6dd816500911d664ef74b5a5e726916a223581f94eb8615f983ea4d7570199df

Analysis

max time kernel
96s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
30/05/2024, 00:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TextInputHost.exe
Size

30KB
MD5

c5265ff0e7ec1d77a52a81224252fe5e
SHA1

53015f370e5c1ac84f6525066790976bba443d71
SHA256

6dd816500911d664ef74b5a5e726916a223581f94eb8615f983ea4d7570199df
SHA512

af9fa8f50ca0f749b93c3f5d010934ef0a4ee94085e68ddbf149c651927d942cd776213ca880412720e011c48fd7a6bd1562a22dce905054af1507721731b219
SSDEEP

768:n2dHTZ/fNEzPmjp5qsk9b1lij/4mLWwrQ9abBq0excH:n2dt+jmjXc9b1l6JlQSq0JH

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615012522227660"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeDebugPrivilege	984	firefox.exe
Token: SeDebugPrivilege	984	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
984	firefox.exe
984	firefox.exe
984	firefox.exe
984	firefox.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
984	firefox.exe
984	firefox.exe
984	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
984	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2712	2528	chrome.exe	80
PID 2528 wrote to memory of 2712	2528	chrome.exe	80
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 924	2528	chrome.exe	81
PID 2528 wrote to memory of 4080	2528	chrome.exe	82
PID 2528 wrote to memory of 4080	2528	chrome.exe	82
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83
PID 2528 wrote to memory of 2040	2528	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TextInputHost.exe
"C:\Users\Admin\AppData\Local\Temp\TextInputHost.exe"
1⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Desktop\ProtectMount.shtml
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb947bab58,0x7ffb947bab68,0x7ffb947bab78
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1840,i,5109882435604639059,15235990466652452338,131072 /prefetch:2
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1840,i,5109882435604639059,15235990466652452338,131072 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1840,i,5109882435604639059,15235990466652452338,131072 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1840,i,5109882435604639059,15235990466652452338,131072 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1840,i,5109882435604639059,15235990466652452338,131072 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 --field-trial-handle=1840,i,5109882435604639059,15235990466652452338,131072 /prefetch:8
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1840,i,5109882435604639059,15235990466652452338,131072 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1840,i,5109882435604639059,15235990466652452338,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1628
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff64bf6ae48,0x7ff64bf6ae58,0x7ff64bf6ae68
    3⤵
    PID:3052

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2568
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="984.0.324565161\1371815001" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a381657f-5ca8-4a03-878c-773b4f70a65a} 984 "\\.\pipe\gecko-crash-server-pipe.984" 1848 2802430d758 gpu
    3⤵
    PID:3676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="984.1.2046796165\349486254" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49468c90-6b06-4362-84e3-bd74726191f5} 984 "\\.\pipe\gecko-crash-server-pipe.984" 2372 28017485d58 socket
    3⤵
    PID:2396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="984.2.1332018258\1451257565" -childID 1 -isForBrowser -prefsHandle 2716 -prefMapHandle 2708 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c35e3107-f59d-4be1-9daf-7836cdd31ce9} 984 "\\.\pipe\gecko-crash-server-pipe.984" 2924 28026acde58 tab
    3⤵
    PID:3344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="984.3.1640906853\1756668733" -childID 2 -isForBrowser -prefsHandle 3348 -prefMapHandle 3260 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfee0fc8-8892-4b89-98c3-ff1259545bf0} 984 "\\.\pipe\gecko-crash-server-pipe.984" 2520 2802971fe58 tab
    3⤵
    PID:1556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="984.4.219963911\1323089430" -childID 3 -isForBrowser -prefsHandle 5148 -prefMapHandle 5164 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd43d3d9-36f3-4ceb-8093-a9a11790dd89} 984 "\\.\pipe\gecko-crash-server-pipe.984" 5152 2802cec5b58 tab
    3⤵
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="984.5.1383059243\15482643" -childID 4 -isForBrowser -prefsHandle 5260 -prefMapHandle 5020 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c02bdcf-1864-4995-953c-857c60c1efea} 984 "\\.\pipe\gecko-crash-server-pipe.984" 5308 2802cec5558 tab
    3⤵
    PID:1236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="984.6.1629836330\1259179545" -childID 5 -isForBrowser -prefsHandle 5572 -prefMapHandle 5568 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f44b876-eb7c-4c24-ac85-fd0ab7bd80de} 984 "\\.\pipe\gecko-crash-server-pipe.984" 5488 2802cec7358 tab
    3⤵
    PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
970B

MD5
b6f9af7b0f16c9c1369009d452a3cc67

SHA1
51b635794eb1455c8e4bb6889295a8925ec6a5fd

SHA256
d06f10839b4bf2a3709ce502fc9a972209fe1e74e7371ca5639be1d50be67ec1

SHA512
d18c0cd4ece87821f8b0409d0e8390cd37a2b8e16233c2107a746aaa0127db33d6cea4941cadfe95c48d301d41fffd5784194645b3a1703ab2d47ad92e385971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7780cd0e25171cf0ad7969418007734d

SHA1
bee8209b7154f18b56314b62f6f37a89c9a18868

SHA256
5b7d6d28e37aab715f1a0a93907a2b9878acd977e6341405274a03e2fcdc1058

SHA512
fb50699732e8e6bc26a5537e047703462567c5aedee8e3c4e845b50d607092ae87204f6ecf1bfbf4c2760e5d658892ef3c68efa11c0a9c8930b8a98f2cde010c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
48ccfda2e4809295967576e7609d2ee7

SHA1
73821ef3a641e626a2b44c13a35b812da152a6b5

SHA256
42d8aaff9a36a7d24c618fd730ef9537f502933acb0d13a12a482046f588a94c

SHA512
d921f003a9af31ce3b9ade07cfd8b9c54182ae3574dd755657cba69ab5aa079a4de3d059e8858befadeb301b2cfecc2ccf246cb304bd0faf70bce5d143776719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
08c49e185188df2ce7cb7ca39cc1cb12

SHA1
3f6be6a6df518da158839b4d9d074f5f291f09e0

SHA256
7dd70dfc64dbd6d7ec3e17365266a1a678380626fd557f005a09c6e0157bfc98

SHA512
0c4b90349fc86ca294063ffcd8ffdd811b7f3e1d966de5c8992d0d4cbda1130b0581f71121bb4a25c5f1c923cc383eabd16486cdf7530e94a5feea1ecf5fa805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
5c0d45b0526991c82526177a02dceeba

SHA1
8023c874b2a6f3abd885f491daadac3ef9f0edfe

SHA256
d48eabe129b493f1833704933ff9c30b89fc0e2069397dfa60bd3483f0170525

SHA512
adc0dacdababbd9c742e80760e65e3fa7cac75cf329b8fa4eaf8953ada16c501161ce6899b1217fb95081dd8f18177a4a852579bc83bb71c99dee1b195937363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
0f541a79fa3838f240bf0aac3add2ab8

SHA1
301e4df4e839b7a3d4b8762b9cbfbda9877c0b87

SHA256
43a11c5e1afab9e8522b6ecfca2a66959a73c855950267a58a435369e0f2c7d9

SHA512
529904d26c2b6b55c6f66f7577f1a003d86110f6dca761e8181895553632744c44592596daae325053761625e2c2207461aa6b82814f2fc505594b81617d50e9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
eb682e6c203bd2b7bff729b9ee89ca24

SHA1
fc67e24f369fcb7ebdf03a2f4d1582787f3521e5

SHA256
1bcfe8f05536ce886c97e58c2313c746a5c0fd538b91fb7085b2bf09a54e9cf7

SHA512
dbd9015feb42556f54d342ef141289db3ca8904f91daf4f3e90d15b0271f58922dbcabe8e47a21b9720d4f3ed07502cd9c77b3788aae21fc64bc83b32d8ca4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js

Filesize
10KB

MD5
c1f859e668ca23a541a224027d08b130

SHA1
306c18a6737f2e6ad92003e7dba02b9d0e74eff0

SHA256
3e086732290e457fb8aedda889d0774f983c2192e5594ddccf1a9d8ff0a45fd0

SHA512
33daf643ab40a545089be90bb4b5ff05a0b634ec1c21e7400e575ec619e8464560f395d937d5c23624c371d27f4c7bebeb105392f873aae6621de1f2b60bb0a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js

Filesize
8KB

MD5
02d095b5be4177e0b4c2def95684e594

SHA1
eb4fe6906da9922f75a5eb3f3f4a462b665ab85a

SHA256
586f63a59d18e859b74f87c2874e2f8cbe3b4a3f6cb57d6be610a0565e861e8c

SHA512
95d20ffb1ff81bec10dcfa0d7f7b186c677cf432e96748e98b3874b304d267cf421019615d0ab3463b19c5773d0244257818fc74f978d88e1ae90b9f17f13a73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
90747701c6f980fb19486e5674dbafe1

SHA1
15ccabe9fa762e836e4cd39138ef3b27ad01a67c

SHA256
d94cf490f7ca563ddf1bc785e16c35008f0f72f4c420e96c706b6934bbf25b46

SHA512
e64e86e2d18723aa7085f730ef16cd83c59c1ee6cddb196a54951892946b0fe80ed4cdd4e4295c94b392ab39123bd6cb46b4b6f1a6698a288b9f827ee5a23db5

Download Submit