5233e067e0204a3356be54e1ae8a3e6484009f17164898710db6312cc91809b9

Resubmissions

23-05-2024 03:53

240523-ef2zpsdb69 1

23-05-2024 03:52

23-05-2024 00:07

23-05-2024 00:04

22-05-2024 23:56

22-05-2024 03:59

Analysis

max time kernel
1799s
max time network
1731s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
22-05-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020_jjk_256_28_018.png
Size

1.8MB
MD5

bdab4cf08aa821038ded126aa95f0085
SHA1

aba24f7d88e776f1866b4cf0c673374bf4b9ce43
SHA256

5233e067e0204a3356be54e1ae8a3e6484009f17164898710db6312cc91809b9
SHA512

d0697e2dff103b036d40de009a008fe1c8443bcfc76e4ed1ffd9f24e5e6bccc745c06a066746a79efb60fa8e0d1c01a130424ab9d24c0efa2521890bfd3e8efd
SSDEEP

49152:X7D3F5MzF5WbaT7hbILE8EoQGhmitQxTzrXS:X7D3npa7hcw8DQGhFQxTXS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608960082431283"	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3544 chrome.exe
3544 chrome.exe
1952 chrome.exe
1952 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3544 chrome.exe
3544 chrome.exe
3544 chrome.exe
3544 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	firefox.exe

pid	process
3544	chrome.exe
3544	chrome.exe
1952	chrome.exe
1952	chrome.exe

pid	process
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3376	firefox.exe
Token: SeDebugPrivilege	3376	firefox.exe
Token: SeDebugPrivilege	3376	firefox.exe
Token: SeDebugPrivilege	3376	firefox.exe
Token: SeDebugPrivilege	3376	firefox.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

firefox.exechrome.exe

pid	process
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

firefox.exechrome.exe

pid	process
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3376 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3124 wrote to memory of 3376	3124	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 1408	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 4604	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 4604	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 4604	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 4604	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 4604	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 4604	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 4604	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 4604	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 4604	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 4604	3376	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\020_jjk_256_28_018.png
1⤵
PID:1216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.0.1057248033\1340930570" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bdbcaa2-17bb-41dd-85a5-b19933371af3} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 1876 1a650b0fd58 gpu
3⤵
PID:1408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.1.1963171796\361397032" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4396f88-460b-4f9d-b01a-48761d7bc42d} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 2404 1a643e85c58 socket
3⤵
- Checks processor information in registry
PID:4604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.2.1622618734\536992270" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3112 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1328 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55768dfc-a25c-46e1-a679-aaa7ba6506f3} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 2916 1a6534f7758 tab
3⤵
PID:4480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.3.1365319936\425490274" -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3544 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1328 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {405cb059-5a6d-402e-8564-647e825deb23} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 3556 1a65618f058 tab
3⤵
PID:1612

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.4.1623084159\597991297" -childID 3 -isForBrowser -prefsHandle 5004 -prefMapHandle 5012 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1328 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc72129f-c8e3-45a0-99e3-920d1e509b7f} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 4996 1a659182858 tab
3⤵
PID:2456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.5.100705815\87582634" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1328 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62e1eeb1-e071-4841-9607-6650d524d395} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 5240 1a659182e58 tab
3⤵
PID:5072

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.6.1268610004\1160545681" -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1328 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ab2447c-b5a6-48db-bd55-ef65aea6464a} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 5432 1a659183158 tab
3⤵
PID:1760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.7.171173907\1020083895" -childID 6 -isForBrowser -prefsHandle 5908 -prefMapHandle 5896 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1328 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aa50b42-7f80-4435-b636-1f401acd2b3e} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 5920 1a65a43b858 tab
3⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd1a4fab58,0x7ffd1a4fab68,0x7ffd1a4fab78
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:2
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:8
2⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:1
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:1
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3544 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:1
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4348 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:8
2⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:8
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:8
2⤵
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:8
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4100 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:1
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:8
2⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:8
2⤵
PID:984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:8
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2908 --field-trial-handle=1844,i,14221163919931995478,11081619905596385248,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
dc255d4fcbef506a61b4852ba458da9c

SHA1
e4a39668ae142016ad1ebe31ba849fb3ca3bbce6

SHA256
e1d3a805f754e69b0a8214e4a26d560296c27e19f55c08586d3422cd25d97f25

SHA512
25c2068fafe8e010e67c92fd8e30d1d772ea769b12f868bc20f505b7943cca59460bfc9d419816c6a6d2d7bac7e1ca315b74daaaaf9e2f7b7615f6b2cd3a3e89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
ea6f760622319889f6db24617ebe3ac3

SHA1
f4f3e5764dc96af7089bcb50cc5671412ce35558

SHA256
a539bbdbf127a12d400b6a32a8a691915c52e05c8b4a94ba484a9f5f35e5d2a4

SHA512
65ef721df3c5f4c7d5c18a346c120357486e8e9a92b6f9c775f90a4c4c0f40cc259d0a9317edfb2b543a525d3dabc0f4506c6623f93cb1033fc98983b4b006e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b46cbc9dfda4c47f9e82dbc3d03d1e0e

SHA1
f88c3e3d14c6dd663629cd596e4b32d2be6c46f0

SHA256
467f4bacf50ef858cb96539c53ccebb2d12e2b7839f43b61cce40bd6ee3bdbd6

SHA512
2255d8fc70f4c7b69697a4b22f63462b808ae87cf94212ed064e2efbf9ac9836ad0947f73fddbf47b8c3944e11efaac3aab2f16312c2ff21f174262b7995a75f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2192b9eb9c3b1b356ee7daacb13a336e

SHA1
5e93baeb5aae944efdd067cd731ee8b26c553892

SHA256
9d8b6868aa105a84121061bae73793277a38257ac8f7f92e307558d550cf0082

SHA512
e77e7d240ffe81432c117ca4705626eefe50ac86968af26e62e462a3cd311304e7d0fcd7aecbc8259ef56e1052045a8e13916463fac7ba727c7682aa1df815ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bd857416a28abf3c1eb55c3cbec656dc

SHA1
b380e35a4cf7220a8bb84d78df890514c68ea954

SHA256
5848958fee7f9be054b11ec98048ae9c68bc4312b78d757e84a7e09f9f2d83cd

SHA512
77f21f72ae284b4af8f206a951f2598012b45c553d70df1d33a1a38ce220a5ce5b7c7fa24c43a497ea767a218f3e3110f80c45e7993c256d53755ce0a9e30c05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
aa2c711f41d0406ee68d254d2be8ac96

SHA1
4c71802a01195e12504fb310954a91698d796d5f

SHA256
a9f9c10bce2b96d95bbb67e900cb0bbecab02e663eaf125e3f0542ec6f85e457

SHA512
5ede3437c4cd32197f5019dd6ac750061188330dc39dff501f9e30558f56be9b0ded8729504f0f94243307572fcd85b573bec46d51d76f0e412936ca3aab6bb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
76c7b075fb4d34e733bc9b4628b9a256

SHA1
6a99f2484d304d4b6db5712f12941c5ca6c7fdb0

SHA256
13e1ba9de419937e79ca36d993400611e6a72a388f9907e18b99bbd03613088b

SHA512
03661bc075cf4447a8df031a6d75fb116c25248905488c17240d923c6144cbeff917ee629c0164800a5ae253f70a875d9d0fedcd7751dec986b8672dad88f2ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
83dcb7ac528cf95ed1ab79cb8839ba52

SHA1
d7a2a3422b7aa53a210fefeacdcc894415de37a3

SHA256
f272b4bafe85f69d4933a6484c7bebc1f6b4b114c0497819407642dcb5ac4fe8

SHA512
a144786b87a9cade49ce4ec1c8ca9f2fc4f41ce2a3bb72815a33af582e30f995c75e24aba98681782e24e9d3a2899fc196af75307c7f09939179f61506063892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b66a3c68afb53de0043501a7df9b48db

SHA1
6997d52fd5ed6d4d078ec5f51be5a51bd569e913

SHA256
45186cb45b595598202c5b13e13769995faacb4afa202ac54914c3e689d0fdcf

SHA512
e5ae04955dd340db3a631ede92f1dd67b2ad8bd4f4b117d92352ce50d9ac1f41f3202ebf34ddd20e976a70de30c221c878356d7b8341884c6a9018ba4ef8e79c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9495c3586bfeb6bd4b5ee9cb9c998bc9

SHA1
93798d664e7c9a32f3d7baf7e7ad910d586edf18

SHA256
5830e11698e97dd0da22b6504619af2a6497db4d46b948b9b0d4e4bd028d57e2

SHA512
bd41ea2c7a428f5ae26c6409963334115bd11929174c6c349666072439d16016b39d319634288bc1f5476f273934917724331b3be8a624eef9649d87b24c56b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
67a9ac02c88d35623ed2da1ed4aee750

SHA1
781977676e9466eb0d61af2b7b991ddadd3e2a47

SHA256
ab11f1f7505908f1ca6856b3019d0e57baf2abca410a689a0451e92df1bc18e5

SHA512
cb0bb1bf96d700e2288161745dfccafa2c6b9c35774286c79be546ef2e3eea9c4fc3990a3f2522d19559edf3ce5512cbd9253d6a1df80d0d21b898251cb0c3c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
89369adcf7b03dc3ddb1ec94aa5f178e

SHA1
ebf28ea7877d4dce45148c7e8cccd87c6c77b2b2

SHA256
4ed924cc71e31ec45b21b8751563b2734030dfd037f4a2c7ca4bf65e90f89ef1

SHA512
8758a11f74a38fe473191659075e7c45d7d9b922b52cd01ee1818a7b8c9db23d5a590d3d45d5998ea415b24859193efd7253975f74301afa23c0a4aa60dfc64c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
94faf622d5d352821af7288fd126d6bf

SHA1
c87a91c059b46c8d6231634164828ab59f1ac01c

SHA256
45bd4923fcd6fb5e8b117882db6975b865b1d54be2722e03898ccc26d9dc7c43

SHA512
962b8841e9f61fef639c92e41104677047ff8e26181c1cfbd79f2321f33eaff6fdb6a2c5bf639baa24b8aa07310972f55e9b51fcbe5ad881c2c3c89b7b27a410

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
9498d19073cc71ca5ad3fde5a7eed0d1

SHA1
f03520cffda237cde3e5d3dbd126d646bccb626c

SHA256
d57c134bf529782c0e711344fc54fc27116e7754214ecbb1ccd6f81f12c29da5

SHA512
45fb3b7e3d09b94e3f576c48134df31e8e16ea38ed597fd6c9346126839f1cda58d266f5c595e34dc900ceb22a6a6fe17fd4346b46a4e1646efd4cd6730c5943

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\entries\A27CC73CCCD824F5EDA1C255E8D398AF51E6A9E5

Filesize
60KB

MD5
bbf12579adef18743f3c74f53a9d95aa

SHA1
6f0833f02d22bb56e144138ec38b023aa1efd12c

SHA256
e84555a161c9f0c7deffa0c3447ba1b3ecc54c4424c50f25a7077edb6e51bd35

SHA512
dd659833d2ff63e09d04e3317c825a96624bea35b325aab10adf394b50579bdb333bd5c360b15d28b2a10aad87098500406ad025dee42686949eca3e35ca7e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js

Filesize
7KB

MD5
f4cbf5358a35e56f63f624b699fe9431

SHA1
f70fbd20e06369638f2adb62f352c388fe6546aa

SHA256
db031b41adb34ae78cac02b11ac4c44ae48320b666d7788f9cef953aef1bda9b

SHA512
47bd70d9611dbab71279bf35e6b4fbdae0e210a854189a5ad85475612c159775e515220a954b3aa3f7b35b281591d87649fe15fd4ba01e4f847cf5187ab224b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js

Filesize
7KB

MD5
38efa5c5aa99156e6f607ca596c3af77

SHA1
3d16ef5fda54ea486360359c48a7d80f6af07699

SHA256
0b07bf3c38dca4dc6253f91ab459002a78284da6e6cb847d9b6da150370aa191

SHA512
6314b182efe8784b91a5843fb6cfa79679d7826ebdc88d9886c4d6f35164473672f0668c0f422ca200a920a5ffc17fb5c03ca797a9c441c468ae58be1ec1d05b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs.js

Filesize
6KB

MD5
35ef6ac9e19318e41a7011a48cc95a8d

SHA1
bdfb4a5550c330fec5f7310d1657ae96924ac2ec

SHA256
5aea57cf50cb6f368ceb4a54ebc41eaf79325d32d5aa4f8bb56e9cd37cd0935c

SHA512
460ec811a02c733546bcad28a01e740193a4238044483afee0c42c6b16497c65f1283563221113571f29935548e4560442a45330834c7fcb2ee403f54b5dd984

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f75313acd184eba4dc8137566aa76f58

SHA1
1c57a331413475fe42808d59d5b6fac91659ca08

SHA256
fb8c53eb5726f3edc1b8fcffb0bba1e5748575c451836f9d879cac819059cdf0

SHA512
ca5d508b9fcc46e36785d0645e9a39bda8ac8bd25f6b0bdc6723f0f37d6de68508f85c7d7d4665a632782e7213c429ea98f7176d346052f9c4e4d0c25db0c313

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
852a333d69a71a3e0055a35032b6dbf1

SHA1
9439dc9bde6b3fd4969484e0489d1a6b4e92acf8

SHA256
2ea46cf99ea2a73c6a0da6dbe72e9c0bcf197bed778b27cb8533381668ecce32

SHA512
b5b04c9159c6c0502bbfce3a513e636d13431618dc054997aaab4d92909bb11e836f913457d843cbea67a153156bf3bbe1a837ae0e8fe1231356847e4f9b436d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
83924598f3b316a1df470dec921fb2ed

SHA1
4046a9d116687f1b87875949af7f5ba53c53ef88

SHA256
45e05e07a556ffa0252f24073e9c30ab125663db576bb9691869e75079ce5537

SHA512
d0c4f81a26fd7ccde8b2d374b907a897ef0238664f81a8746663847b65153030217f74d621cefd231ba3cf68c6b6e6b7f6350cb3b142d930339f8458c2132ec5

Download Submit
\??\pipe\crashpad_3544_OSGGCGEVXAGXCBXZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit