Analysis
max time kernel: 300s
max time network: 54s
platform: windows10-2004_x64
resource: win10v2004-20240508-fr
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-fr, locale:fr-fr, os:windows10-2004-x64, system, windows
submitted: 13-06-2024 18:07
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.mediafire.com/file/ll6owes66maaxk0/cheatgpj.exe/file
Resource: win10v2004-20240508-fr

General
Target: https://www.mediafire.com/file/ll6owes66maaxk0/cheatgpj.exe/file

Malware Config

Signatures
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: msedge.exe, chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes: chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627756846612049" | chrome.exe
Modifies registry class (1 IoCs)
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, chrome.exe
pid | process
3536 | msedge.exe (x2)
4068 | msedge.exe (x2)
2932 | identity_helper.exe (x2)
2104 | chrome.exe (x2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
Processes: msedge.exe, chrome.exe
pid | process
4068 | msedge.exe (x8)
2104 | chrome.exe (x6)
4068 | msedge.exe (x1)
Suspicious use of AdjustPrivilegeToken (20 IoCs)
Processes: chrome.exe, firefox.exe
description | pid | process
Token: SeShutdownPrivilege | 2104 | chrome.exe (x9, alternating with the row below)
Token: SeCreatePagefilePrivilege | 2104 | chrome.exe (x9)
Token: SeDebugPrivilege | 5728 | firefox.exe (x2)
Suspicious use of FindShellTrayWindow (58 IoCs)
Processes: msedge.exe, chrome.exe, firefox.exe
pid | process
4068 | msedge.exe (x25)
2104 | chrome.exe (x28)
5728 | firefox.exe (x4)
4068 | msedge.exe (x1)
Suspicious use of SendNotifyMessage (51 IoCs)
Processes: msedge.exe, chrome.exe, firefox.exe
pid | process
4068 | msedge.exe (x24)
2104 | chrome.exe (x24)
5728 | firefox.exe (x3)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: firefox.exe
pid | process
5728 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
description | pid | process | target process
PID 4068 wrote to memory of 3160 | 4068 | msedge.exe | msedge.exe (x2)
PID 4068 wrote to memory of 4092 | 4068 | msedge.exe | msedge.exe (repeated)
PID 4068 wrote to memory of 3536 | 4068 | msedge.exe | msedge.exe (x2)
PID 4068 wrote to memory of 1308 | 4068 | msedge.exe | msedge.exe (repeated)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation = depth in the process tree)

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/ll6owes66maaxk0/cheatgpj.exe/file
  PID: 4068
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9361a46f8,0x7ff9361a4708,0x7ff9361a4718
    PID: 3160

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2
    PID: 4092

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    PID: 3536
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
    PID: 1308

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
    PID: 2248

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
    PID: 4644

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
    PID: 5096

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
    PID: 2932
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    PID: 3848

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
    PID: 3108

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
    PID: 4060

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    PID: 1880

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
    PID: 1540

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
    PID: 1960

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --service-sandbox-type=collections --mojo-platform-channel-handle=5360 /prefetch:8
    PID: 4260

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,4632871963433095543,5138435624502152160,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
    PID: 4320

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4432

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3900

"C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 2104
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff92355ab58,0x7ff92355ab68,0x7ff92355ab78
    PID: 4852

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:2
    PID: 2532

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:8
    PID: 5044

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:8
    PID: 3900

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:1
    PID: 1028

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:1
    PID: 1620

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:1
    PID: 5364

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:8
    PID: 5512

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:8
    PID: 5628

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4744 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:1
    PID: 5708

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4968 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:1
    PID: 5736

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4124 --field-trial-handle=2036,i,2496481244014855698,8434680171199360306,131072 /prefetch:1
    PID: 5900

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 3276

"C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 5416

  "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 5728
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5728.0.1837880620\940837622" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {119766b2-50c4-4f6c-a2b5-4ca45a76bf7a} 5728 "\\.\pipe\gecko-crash-server-pipe.5728" 1852 265b540d958 gpu
      PID: 5224

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5728.1.1772805946\1094032889" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be347825-65ff-4c38-80eb-03e603427eb5} 5728 "\\.\pipe\gecko-crash-server-pipe.5728" 2420 265a8786558 socket
      PID: 5840
      - Checks processor information in registry

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5728.2.1090926191\1065328178" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd205bb0-d596-43eb-b63e-0570db76d3eb} 5728 "\\.\pipe\gecko-crash-server-pipe.5728" 3004 265b7bf8258 tab
      PID: 1004

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5728.3.1142685408\1882975705" -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c53a1ce-dce8-4b7e-a9f8-de33f0ccd2dd} 5728 "\\.\pipe\gecko-crash-server-pipe.5728" 3984 265ba37c558 tab
      PID: 5796

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5728.4.1166794464\107330795" -childID 3 -isForBrowser -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e853a94-626b-4097-9ea2-0609691dff52} 5728 "\\.\pipe\gecko-crash-server-pipe.5728" 4884 265bc360b58 tab
      PID: 5072

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5728.5.2076998465\1724635797" -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 5052 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {567dec83-7e63-4317-9756-69fcb0314a42} 5728 "\\.\pipe\gecko-crash-server-pipe.5728" 5032 265bc360858 tab
      PID: 4884

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5728.6.1527371461\1501912322" -childID 5 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa97d822-c899-4c18-91e5-674b067bbbee} 5728 "\\.\pipe\gecko-crash-server-pipe.5728" 5228 265bc35fc58 tab
      PID: 5636

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5728.7.1690600141\424571573" -childID 6 -isForBrowser -prefsHandle 5644 -prefMapHandle 5636 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5746da4a-8067-4df4-9717-7957348ac86e} 5728 "\\.\pipe\gecko-crash-server-pipe.5728" 5656 265bd37b558 tab
      PID: 2512
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 811B
MD5: a07282d1474cf77e171b795c2e241f5b
SHA1: 45d3910d7f0790a554146e93910bb03941b3f405
SHA256: 9e5c39ee190069c6dea6e952329928503bfed3bf8b7a9b9fc89e8fa695c36a56
SHA512: fee9020395da3134b71449408fa69e232d3c66467dc07b9e5820891a03452b08366be585f2e976fd681ea39a4c1b68c3fdf6e8acbfad81f7b6ad43126b5178ec

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 7KB
MD5: 53bbd0dbe8c55ffa5b36ae7a55709a2e
SHA1: e1ed1f880feaa964f569c1d5071f06299189f252
SHA256: 65ec46ba6c17d614c44ff87efa0b365cbe27693a64bb6f4795ed32c8278fe821
SHA512: 7ea8beaf256334bd3195b18d0dd7100227a4fc7ffadd8973e26d5848e476df452434f30ef53357ef7bc00d6477e1feb19f3c219666aca464101bc1809adf3eda

Filesize: 255KB
MD5: c7f2ba7cf971c5b76e828428535ee546
SHA1: 4a223acdb69a62f06c36f8934853bdc9a174845c
SHA256: 12621f4cdbb1f7d4921af6e52e75ebfcf0d6746f8d16c073817a0925799ab7f8
SHA512: ebbe394f25090ef15d6b3daa6a80cdd1c26f0ad8ee1edd4acb1d43d04b3e85f7a67ff6c1fa4036af817b09adb87b2eb52cdc747501d2ed2eebeb333503d50b1c

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 152B
MD5: a8e767fd33edd97d306efb6905f93252
SHA1: a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256: c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512: 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Filesize: 152B
MD5: 439b5e04ca18c7fb02cf406e6eb24167
SHA1: e0c5bb6216903934726e3570b7d63295b9d28987
SHA256: 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512: d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\270dc90a-711d-4c81-90fb-133c4d82f29e.tmp
Filesize: 6KB
MD5: 0140982b8cb2a55f7451b050fdd69f16
SHA1: fa91c5714f4a8a206a75c3b4892671a5a68f1587
SHA256: 8705acc304a7bf3d4d8cbaa508255fe14be5ce05352386295b48d3aab02ddfa6
SHA512: 85c96c18e6b43129d8f0789ff1e74836dc2ed6c7b6f8913e8447d50e617b8edcd3148bf960e8f9e0c14c474dbfff7e8efe294e4858fe482e680fd286e261fc5d

Filesize: 6KB
MD5: faa5474d4bc038e520b3442d62e3df76
SHA1: a9888b02f7f24dff98b20460298a69a2c4329e87
SHA256: cee17416299c9cdd3f270409128478bca5ab56889c71242cb124b32b86d03779
SHA512: e26c9d9d2a2c3ac88e6442d828bfb325739e3d8cf633a2d03803ffadb07e4450982ed8cec96aea9f4cf3888198f69575da7d532e55304da611086daef57bb012

Filesize: 5KB
MD5: 57ba48ef6f90403a166df5fdb5405c74
SHA1: 2eaa8dc308b97a29e830412739c2338d8503ed55
SHA256: fd09aa0ccf0fc5fe7f105bfa616db26ae3a99388d5c22cf8b3848cb00e663242
SHA512: 6aa9a1d9768a188c44197ec9206d51b7b98a257403a114c1e21e6cebe7cd7bd15506cb6af827523d2358db2b660ba71b76d0c133b54773db577f775b1b78268d

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 8KB
MD5: 5f31a80c902e7cedf7e4f5f4727e9d89
SHA1: 50e338501085fa6cfe11f15319098c657e784f27
SHA256: 4c88f23d6952e79f0ad7f458cd1f3c2d9e8273879ace5a0fd358dd07327a8452
SHA512: 0440c1a3182beb224a7282bd17576cf756a0029f2f58864a81171e03f2ba231da32e06ba43857d0a7d95d96488dcddc12e76af25a443462ec2f41a9a93f2cb76

Filesize: 8KB
MD5: fbd2a8e15df2ba466ee4574b3ae816cc
SHA1: 470660d69e14d940e247045f68dedc6641dc7760
SHA256: 2bc3bdad02305ab0f8a8f88df663c0f6382d6375d44e07aa6e53a3ead429305e
SHA512: f65dca4d234eb1224ef0e22edacfdc924444d408232df02126bdfa90f34e562c02efee815f1939cdce41bbc726fd9b5a52c43be55df997e944b7f7eeeb826cb5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 23KB
MD5: ecb2f4b60e06e49fb3baac5773214231
SHA1: e152f7160f4b96036a474b3197e893b1a8adb0f5
SHA256: 323e83e4f0c925cf0b89debfa122d89b0b6d25127a6e858c884d02e8dca03039
SHA512: 5d7b58c9abca1afd2516e00e6b0956833779fccc3b3e16d12e3fe09027c1813ded368deeccb8426c12e6ea470c7e1ed5476be3ead023db451b3331a176378f94

Filesize: 7KB
MD5: 58e85701bae51b0f0d66041a25370d6c
SHA1: 47e33a0f06f9e5450ef02b6a0ba5d57bfde331e3
SHA256: f09c487801281e76ae9d0b932e4aed82d615f60fafedef481364a9b314192903
SHA512: 32d57d10b81bf853dc11638d0f8a97d38aa3575a774229e5e594ced5fc0f48a6241ad62c16fe5c69610b56fa3106429a247d2539d3a40a5ae99d479d942f03f3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: c944a45542d0d36dddd6e7cfbc91df7a
SHA1: 46cca3c0b6bcbd2c0eac95ba94ef6022e81ff232
SHA256: 26cd87f35b8fcfdffa1f18c3d1f5dbc64f8a13dac148e685d6ee82d121c4a5ce
SHA512: d740f0f40c79e8acfe9ab78d0c6e3c10ad64ed0acd2d757908df8a9607af770334e03420729badfe9dda371821d30cd199ed67ff020eb8beae55ccf61ebc0b7c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4
Filesize: 1KB
MD5: 57f7afa49a8dfb94a4eb7a59fcd9c093
SHA1: a932a957999dc15ff0b928ba75686065b2d12ad8
SHA256: 260f7b6abd9e2cb396056f4342f6f2ec58cc6d0ea394e39e54be260929a049e9
SHA512: cb956f2c493894841bef4a55095c0429e79b2133e2985b99f287b67e305f679b9e20aad757bffafee082e68e3b332b879c7e806332a07acf872dabeaf7285b3a

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e