hxxp://45[.]207[.]168[.]170[:]7744/

Resubmissions

15-06-2024 16:28

240615-tyqrqaxbmb 1

15-06-2024 16:02

240615-tgvz4swfjf 1

15-06-2024 15:59

240615-tfeazazeqj 1

15-06-2024 15:48

240615-s85syswcpg 10

Analysis

max time kernel
600s
max time network
592s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://45.207.168.170:7744/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629409538827533"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
5672	chrome.exe
5672	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe
5020	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2308	2236	chrome.exe	83
PID 2236 wrote to memory of 2308	2236	chrome.exe	83
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 3152	2236	chrome.exe	85
PID 2236 wrote to memory of 1532	2236	chrome.exe	86
PID 2236 wrote to memory of 1532	2236	chrome.exe	86
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87
PID 2236 wrote to memory of 2724	2236	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://45.207.168.170:7744/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff850fdab58,0x7ff850fdab68,0x7ff850fdab78
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:2
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4476 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4812 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5048 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4432 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4908 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3176 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3248 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2908 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3948 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4728 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2396 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1908 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=1460 --field-trial-handle=1924,i,10064606944694252065,12952771565121571236,131072 /prefetch:1
  2⤵
  PID:6032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:732
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5020.0.1718274329\1649848774" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2aec3f27-2b77-4f49-b2ac-30f873bc8cf7} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" 1884 2770b024d58 gpu
    3⤵
    PID:4368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5020.1.587627791\2097675587" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35d1ab23-c71f-4bfa-a84d-b260bd9bd652} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" 2452 2770b46b158 socket
    3⤵
    PID:3340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5020.2.1954015213\148685677" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02ca18c1-14bb-44c0-87b7-14c94d795ee9} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" 2988 2770dd09558 tab
    3⤵
    PID:4696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5020.3.176004870\852992075" -childID 2 -isForBrowser -prefsHandle 3856 -prefMapHandle 3884 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0fec5f6-d9e3-42c8-8d8c-6e1886eb5a33} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" 3896 2770ff7ae58 tab
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5020.4.1426216020\1272634624" -childID 3 -isForBrowser -prefsHandle 5020 -prefMapHandle 5004 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a05daeb2-ff1e-444e-b60c-b66253b27aff} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" 5016 2771222f558 tab
    3⤵
    PID:5176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5020.5.45148647\172584313" -childID 4 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eb0f95e-fbfd-4a39-9578-a87c5a0cc6e0} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" 5168 2771222fe58 tab
    3⤵
    PID:5184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5020.6.1128506051\280605595" -childID 5 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {335e8159-0592-43e7-8088-7051b90cc361} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" 5372 27712259858 tab
    3⤵
    PID:5192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5020.7.1597431765\2057833310" -childID 6 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0216f01f-c099-4810-9e8a-47fbc5e9433b} 5020 "\\.\pipe\gecko-crash-server-pipe.5020" 4148 2770ff3b458 tab
    3⤵
    PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e7927eeed62e2b6199c4426b86e71a7d

SHA1
a845a83daf50d191a97d2cba90ddc07dbfb62bb4

SHA256
bb9cfa953b74fa41707567900bf17355c485fc2a2a4397f7692ea2fd708d9cf5

SHA512
dc82d31748b2db3f73462ea0dd435d0f3a584db78c61e32402f26942e0abfc7a2db4f2a417cd0668ac7f16b6a255706720574beb4c8609fe5423ae53bcc661bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9e36b75d39a12992bb1338d226bee6cd

SHA1
28edd3925b692408fc5534d7994fb8dd6bff36e3

SHA256
52ac157c348141e0ce7bc3d4f48e697ef8cc30f909774b45dec12e158e441669

SHA512
7511b1ae966b1889e11982d39bc3f9ef24f851e48ba4d4026f6c5bebcfef10445c2913afefe839161b9efe46c9ef3ba69af76850ee304cfafedb8124071870ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
106c2b307f329bcda02346e3b4332740

SHA1
bd0df51ecf944e1d1d249b572a71b30ac6dd815c

SHA256
ac772eeafaa505a24ff1f2dcacf3fc6611dd1dd5693a3dcbb79ff8aca1dff0a3

SHA512
da626aaee5001756eeec9b4bd1ab9d1397b853377d4b880b4b4367388ba015c41123054b28e467a3e3037dc72b7c89d190fa38b9d9b8e15c457eda884f52f844

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
c3ca88da223daf46ea13cd841976e4c5

SHA1
63d50a5e9c969772a0d896a3a8a53460d2c4e4f5

SHA256
c1136d7bcc1e6c8266d1b25d2ab062fd834b45c0ee61c65e17d1d3972bef5a08

SHA512
a1799a52cdda89020739f1537608d046ed23b143af05dbd9a50846e850c075e631db2e7fcac5bdfe4c1cdb022220afd94df7343385a55eb92bca15a291940bb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
6b5430267ae7a9bc86e0d746eff86fb0

SHA1
4105a434fb505911234f2f61ef5326151f150c31

SHA256
6d68c09efdc2f234ae5ec311a810250b29bdec106e6459af649b56b29d77d8e9

SHA512
2d60fe194e47470e731e8acfcf6520a35c5a50b7e2e5307057b9d653d4f73401723f129346548f9d661d96589277be83b8a280e99062ece6fbf96270f7f0a1b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e465.TMP

Filesize
88KB

MD5
da119e889e24eb7ab4949c335427fef1

SHA1
ab05300417374a372124c37e2443a07fdc537d08

SHA256
e85f7640d33e6c97cf09f481a86e095572989dea9a8034f9874ce34a189af1f9

SHA512
af88850d9e905b87e24b69dd50e245251d525ca4c619f43b04d4c198abc93520f1d87d2cfe6e4a002baa7deb14505fb180d981ecdd956decc01876657861eaeb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
8ee70374ddebd89ff29bc03eb1a0d700

SHA1
a91b99007b98778ab021379a544f4f53d7908b81

SHA256
c95b5bb0a0119c8b1de3ca60080acda393c45c5fb962d53651a7e2f6e7cbc8fa

SHA512
161034c0ce908fd5464aeb8e456f879516294a5b0f4a62fc0739280194784e0b1e800805b16f113d3072875092cd4d9398c6404d0061861e34be2ddc5ed1447b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
007c9599f1e5902d47a32b67d41f4459

SHA1
2092b81061f86dbafc263c09c03c3f17aa14244b

SHA256
f938fb4826984e59a4ea42f2e9d19e08eb3f95b85518d3e1ccd8c386209ce097

SHA512
48e13aed1ab29925dafaa38a3925ba4d1a12336ca68c862563d1c48e2974ec75243e2a76b6b7f12f16a3720d182447c653e14b222367fe5fd98073d58a0e5a66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\bookmarkbackups\bookmarks-2024-06-15_11_sEInrcbjNuQU78LVjPjgjw==.jsonlz4

Filesize
997B

MD5
438e9000da555630c15edc578fc888c3

SHA1
bd773d897b3740a635cc9b5769c53ea2b4bc8fd1

SHA256
bf7e59f07dcb198444cb7c15c5ebceab10b0153cd4878019df4b8196edc36909

SHA512
632de477ff13d808ccf79c194de42c47114fa4fd2dc0b695efaabccf2d4deb575e23bf20b04e94b7437d9538b8dcbd8b63b3e57503ed5e2e3c9a7f1c54088ce9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
36e1e85c75c65fa39734a129a455ce1f

SHA1
b39f8c5d83cba277b1e473cd4d6d8fa1102de723

SHA256
d0b2762a2b57a73da8bd4d34219fcaa4cfcfbf75becb31093f73044fa9eabd9c

SHA512
9efcae58fdc989fde441006d536775e43efe8171da0b15737c6fffdd6a91b8f8cc06a2ff717d42dc28fc762a42c87b0d3e6b4fbffe247c48787ead7316900bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
9db636aac2a6a59fdecfbd682bbd7bbc

SHA1
e017fd48979b163ab44a082b40d5e9320539e117

SHA256
e2b2cadaa0c2442a3867fb39895ccfd72339f7c6684e58ce5c8ab8258210e28a

SHA512
f00d13e03694d14ee70540a972599cfc573215cd00698db858a5a50c8ad636178ed532f4632f071a3330e00e9d4ba304f280141ef45edd1ab3d7e581a7a06150

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
8KB

MD5
ef1e10ea8625fe19ef55badc274d77bc

SHA1
5e82194378cfe9d2d26c1e0a44f46000043a9e5d

SHA256
c1033bee80a8f730c6a82f8d05b7967f6eb7391f2f776616f4b15d7b09d580f1

SHA512
5d146e773f1532616d5ffcbbac1d67a35953a1c4b23f8fb30c158afc3a7ea73cb5e0f2f008e18953dbd01fd07ddefec74a0589732ebce1132292eae7788e7c91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
8KB

MD5
a16ed8cfaf674696338b823a8af7d0b1

SHA1
aa624e83971307dd1fe84243a91484b891c63119

SHA256
71b6f047ed49606a09095835f0cf770332068fcabd066e58a85be18e6a397d80

SHA512
6e4e362c12a3cd56cfba5494981551a7cec95ecd4ea927995036c3ea2de2ea4c1473b92bb897c3cdf3217ca9886ef23ca62c524a7e2a0b6b0a762de9c4beb565

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8bfbde2e573a7a1c999e5451e83d9da6

SHA1
d84c2a6a2fc87bdfc968771ad5a880a4e393797c

SHA256
9474582bba4ab86224a4629d583124c19f638187b37144554897dd5da0e6b695

SHA512
d94dc674b5c6cac164f66e9a53c6271e6b0d5e77aae37b2305a3f95d842ce3a2e92ca92278721b581c810738ebf636d0711a99c4c254cf1f6f7a140ede4a7b48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ceabbcda09d4d3c918c5491154e40a8d

SHA1
4fcbc3f6138c9d9aadadb7e5b27a7dc07e0c0742

SHA256
751c9352ee6cf1637290f5275b6b53e184933177e236c447037c38f00185cc90

SHA512
985b56a6f2830accea202fec3c968450867f72d9ea501b2b75d31e70b3a05a8f2a34cf8176d5a1c09800e10066514777bdfdaca9337a6b0b0dba5aab8569a6d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
709efcb236a801ee7c936120584a621d

SHA1
f520a015a08bbee47edb0c57313ecd79e9ceeac6

SHA256
644de90e86ebf74df47f15d3e56d9ee51c9bcccddaa2244f3b17df7fc5b45ea0

SHA512
5d9ea407847bda389a0c95919f8035132797a8c6e9c5ad127414d65281af91b0d8bf72c5edd764c0b8b5937f427a11c17e9256b77bd75eb758c35ae1bb70cb52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\targeting.snapshot.json

Filesize
4KB

MD5
87647d262e3f6262c8e87f7aee010602

SHA1
8c68b7a7c5df5ddeb784bc121f8d1351e8191801

SHA256
58b429ead992244fbe8a74e7cfa10a1585146465363ba49e12abf6bf29486a19

SHA512
004ff84e3a6a5a4d51f4e2d431d312896683bdf3b6cec8651317a475aca75137975fe499d25dced6f554ce81d95cbffc68974931161a762d862447cfea28a69c

Download Submit