ddf3ba1aaf3a252bcec7be7c45a3792f80d615c85ba75cda419929641ffacd22

Analysis

max time kernel
51s
max time network
62s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 18:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

youtube-dl.exe
Size

33.5MB
MD5

1c6f56e5ef0f6f95072a7161a01b3378
SHA1

f7d6be43e8e3172a88f529974c50caca297e93e7
SHA256

ddf3ba1aaf3a252bcec7be7c45a3792f80d615c85ba75cda419929641ffacd22
SHA512

c93623af01c39a2ebd31da1dfd89e7875dfff8742adf7597ffdd400504ab0a652325bf42b3de52ff2576ca6de669e96f3a3207076c0d5b167facea7dff3b4a08
SSDEEP

393216:6ybRbwi/zUu2jerSm3nfa1IvweZA7h1LBxegOCpRVkPszYOFrkMfHovSVJu9VY3V:5bRXv2jerFncIYRagRRVkPszYI3ffDB

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2796-9-0x0000000140000000-0x000000014192D000-memory.dmp	upx
behavioral1/memory/2796-12-0x0000000140000000-0x000000014192D000-memory.dmp	upx
behavioral1/memory/2796-13-0x0000000140000000-0x000000014192D000-memory.dmp	upx
behavioral1/memory/2796-14-0x0000000140000000-0x000000014192D000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2796	youtube-dl.exe
2796	youtube-dl.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2796	youtube-dl.exe
2796	youtube-dl.exe
2440	chrome.exe
2440	chrome.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	youtube-dl.exe
Token: SeDebugPrivilege	2456	firefox.exe
Token: SeDebugPrivilege	2456	firefox.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2456	firefox.exe
2456	firefox.exe
2456	firefox.exe
2456	firefox.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
2456	firefox.exe
2456	firefox.exe
2456	firefox.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2572 wrote to memory of 2456	2572	firefox.exe	30
PID 2456 wrote to memory of 2196	2456	firefox.exe	31
PID 2456 wrote to memory of 2196	2456	firefox.exe	31
PID 2456 wrote to memory of 2196	2456	firefox.exe	31
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1960	2456	firefox.exe	32
PID 2456 wrote to memory of 1660	2456	firefox.exe	33
PID 2456 wrote to memory of 1660	2456	firefox.exe	33
PID 2456 wrote to memory of 1660	2456	firefox.exe	33
PID 2456 wrote to memory of 1660	2456	firefox.exe	33
PID 2456 wrote to memory of 1660	2456	firefox.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\youtube-dl.exe
"C:\Users\Admin\AppData\Local\Temp\youtube-dl.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.0.1843894036\296557756" -parentBuildID 20221007134813 -prefsHandle 1280 -prefMapHandle 1164 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89383a31-b139-43c5-9aa0-b45b70d54d9a} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 1344 113dc358 gpu
    3⤵
    PID:2196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.1.1421407647\646338576" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5c38b42-936d-4d8b-86b1-5948306d20dd} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 1560 f72b58 socket
    3⤵
    - Checks processor information in registry
    PID:1960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.2.1278825641\888720951" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 620 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7bc9eac-315b-4680-8416-a393426a9e58} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 2108 1135a058 tab
    3⤵
    PID:1660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.3.1994399340\1977178595" -childID 2 -isForBrowser -prefsHandle 2064 -prefMapHandle 2488 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 620 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5607e5f-013b-4075-9144-178bc8d27fa8} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 2484 1af73658 tab
    3⤵
    PID:2076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.4.1890384242\15642737" -childID 3 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 620 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a550a2f-87b1-49ae-baf6-602e350bc7a1} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 2928 f62b58 tab
    3⤵
    PID:1720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.5.332584879\1049182909" -childID 4 -isForBrowser -prefsHandle 3768 -prefMapHandle 3764 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 620 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a0c042-9057-4497-90fc-2fc1aa39397d} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 3756 1cc06258 tab
    3⤵
    PID:880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.6.347958889\339302751" -childID 5 -isForBrowser -prefsHandle 3876 -prefMapHandle 3880 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 620 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {decd9bc9-c22c-466a-915f-78f52338da4b} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 3864 1e7c4458 tab
    3⤵
    PID:868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2456.7.786351520\456439228" -childID 6 -isForBrowser -prefsHandle 4056 -prefMapHandle 4060 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 620 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {141befc2-9730-4467-a2fc-2e540dd12f72} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 4044 1e7c4758 tab
    3⤵
    PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef61f9758,0x7fef61f9768,0x7fef61f9778
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:2
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1516 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1508 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1276 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:2
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1320 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3176 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3180 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3768 --field-trial-handle=1220,i,13879012708092232050,12611975116049157839,131072 /prefetch:1
  2⤵
  PID:2832

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1388

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2564

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e2309db3-35b3-4d69-846f-beea1dce3c84.tmp

Filesize
271KB

MD5
b551ab7f7e13dec01a4779485fa29c6c

SHA1
f6e08cfccea84c80d855a64b9fecb938df9faf83

SHA256
7da845b46a2a1ed92b983ee8efbc92326466d3fd60edef5264c8a1687cd1616b

SHA512
d9474146372c3a8b2bb840d7854081bcae2de6b7093511ae733e4511e86c870ccdb4127e3d34f45e7a784bedc07e6f2e364ad4520fa44d03b7757e0393c04c42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
084fbc12fb907f3cde3b8897f444646b

SHA1
72e50bb59f988e9afba2c90563c61288354b6ee1

SHA256
0f410db40c63b8e96bdf55390f1f763247051958edf9d5547eecbc996cf41da5

SHA512
5fb6dc9d8f5f98854b92e55b6e38eff9756415a84181b6cbafc52eeb131558bb2c41a163f2b2f936277074064b08767a7d884a9f5bc23df7cabbfcce91c0e04b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\datareporting\glean\pending_pings\7b0fa78a-c3ba-4712-a9a9-a6fa92108231

Filesize
12KB

MD5
bfa999df48bf8f8478839c98e51e44c4

SHA1
f5b028438b79790ab896e7165b418d425f7967a9

SHA256
58cf63c43473666a5e1858e292f7716e0e28ae7605fb9993fb9a0d8bc746c7f4

SHA512
5cd37d85635ad7e5db2112860321b5d405536a8ef2fe2bee636dc983b68a27b766f4886af5e28ab46be79fccb962e928154e57fc33a43f2386ffd9dea7d0b629

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\datareporting\glean\pending_pings\bd56184f-55d8-4ce2-927b-826e1764ada7

Filesize
745B

MD5
1f964d275a3930b204f9777c2437bd28

SHA1
1c4abb422eeb254ec7e9293e6315812f0fb084d4

SHA256
d199e72a402c10ea9bb5ee069a28080ca84de932bb5ef5eb01648d6ca7d8f546

SHA512
d9d84aa2480879d5817637c813a608cdadc7d66f2a5cd2e67fca7e936332363241e3334582f039859ee16c0e60b8a41dab007f5f7da21c9f2df507da22f0c24f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\prefs-1.js

Filesize
6KB

MD5
d53529413a3c777b124d09e0b6259d0f

SHA1
c05442cca19ef7109bf72c9022f91a563db70291

SHA256
0b5476b72564112ef9fb3fc29cd999d4d0fa31b6e43007cec91b45e6232584fa

SHA512
ef021d6ae99441f4f398947e3fc66e9c7165196a3f0e59df9c956d9ce2099c677dc657a710d08a18f695c6289ce79476f7bc9e33feeb826ef5cfccb6734aa864

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\sessionstore.jsonlz4

Filesize
852B

MD5
18f445b15b9c7e9768188b7bcfd005ff

SHA1
d6e8749149c15b0e9abb9ad326e079c57e25e247

SHA256
89e1ef709dcd17c6c0c1a615fd2ee0a84dcd9a963a04a1ea50368f26b90a5a8e

SHA512
ea9c2ba6b3f131ce831de211af229ffdb3ed8ce6c94e4e86c314e3b2d9b1ad6e3e7ad377a88701c39b5062f645d205586df34b4d065309859f2b1ed784a6bc65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b5eed58a327ffb6914f4f635732fb850

SHA1
cc776b1f9ea48e86e298c86eb83e8a9ae0a22305

SHA256
8e91d1f233de3678a15e61f91f8acc11c05a6676a746773ee586d6cdf1fb1cf9

SHA512
50c5a3fa175d783f5612ff6c9802f7573547566712e407474921c83d34ef9c7fc3d5004aef5f5826328a6394e0bfb9efc4d7119a0e6278c3c1fd0e2a5140d569

Download Submit
memory/2564-334-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2792-335-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2796-6-0x0000000077420000-0x0000000077422000-memory.dmp

Filesize
8KB

Download
memory/2796-12-0x0000000140000000-0x000000014192D000-memory.dmp

Filesize
25.2MB

Download
memory/2796-3-0x0000000077410000-0x0000000077412000-memory.dmp

Filesize
8KB

Download
memory/2796-5-0x0000000077410000-0x0000000077412000-memory.dmp

Filesize
8KB

Download
memory/2796-15-0x00000001401DB000-0x0000000141316000-memory.dmp

Filesize
17.2MB

Download
memory/2796-0-0x00000001401DB000-0x0000000141316000-memory.dmp

Filesize
17.2MB

Download
memory/2796-8-0x0000000077420000-0x0000000077422000-memory.dmp

Filesize
8KB

Download
memory/2796-9-0x0000000140000000-0x000000014192D000-memory.dmp

Filesize
25.2MB

Download
memory/2796-11-0x0000000077420000-0x0000000077422000-memory.dmp

Filesize
8KB

Download
memory/2796-1-0x0000000077410000-0x0000000077412000-memory.dmp

Filesize
8KB

Download
memory/2796-13-0x0000000140000000-0x000000014192D000-memory.dmp

Filesize
25.2MB

Download
memory/2796-14-0x0000000140000000-0x000000014192D000-memory.dmp

Filesize
25.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads