52b286618143f7c53495944a4bdc85f58ef2b5c43c92b8ff4d2c83a4ca1598d4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 13:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

52b286618143f7c53495944a4bdc85f58ef2b5c43c92b8ff4d2c83a4ca1598d4.dll
Size

6.8MB
MD5

b4c10ef302f11762eaae2db4fec2d671
SHA1

64373ba3a6aad6e942321e9eb4dbacfbd6d45be1
SHA256

52b286618143f7c53495944a4bdc85f58ef2b5c43c92b8ff4d2c83a4ca1598d4
SHA512

fc5b94e7e36a2d11baf029b90f0a53eeef2354e160281b5897f0a2d4653ae3033ad9b998aef7ab333d0b8d7eeba239a36a03e349adb9379c0b473c7df81d34a3
SSDEEP

98304:WsEIBSY4yVRN6bxJ9fJPUTrHzvod0TXSwClOAi1:WosY4yVREbrUvHzoNE

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
5304	chrome.exe
5304	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeDebugPrivilege	3080	firefox.exe
Token: SeDebugPrivilege	3080	firefox.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
3080	firefox.exe
3080	firefox.exe
3080	firefox.exe
3080	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
3080	firefox.exe
3080	firefox.exe
3080	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3080	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3616	4952	rundll32.exe	81
PID 4952 wrote to memory of 3616	4952	rundll32.exe	81
PID 4952 wrote to memory of 3616	4952	rundll32.exe	81
PID 4728 wrote to memory of 4248	4728	chrome.exe	87
PID 4728 wrote to memory of 4248	4728	chrome.exe	87
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4060 wrote to memory of 3080	4060	firefox.exe	89
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 376	4728	chrome.exe	90
PID 4728 wrote to memory of 2156	4728	chrome.exe	91
PID 4728 wrote to memory of 2156	4728	chrome.exe	91
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92
PID 4728 wrote to memory of 5028	4728	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\52b286618143f7c53495944a4bdc85f58ef2b5c43c92b8ff4d2c83a4ca1598d4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\52b286618143f7c53495944a4bdc85f58ef2b5c43c92b8ff4d2c83a4ca1598d4.dll,#1
  2⤵
  PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcf992ab58,0x7ffcf992ab68,0x7ffcf992ab78
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1944,i,11152867289842084371,15616493993306342848,131072 /prefetch:2
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1944,i,11152867289842084371,15616493993306342848,131072 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1944,i,11152867289842084371,15616493993306342848,131072 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1944,i,11152867289842084371,15616493993306342848,131072 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1944,i,11152867289842084371,15616493993306342848,131072 /prefetch:1
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4200 --field-trial-handle=1944,i,11152867289842084371,15616493993306342848,131072 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1944,i,11152867289842084371,15616493993306342848,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.0.845817424\1146411815" -parentBuildID 20230214051806 -prefsHandle 1728 -prefMapHandle 1720 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a77874a-83e9-4022-adcb-bc5a50bbb1e3} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 1820 1623f30ee58 gpu
    3⤵
    PID:4004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.1.773152787\486909396" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c383373a-04e2-4ac8-84ea-0f88f60b376a} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 2452 16232585658 socket
    3⤵
    PID:4036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.2.1282554782\1810726623" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c445e077-f554-48dc-8977-12e8c250044d} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 3024 1624211cb58 tab
    3⤵
    PID:1032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.3.862124375\1662074147" -childID 2 -isForBrowser -prefsHandle 4152 -prefMapHandle 4148 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0551a5f7-b242-427e-98bf-78451dc02f94} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 4164 16243c0e458 tab
    3⤵
    PID:4440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.4.756285809\1875864629" -childID 3 -isForBrowser -prefsHandle 4892 -prefMapHandle 4888 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {243c2ea2-fe72-4101-ac37-3a0d1dde2b64} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 4900 1624583e058 tab
    3⤵
    PID:2672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.5.144468798\557461560" -childID 4 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec008a37-743b-4688-b301-aba4e9e4ea87} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 5032 1624583e358 tab
    3⤵
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.6.2114613318\1023476931" -childID 5 -isForBrowser -prefsHandle 5232 -prefMapHandle 5236 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dbfc38e-c980-46c8-b5ad-1f4920ab2f7f} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 5220 1624583ef58 tab
    3⤵
    PID:4580

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
67a45175dd5254637fdf2c0527417184

SHA1
38296857b08552a97bef589140f64cd98d1275f2

SHA256
56c3992ee6eb22f2336625558233c0d118eb21407d795a7f058a177b8cb2bd53

SHA512
14656448b21ff8411170a3cffad26fd8ce4159b779d8ed235f87badcfb441c3571c77199df1f74ce30419465651a9343989e5ca03a249a4c7cf3f6088a16a594

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
c44004930f20472f36b78faad9dcd166

SHA1
403ac1c8b47cbc3063f4ec199ed65caac92b29da

SHA256
527f1b75e33762cdf76fb80501d2d8117e298c46b1cd19b784ff58a7c3b27156

SHA512
e3f76f2f1ed4b0ab1b2a381aa21374b91d78d4cf0c8e69e101548c25a44f178f138bf43106d0848ebd9d42003911796e420e8dbbacf844c46e77a2cdab965904

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
0d06c2daa3cd60b56b2238d3fc64af1e

SHA1
c9d977d8cac013bcecb8e00c7b0999c1fa2362ce

SHA256
fa135239ce63951634538a554bb32d1b11e7eb1ad2254478f2744a25c48bb3ac

SHA512
8a82ea28c05e4277d88e535556a4fb1cef85e7733b1ec1c4f1f07fed9cff559468c971e67ac8e9f65576c5596ee3153cdae8f8e3eb78ed15322631cf25e9e98e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js

Filesize
8KB

MD5
166db0879023405751b6d9efe409df11

SHA1
822a602224854b7f5d232b43fe1949b7b7c05929

SHA256
b64225a66b4cb98011ebefde77e5f70647cbdf6f8048aadad7eea5605c12c53e

SHA512
4cc0b38f753d7e714d72737135e98fd7a16bde7f6f058e5ce36a4a7dace2c77d71f3dd8fd4001ee9e14f4fe8985f9b16bf3eca422f63cc10895530c19348e3b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js

Filesize
7KB

MD5
ae3c9292d63bfb97c845f23b2eb6b34b

SHA1
79d5044d3569a1e5748619ef38778c86cd163de2

SHA256
54af751889a71a2a5ede6a70ff4d52f10eba797827d29decdff6ae0673787a9d

SHA512
cac07bdeb4126f6ad1be337efb485b61f2f8690c3debb877fd897ada3c211df30b17b6a3ea5ff9e27fdd832867cc354e978ca22388acf699960f09c297790268

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
67df8b56382d0bd32b9de6be9198a25d

SHA1
fe55f9d16d6456da6644ef2fa7878493b77b1d0b

SHA256
f1ac4094a57e22e6d19879a655a2782596fa9350b66b064cd2af550b95835ae7

SHA512
42501ff6081e68affdb118935ed92bd8e0103363b99134bf79c1163e4bb5c14e768f15925dac9ff4d0d2189b3e5b236d16b6ab6d8946a832e36b082c962b7b08

Download Submit