858CB98F

Filesize
103KB

MD5
50d4dc674a994199badd087eaa64d777

SHA1
8df1509a2667bde86501e17fed3963039dbc9840

SHA256
bc587cb967db118b35cb976a11a41150c8af8744d62eabcf93009f6e21c665cb

SHA512
79272bbd2775fd339a57ee01234f37c3bdf118f9e23157ce5f3f6128b0370e5e65c7d6428dd9102a92d62a261f78cf0fca4f700df19bd8b338601e09b27cdf79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
6KB

MD5
af00d6d98d0521c549feac8e718c6a6c

SHA1
ffb79d36bb9b87d3065266387084847645688ef4

SHA256
d1a490f764af48a2fd1987a8cc4048e8a0c5ea065e72027684721fa3b98d5daa

SHA512
495800384e7ad5fa31753b11d9cce483b9ae3143496484aa1f76fc188245cbd1c64f20f9147fbb7c41811e005bcbdce59c039c2eb6583fd6001c78b9b824786a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs.js

Filesize
6KB

MD5
734bfda52b0981cc2179d10c716589cd

SHA1
86f700ecd48a70226bb738793804332cb520e33c

SHA256
d99e05fb60217070f1170a7f7ef904be58a9da47370a17351b4073171a79b2ed

SHA512
45fe76e090e6fe358c53160af9f67d5f7f88e94e97349185d47f1f88a9dabbc49da86963a5facdead14df84a3cda20d061ddcb85e665befaa25af5803ae6dac4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
65439053cb1c18b14cff3001770e62ff

SHA1
cf654c48bc42dc1d1e0d95de2ec7ae55d41791da

SHA256
1fd9584c17f8488c671f2caece0965f7748921ac800bbe5673510165d5bce4a1

SHA512
0ec6adb8b56e0fd0894d066b60672aa0c705a33746d0e324b01cc29b5bcf2321f6bd01b6f336034d90165e7d370acf0e800abb1b8b8272584a52120779ca80ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
74d89882ecdae16ca093ffdc526b900c

SHA1
24af306e62361a757b190f543b5f85d67222dbb3

SHA256
752dd82ad842853bdb049f75ed04eab56249c535d155b470760620a445d4eb5f

SHA512
6bec13d9bf8253edda93f39ebeb8240593c5174721178c09cc9fed52a987ff27083ae3edb17153e38fc4f5f1fea4f650c510a0c90df21f648bd1f60adc4fa173

Download Submit
memory/4700-0-0x00007FFEE9C43000-0x00007FFEE9C45000-memory.dmp

Filesize
8KB

Download
memory/4700-4-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

Filesize
10.8MB

Download
memory/4700-3-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

Filesize
10.8MB

Download
memory/4700-2-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

Filesize
10.8MB

Download
memory/4700-1-0x00000000008E0000-0x0000000000A1C000-memory.dmp

Filesize
1.2MB

Download