hxxps://tinyurl[.]com/mwx6ybec

Analysis

max time kernel
145s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tinyurl.com/mwx6ybec

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627954658248222"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1356	chrome.exe
1356	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeShutdownPrivilege	1356	chrome.exe
Token: SeCreatePagefilePrivilege	1356	chrome.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
1356	chrome.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4492	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1400	1356	chrome.exe	82
PID 1356 wrote to memory of 1400	1356	chrome.exe	82
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2772	1356	chrome.exe	84
PID 1356 wrote to memory of 2752	1356	chrome.exe	85
PID 1356 wrote to memory of 2752	1356	chrome.exe	85
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86
PID 1356 wrote to memory of 5104	1356	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tinyurl.com/mwx6ybec
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05d5ab58,0x7ffa05d5ab68,0x7ffa05d5ab78
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=268 --field-trial-handle=1952,i,11707754365071098640,16423172832207489870,131072 /prefetch:2
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1952,i,11707754365071098640,16423172832207489870,131072 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1952,i,11707754365071098640,16423172832207489870,131072 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1952,i,11707754365071098640,16423172832207489870,131072 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1952,i,11707754365071098640,16423172832207489870,131072 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1952,i,11707754365071098640,16423172832207489870,131072 /prefetch:8
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1952,i,11707754365071098640,16423172832207489870,131072 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4584 --field-trial-handle=1952,i,11707754365071098640,16423172832207489870,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4116 --field-trial-handle=1952,i,11707754365071098640,16423172832207489870,131072 /prefetch:1
  2⤵
  PID:4476

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2320
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.0.1213263714\2057440952" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ae9f62e-e5e1-4a3a-9828-d6a086763326} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 1884 24845018a58 gpu
    3⤵
    PID:808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.1.751945299\1287634244" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73a65c9c-6282-4ae2-a39c-6c7ee31cf180} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 2452 24838389c58 socket
    3⤵
    PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.2.839172590\1108334767" -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3032 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e25c859e-66a6-4bd4-ab78-d3decd658040} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 3044 248478f4e58 tab
    3⤵
    PID:1548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.3.2124233295\1707602211" -childID 2 -isForBrowser -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34ff445c-fbbc-4bd5-983b-110c27b64d2f} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4140 2484a113f58 tab
    3⤵
    PID:2188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.4.942910402\833083720" -childID 3 -isForBrowser -prefsHandle 4688 -prefMapHandle 4860 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9af6fd71-852f-4ecf-94c6-c6486756f95c} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4880 2484c049e58 tab
    3⤵
    PID:216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.5.1451686943\664386644" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c815911b-acdd-4bfa-a18f-f6099e2a357c} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 5108 2484c047158 tab
    3⤵
    PID:1500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.6.1669123589\1744345958" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b40ac7f3-98eb-4827-9eda-4d9217922c12} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 5208 2484c047d58 tab
    3⤵
    PID:968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.7.1139171553\276785336" -childID 6 -isForBrowser -prefsHandle 5628 -prefMapHandle 5624 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0780c6d7-6ac6-4617-8f89-7164039c7b39} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 5640 2484d363758 tab
    3⤵
    PID:416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.8.1661210235\1866290453" -childID 7 -isForBrowser -prefsHandle 5040 -prefMapHandle 5564 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e758c8bc-449c-464e-a8d2-4ab33c220d4f} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 5384 2484a111b58 tab
    3⤵
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
811B

MD5
6a042c22f2ed8436b027d8a229230956

SHA1
86ae4e7e85ab568796a412dd8b7eb810d43e53c8

SHA256
a44eea7805a641e1b1da9219d1f6236a36e7cf58699cd2277e537782c2f8e501

SHA512
c0ecc883c4be74098854f0d5687ae7db17d6f5d05602def195e491000ddcd9b7d0a61958f8fb2e3fe73ab78b3cb6c7563bd0795a9e39bfc71200e1a221e02d3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f3a5405b0b482da3163acf8f6ecd4f51

SHA1
8b4ef049433ef7ca6c54accab93d7fc0c353204a

SHA256
531f7771a546d19883fc6fd0dfe0610896c8e40090936fafc7095a7db43b5b30

SHA512
b280c7cce0ee1952e9ccb9125be07ff5c8dbea5e91e561fea2276279448017d7744dbde80dff6ea21d6d92e6d60a706b51f61c754c14b45f7400e636761d907d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
142879976bb95411e68ae5b2c88ea963

SHA1
745348565673b2fc5b4346d8561ee835dd11932a

SHA256
f384f2912699a192fade2dc93a1de3bd909ecf2bacfe3126bac74960d11796fb

SHA512
ac2dac4e0ffeb9d317a1de796d6c0d463c2c160b11660920f747d579f32fa46eb34c5ff25d4adc44300270db1dda5900cde2ebd9f57415361c2c65e0f248387a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
b20517ac5407ed3238cde29f73006722

SHA1
2c0f049e31ad533756ca47181f37a1ac7e3c99f9

SHA256
3aa1c5ca2c60b529537a1727371f72eca964cdf71f93c53fa4eca710e7efa61d

SHA512
cbed1583a9a3a22fd3bdec907b7a9a8e58da1f23791083bc33418b3c97a6a28ac4ce0c0b7ab88397522967c4d15d6d75b612b77b6bced87da0075996227551b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
e65c8d0f61b0731f39ecb61f99512400

SHA1
be1a5bf9b42bdbd28d45371bad5748004c65bcdd

SHA256
66e9b68c56fa6d5249dd1eb5abab93d07e0e8baaa801b27bb921e89b7bb29284

SHA512
7ef33f72a80e1d5c3350b80aa26e5e332d9dbc688e49ebae86bc9483c843fd5478966c0f7b3eab4c92b3e4ab5e71f7d04eb796022a8e89c6b47b3bb53f18e15e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
0cffff6e312deaa9d3794f6eb1576bcc

SHA1
df81d8e28278e02a4906abe22165f15ff92aa2b1

SHA256
baa330739342960ad4f04c486985b4356c5c23c781e01e6eea99fcc380e73acc

SHA512
e137b475ad3c59a0ecf94a034a8cfcfd7f6e083627399354ad06e8969f899457b90d888f1dc50a4d1b8e3f74bfc243ed49f0f8bfc0a8ddf977767051b5df27c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
ee8048d47bf951e436216f4148c39f43

SHA1
cb166dfae9385c14daf52f5aec25f0d8b8468ed3

SHA256
7e497f27e6b9631c2b9d2a81338c8b8338e35ceeb7d035ffa1f06848f67fdc4b

SHA512
0f65ac9d3e99423c38138a8c85636708dc766106a4fe703bdc8df408431ee271552c366b06bca3a4a97b355a0e3dad95236ae19a63816861f3bf056557e21f7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
3a178736bd57c8abef8e960dbf369fac

SHA1
a8891fa4d99434b80cba629980910c3fe4971464

SHA256
2014399a9a11e5714ddcc3ec3d67234a92bd463c692d8b550e6721e6db1672e1

SHA512
b249e0a44140bf62b13d3636e950a0b9116014607fa3ac72b61f4c1fb1c7547cc8b3475b6bdcb89be85d133cc442503e35c14ea185430a78805a5acf46227e49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
8KB

MD5
9640ad881a2c167e27087b44cddd4794

SHA1
d407d72f106586dc88e0969a6440c2800fcf5cfd

SHA256
ac93a4eb241d8fa2a59d14dabd69f85e0fa2900524e876141c5d68f80e2252ca

SHA512
1395326cd44ba4013dc0447ff0deae6eb9eafbaa19f3a491800a544cd93d2592efeadbd02dbe76bfb2114fbe609ee66695e39b7235136c9f9b93cdd51ab9bc9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ab24f174c231b0df2650dc4c8c300a3c

SHA1
362227e9e225e7c8bf20e135340791aad441c83b

SHA256
658d930f5b37d2e7f93d437d8b1ed5b786fcf7c0e61a9441b08b435149932a40

SHA512
efa2163286c0dca9faf72774c59e8e4787ea630040b55e2f4ce91cc376f231a473e23897c633ff0e102c984b71c19fb28c47ee05f50a35911d15b82eda1504b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
985db4efeb3ddfff59006fd287af2648

SHA1
795fdc3b5d48f0bb6607d164d35f5926bf35aa2b

SHA256
b8bf6bc8e1fce62e5159d4fc3ddedd0fd33820c28bb54f5033c2cc93a05f3fcf

SHA512
23776d5a9db9286dd7ea66196906e69b8c8fd2e2ad6095ccecb4a4c0ffaa650a3447e1866322e2b925ac9d19503da33a114819bdf1d1e123e2b60adc08e126c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
5a8f658790a2748ae5e174a71c66e4ad

SHA1
90b41e805a96ec71d641e326e9872759755b0ed9

SHA256
e14d9f25b650c3b7960aadb6bdfd0f841d4a4de7cf7886a25f12c1791822e88f

SHA512
ff143b15fe3120e3c86afffb81a033d601628b894e805ac7ac0f6a429fb6b9a6bdcacf88ad12afc701fe13db72ca463fd6bde35562c511911d00893119c5db71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
13f950f49dd8d9da941743d2a28a5a51

SHA1
a0e5e43657e1d03393afbafefeec4a0a698fe7b0

SHA256
075d946b11fc58b15335f71175af74dd1067dec5579a2fc1452305755caa2491

SHA512
fe82c64617498a26791b10caeace6e8f0ce6e243a0af294c0498aa7047205a624f4e66106beaca4c327285fa14f9a768fe3dc0de9c6775aba5d2c50cad68f914

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
71d7b39a4b0d23f7f73ace119e770ec6

SHA1
cd282ad60beeb84c7e3844b2d35fcd705952fc48

SHA256
7923706b364653eb1c3c6d3ad39b52cd6249914e9f5cfbba8c2a9ac0dd5dcb7e

SHA512
1c0d987c4d47bb8a7cd5973ec60388cca9bbb6b330063faf0cbce2d19bc157a175842e8ae04618fd0be7c4ecd2d3679a1453652b0816c7dfdb9aedb8b2be514a

Download Submit