7fe2838ea749ec377e5dd62e3e6bf69a3f19206d5a14be38145d83e622b618ec

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 22:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

jhgjhg.txt
Size

192B
MD5

fa8fd4f94ef5a44644da0e6b7c1a56d6
SHA1

0bddc5fd5a3a0f1e3a3e3872a9d953b85e19d712
SHA256

7fe2838ea749ec377e5dd62e3e6bf69a3f19206d5a14be38145d83e622b618ec
SHA512

11ecfa2ae8d2fd3b13195326028615e5e62e610cbb5b4b1aec79c4b1905f372028c51ffdb057844509b011b09ab2d640e46a8dfd30bd8dfdc0f4a461dfba2452

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626186821177244"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3340	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	firefox.exe
Token: SeDebugPrivilege	5084	firefox.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
5084	firefox.exe
5084	firefox.exe
5084	firefox.exe
5084	firefox.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
5084	firefox.exe
5084	firefox.exe
5084	firefox.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5084	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 4968 wrote to memory of 5084	4968	firefox.exe	88
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1976	5084	firefox.exe	89
PID 5084 wrote to memory of 1764	5084	firefox.exe	90
PID 5084 wrote to memory of 1764	5084	firefox.exe	90
PID 5084 wrote to memory of 1764	5084	firefox.exe	90
PID 5084 wrote to memory of 1764	5084	firefox.exe	90
PID 5084 wrote to memory of 1764	5084	firefox.exe	90
PID 5084 wrote to memory of 1764	5084	firefox.exe	90
PID 5084 wrote to memory of 1764	5084	firefox.exe	90
PID 5084 wrote to memory of 1764	5084	firefox.exe	90
PID 5084 wrote to memory of 1764	5084	firefox.exe	90
PID 5084 wrote to memory of 1764	5084	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\jhgjhg.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3340

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.0.1142918320\410987379" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f857c2c2-cf60-46e5-b612-760fe21dfcaa} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 1848 1ea3b823758 gpu
    3⤵
    PID:1976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.1.1839808141\1715417103" -parentBuildID 20230214051806 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {355d7a1b-caca-48f9-b191-99ccf5bc9ab3} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 2416 1ea2ea89c58 socket
    3⤵
    PID:1764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.2.316389676\334053561" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 3032 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1100 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56e8aa9b-e178-41bf-a6c8-232d343464c2} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 3040 1ea3e0f4558 tab
    3⤵
    PID:2140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.3.2109586010\361330100" -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1100 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21536595-e724-48ee-aded-c42899699046} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 3708 1ea4038df58 tab
    3⤵
    PID:4596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.4.1845975884\131797468" -childID 3 -isForBrowser -prefsHandle 5032 -prefMapHandle 5028 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1100 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68dda73d-848e-4a40-85b6-c3d23e75a2d2} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 2688 1ea426aa658 tab
    3⤵
    PID:1852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.5.678521613\255904103" -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5144 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1100 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c52b4839-cd6a-45e3-aa25-8d13541dee11} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5136 1ea43b25858 tab
    3⤵
    PID:2648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.6.149837285\1087036416" -childID 5 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1100 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9075d1a-a27e-4834-9626-fe20056f85f8} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5128 1ea43b26458 tab
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.7.963749291\1612649139" -childID 6 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1100 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93da528b-c7a0-4a0b-b1b3-d626b36f4046} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5624 1ea437c9358 tab
    3⤵
    PID:3348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffecae8ab58,0x7ffecae8ab68,0x7ffecae8ab78
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:2
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2328 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4516 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4652 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4440 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4804 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:8
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:8
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3124 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2556 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2640 --field-trial-handle=1560,i,939756535227912013,1108442250542467642,131072 /prefetch:1
  2⤵
  PID:1236

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d736eaa32d787b66f697c17c95269935

SHA1
cd9ec0e92871ca7f934b63e87f359cbd0df20a42

SHA256
cb5592799782cc04ef754b7f8dbbde55ab1de7327e8cfd6cda3633ed4c148275

SHA512
4af5966bc8f928d961ccd7cea0cbc42620c70fa2a155dde815ce5322a04c89d4fd1e59cab2408e6567eba2211ce4693f752f52a3b4e98ced8af134aef703fff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
049909860c3c616d410774e454e7c02d

SHA1
ae70eff2b6dd2c2506290a531c094d284754880c

SHA256
d67e2ffb8b27d581fe52fa7527e0fb4c881fa59d16f32c7d2f2a6f5452d45994

SHA512
ae786c37e5f5b9d11fa4d1fe8f04afef471d01dcb5122f073086fd493353304a47482c074ad2218c022530f358692609de0cece79bb4971905e742c77c0b7a41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
4ad08b07b4257f0cc8bdfb1943480dff

SHA1
515ee0b114723a5707e75fb945cd23a0819d5709

SHA256
a57f24bd588199ff4c64679970a7d4e88a9dfb287b37ea75c5dc00caaf84b6e0

SHA512
a59165867a273ffe8269c3d13eb04d9e395018682c028c6936700f16bfe364550dfe3ada7d462897225174b79e4908e1fa03626ca1934e88b29d345eb4f5f7e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
92KB

MD5
6bafd9f5695b45747c01038a648c822b

SHA1
c3902345d6173a7a99c5675b300b882a2ee0b9ca

SHA256
28ab82367acf3c4f484eeb40e44b8ad7a104bb9e1cbba2ca8324b88fe911a0fd

SHA512
82c623d082763e581a9af9a5977b3aaff0b5ccd33a153852d5cb553eb4f2c07729c043ce021749a090e60cdb15f4b17e4ca41d3f962be1223b6b89a55290bd4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5887e8.TMP

Filesize
89KB

MD5
4baa3562b6bbc8fb7ab6beb49e7bfa10

SHA1
d47f0950774cab2c9df6c57d1d9f03d86e866056

SHA256
010d68a420b5929250f6d58b84785c92204b598feaeeaa4096ce3ce8253af711

SHA512
7526268a47d276d3f6b517dee7c4db3043675ce89a762ae319c1ed583af20169e4ab789364e186849218f6ca89ea6c94ff8d91aac1de541fde65b81cdfad7446

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
0cffff6e312deaa9d3794f6eb1576bcc

SHA1
df81d8e28278e02a4906abe22165f15ff92aa2b1

SHA256
baa330739342960ad4f04c486985b4356c5c23c781e01e6eea99fcc380e73acc

SHA512
e137b475ad3c59a0ecf94a034a8cfcfd7f6e083627399354ad06e8969f899457b90d888f1dc50a4d1b8e3f74bfc243ed49f0f8bfc0a8ddf977767051b5df27c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
8KB

MD5
14649a99ba8171832b4c3aa4641b20af

SHA1
28de0e1f0f56de6e8314348d63a746ec0733a450

SHA256
2e8cba7192ea410c90a1426243c521b0580a22fc1bb5df06f468766e805c85df

SHA512
925f89502de2add561e4b38d13f2146ae394e516ac14b95fd1cbec876fcaa865d3241bb4d3495614b0b70dfe769e1d815e347ba507be68711add13613b413aab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
94b24ca00b54fe71d2fe1a418f0fe026

SHA1
3b9834310c63376f936d0275ac8ca5f2b5879ffd

SHA256
c246414451cdc919f094b5e9144a72bd92a06fdef9043886613cbe23e1d298f3

SHA512
ebb3cae7d44d412272f5540b3fcbcbedc8042345d886096e93624a3663d68b83f5ccc9a179cd2aba06a00476fc582c61acc558c9a0f5196d3d1f00f9d5e9a126

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
93dd5915e8ce396271242769c9958807

SHA1
6bae14e1ce9c86f4c801db9aecd567c5e7c65182

SHA256
e11b3e718a4effa91125fa7803adce4d457ba5233e90e10c2808f00022006c12

SHA512
b6873f9b97adf98b3e498c347f7cc51281c7a3115cb3be21428cf4a48b40d5ad26db5fc116c1d90955a633aeca2740a3c806ec470bacd266c9c3cc08c54f01b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b1a74f6fd1dac58364a003a400dbeb67

SHA1
49d9da4c33e870be387550b8cf977e1b4f7c1804

SHA256
6c4e56f57b59ae802049f431fa628cf2249b36defad13419196cd6af15291cee

SHA512
86343b329731d8d0d95f060945a32c55ca0cce88e5e6f363b65090e313a570c4cb7bbb2d55aafc7e8f518f6bea53e278ec642dcec00498315df30f9554752d80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
402edee383e486d8f4ee2c653411636c

SHA1
f0538ea15ec83ebbe90279a08e8355ff1d5d90a0

SHA256
21de519ee3d897f7102fd17687056505a84a4336a0a1390cd623455cb4995b5f

SHA512
1f9f96383f63521de01442e643dbc1d313006804061331041643ee2e6ec031b45fae02168c24000805d2c5d9f73f97cc654290bc1f92141c7f81136bc90ebe92

Download Submit