6085da1807b2fc08d6d5a7da5b77167a2fc15bc78d8469001716e4a0830b94b3

Analysis

max time kernel
299s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22/07/2024, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6085da1807b2fc08d6d5a7da5b77167a2fc15bc78d8469001716e4a0830b94b3.exe
Size

89KB
MD5

17a31a048a792b2bead376b46d2c01f4
SHA1

bdca10afe7eb58ed89be409aa687297f616af515
SHA256

6085da1807b2fc08d6d5a7da5b77167a2fc15bc78d8469001716e4a0830b94b3
SHA512

7e205c097b3e17476f21155d8afd9135bdc4743ae6ad57da2977eacd89f91f27aacfead55045e9c55a89a058c2d55ac4d7914b18040eed70e5b7b32f969fee1a
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfjx9Oq:Hq6+ouCpk2mpcWJ0r+QNTBfjB

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133660985578752265"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3384	chrome.exe
3384	chrome.exe
5892	chrome.exe
5892	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	firefox.exe
Token: SeDebugPrivilege	2704	firefox.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2704	firefox.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
2704	firefox.exe
2704	firefox.exe
2704	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2704	firefox.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
2704	firefox.exe
2704	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2704	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4896	4988	6085da1807b2fc08d6d5a7da5b77167a2fc15bc78d8469001716e4a0830b94b3.exe	72
PID 4988 wrote to memory of 4896	4988	6085da1807b2fc08d6d5a7da5b77167a2fc15bc78d8469001716e4a0830b94b3.exe	72
PID 4896 wrote to memory of 3384	4896	cmd.exe	75
PID 4896 wrote to memory of 3384	4896	cmd.exe	75
PID 4896 wrote to memory of 4272	4896	cmd.exe	76
PID 4896 wrote to memory of 4272	4896	cmd.exe	76
PID 3384 wrote to memory of 648	3384	chrome.exe	77
PID 3384 wrote to memory of 648	3384	chrome.exe	77
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 4272 wrote to memory of 2704	4272	firefox.exe	78
PID 2704 wrote to memory of 2780	2704	firefox.exe	79
PID 2704 wrote to memory of 2780	2704	firefox.exe	79
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 2736	3384	chrome.exe	81
PID 3384 wrote to memory of 1720	3384	chrome.exe	82
PID 3384 wrote to memory of 1720	3384	chrome.exe	82
PID 3384 wrote to memory of 4836	3384	chrome.exe	83
PID 3384 wrote to memory of 4836	3384	chrome.exe	83
PID 3384 wrote to memory of 4836	3384	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6085da1807b2fc08d6d5a7da5b77167a2fc15bc78d8469001716e4a0830b94b3.exe
"C:\Users\Admin\AppData\Local\Temp\6085da1807b2fc08d6d5a7da5b77167a2fc15bc78d8469001716e4a0830b94b3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5E0E.tmp\5E0F.tmp\5E10.bat C:\Users\Admin\AppData\Local\Temp\6085da1807b2fc08d6d5a7da5b77167a2fc15bc78d8469001716e4a0830b94b3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ff98b469758,0x7ff98b469768,0x7ff98b469778
      4⤵
      PID:648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=2248,i,2064909121566826993,8788081411429590018,131072 /prefetch:2
      4⤵
      PID:2736
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=2248,i,2064909121566826993,8788081411429590018,131072 /prefetch:8
      4⤵
      PID:1720
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1868 --field-trial-handle=2248,i,2064909121566826993,8788081411429590018,131072 /prefetch:8
      4⤵
      PID:4836
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=2248,i,2064909121566826993,8788081411429590018,131072 /prefetch:1
      4⤵
      PID:4572
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=2248,i,2064909121566826993,8788081411429590018,131072 /prefetch:1
      4⤵
      PID:4296
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=2248,i,2064909121566826993,8788081411429590018,131072 /prefetch:1
      4⤵
      PID:4540
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1004 --field-trial-handle=2248,i,2064909121566826993,8788081411429590018,131072 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5892
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=2248,i,2064909121566826993,8788081411429590018,131072 /prefetch:8
      4⤵
      PID:2260
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 --field-trial-handle=2248,i,2064909121566826993,8788081411429590018,131072 /prefetch:8
      4⤵
      PID:5528
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=2248,i,2064909121566826993,8788081411429590018,131072 /prefetch:8
      4⤵
      PID:5828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.0.102191136\587269451" -parentBuildID 20221007134813 -prefsHandle 1648 -prefMapHandle 1636 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6550f09b-4fda-4a15-9316-5509dc540084} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 1736 212f96d0358 gpu
        5⤵
        
        PID:2780
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.1.591823409\767542523" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {393431e0-23b0-4c64-831f-8a130f246717} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 2152 212f9603858 socket
        5⤵
        
        PID:3168
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.2.1050125215\1377378129" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1056 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d7e61ee-83bb-4129-8994-ee88c67719c5} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 2888 212fd9db558 tab
        5⤵
        
        PID:2948
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.3.1101060978\320373514" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1056 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cc351f5-b14b-479e-afbc-30a700d82d77} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 3508 212ee66a858 tab
        5⤵
        
        PID:4948
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.4.244081650\580218685" -childID 3 -isForBrowser -prefsHandle 4016 -prefMapHandle 4788 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1056 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dc0b0bf-b191-4c9e-9a08-7264e838626a} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 4748 21300514b58 tab
        5⤵
        
        PID:2024
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.5.783802256\1258889030" -childID 4 -isForBrowser -prefsHandle 4900 -prefMapHandle 4904 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1056 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5932f27e-bd4d-48d8-bc52-e41b1010fc58} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 4984 21300515d58 tab
        5⤵
        
        PID:3008
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.6.1787566048\1661394534" -childID 5 -isForBrowser -prefsHandle 5088 -prefMapHandle 5092 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1056 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7a71280-671f-40f4-aeec-427f69672fa7} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 5008 21300739258 tab
        5⤵
        
        PID:2668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
6238d25a3d0bb5bf3aaa3a291d9c7ff9

SHA1
bb556ca900f120c94b01fb7e54cfdaedbc68a93d

SHA256
665ec155ee187df126b0f43a1e9448470aef229c22c587ddb3cb7f4d0c3e93c1

SHA512
f1872c7b304c1d78da37afc0be466a7973dc4affdb0c22e4bd0cbfd7e273622c6062f9c406e2f7fde38150e4394b3da3850da732bdf5d56801d24b9ec57c3dc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
39fbc9aaee964f5ff480f37d98b32e4f

SHA1
bcf0669c7635622e6dcf44f9c0296ad220780a62

SHA256
ecf6c26d8982314e3e44534dcc80a17af38c356d0f5516c9210c555d8942d65e

SHA512
22dbd0537a1a47236a6321eb5e7b67c93ed3b967859976c9cceeaa1c2adff92c1a687e133a0adc5a4a6b478b3a86a3ea7e0fd8419cff4d78bbc9d7fa2d279ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2bfb82323a268a131e212a745046b0aa

SHA1
cb9cd51c52bc06098eb3378fe039ce6da5d51203

SHA256
5a0e9c582404313cab92be6b334d1fa4505bcc86369b4190e52dff0a78a9a4e7

SHA512
3c05afeae9b7729fa72053f7d5dfb1906dd39fdfe55945a00f66593b4efd455fe25679727a336d8e6e7e4af194151e29998cf20e59676d13b2e4ae7bdacf1944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9c4f6186e1312dafe9a10cb64161c76c

SHA1
c13bf0008bad4899f2b750a3e0da60b17c84d5af

SHA256
9eab16e7645bb7a9ecad3428d4bdaf7c268202bf78aa5fa2c9206b2582936b58

SHA512
31d5d55972314c69c198c3b8b968e8a91165357b4b7de78e02f5e875226f7183c94879c04f43475ab339af3ece15e8bbc70644b0446ad0c17ee1676dab298568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
34e8babce2ef392a2a243d5b4d1bce38

SHA1
d3fd393514abc43aec56df30b8a3e3f49d8e559f

SHA256
c9dc73c2887dea315b9b648e2462306e87677c49b68a8b23f967b4a9137fbe52

SHA512
46780ef5c675b577cf754c166867acc6019ebde3fbe1714fafe905e844d760700db43a9039f8fea2e5e8ed1c7cba8017490e101bf13f0d9f6edf517e370c4584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3ec280ba64c77b9f7e50d5fd564c7116

SHA1
c606850d5a052b22e3392b416464b82c1da8cf3f

SHA256
598be4b9dbe31c5a44cc9eb06623fbf608e54b606232937a300fff884bab638c

SHA512
08ea7387c86108858edc05acd9d38ba4f32701a2a74d29cd46784cfa6d6b3fdbfeb0016e8d28e88233643c42bc3336690075e182b872d2f67d2af05c8a561b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1e74227806938a1a68cbc91d69892481

SHA1
0dd9c96f584fcbe14f266ba6b404f75448f6f8b1

SHA256
2a5f5ce32bf97a2a1c99cafd53f2b2f7f6df5cb03e0b2c0f2284499a65047f85

SHA512
cde7db364cda2781561ba84fb42cddb45814bfa43fc76e8d1ff64945acf38bfa65a4896172f403c4ab1cfd462bf179f01015b65f53a4ef749431ef30e61dd114

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
dfe68cb2b5ac4fc2ad92015a094c12d8

SHA1
de9c15926f83481fb1cda15b015d6a7e0e13e391

SHA256
fb70e01a8c11ef8cd982377f4db13b17fb1c16bc4b43ad5190d313e1870bfef0

SHA512
5da4a0c637d15ede1ace0aa293b393d45ecb73c35bf490198ef0e0e4c1d1331949d81212dd95a5f8cacdcd0355051fcf6b943752e1c5e37c6d2dec80fb643315

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a08f6a97-2437-429f-933f-2f8a46d57690.tmp

Filesize
6KB

MD5
8344cce7ed30780a989dec69273b3e0c

SHA1
ca995a8ab1fb01c8d6800984bb93b10b2657f28d

SHA256
58e52365657637302600619181462744d31da85f9cd31687ed284899ada135a6

SHA512
f008b81326e32db486dfc2092ffa3a29b8f657eedf2439b76a9a6fc5005d6184439ab2aa5e0ecefe8a224b0aed7c463af7ce237e43ed4e717f67847f9bf46310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
290KB

MD5
5ca6df378aa90429c28da926096a9aaf

SHA1
bdf378d98a925a689cf22998b728876155d60784

SHA256
66d7a6105ba704c3c58fc0621861f3c24d08c39b05e1112411a9200d231e1500

SHA512
53c587aa587caf23d4e9b6e47a103929925f4194c1282942893d3b2010c7108029250a37d307a52497e2bbeb919c8384493638bf29c6646861f12019bee5ce05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E0E.tmp\5E0F.tmp\5E10.bat

Filesize
2KB

MD5
de9423d9c334ba3dba7dc874aa7dbc28

SHA1
bf38b137b8d780b3d6d62aee03c9d3f73770d638

SHA256
a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

SHA512
63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
965e02d25d5a2f1bb8b20fd5aeddcb45

SHA1
8238e3b5d889b8994c7edb3330e3eec696491892

SHA256
5aa454171c22684c169d6ef5b2694ac250ab691e4a0b1205d8f15f73272d42b2

SHA512
fde19eb0f849b52d43aff491c143d277e7222321bfddd94d899d633da4f70e6c89f81803cb55b6b2bdb5a4801f34c962b0da6a2687c43fa3a3c1e75a081019de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
6b8b6b4b3fc820862b044adf72b087bd

SHA1
d8bd434937378e61ba56803da65360d9d4ee5d51

SHA256
057015c6bef65fdd74fa9ffa8dff1400d1cf5603f95535719d02f94311c12ef9

SHA512
5f5dda9fd166a5d76040e9b0e076136b191f651fdb446f90d4ce1e84aa49fc2ea5394af419323d12931c59f1521edcbf3f73a31a575e5e76875ac5bbf215296f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\2763873a-53fd-49d3-8b39-c84732b750ed

Filesize
746B

MD5
0fd82153949944981f37b23bcfd4d4f2

SHA1
d4d3140e1d57c6d3bba6f0c7d0afd6345e1b1541

SHA256
1d7d700ca743f1c6de3c7da768f32672d6f984d651580a59e389b84f4be8c71e

SHA512
c20139743a6a133be2d9968874c92ebb8e390554d6a6ec1d94cd75364243412440e8b90ecae88dd12c151c911fd67a90bbe4351f54e20ff53a8b9c98949ef098

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\31c3d94c-f518-4481-974b-7fd9171899d1

Filesize
10KB

MD5
c533a3f70e026155afd69756be20ba0d

SHA1
c794eae9b9656af634afa657cd4f0af3a11a5bb9

SHA256
b60552879998865816213597432c01f8596782be53c6096454a647e71cf136ab

SHA512
875f81760c03f61dced4970ca0f758f3479acc11f6c302268c42967060a7c088aac5501d49d7216219a51d88e68a2e8ce10c651a90df6c337a205ef51bdb33b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
904c3d7b6e7f3bc9a222387016622be0

SHA1
5d5d3ce3399913e218ef00e7ea222d875cedd04c

SHA256
d3ff746c092673accab0608eb17b714fd1a9fff0aef1f7e703aae8cb2f1debf1

SHA512
0cfe9b62e90ec1aed1ef64be79f278ae0ed5362fac8d8501ecce5aef51dda4681a84c41903f37510fe7b19504f3545771c93f2209d6150a59371d0f29cd65cf7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
7KB

MD5
4ce93e61294ce653ccb22554e694680b

SHA1
394437cf2fcaaa2646c905b8d4885781c41d605d

SHA256
1c1416d14fb01523485bdae223a4257cc7d4b47ac8de0d72cb075a35df47cc39

SHA512
b6dab05d49503f2463df18c41665822fefe1189a3238f8f15d1864bad95e02a3e94faeb977b837cb8bdcf5cf61ddf4b1988b87632571e52486cb4f7ef2f8373c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
3cf8b94848ac8ea4cfe8f649c9800c28

SHA1
2c9b3cb9e3e3a7a27204f23caa83cdf1b56b86f5

SHA256
e18756cdbe66fd364f0d9bf693681641b3a5c3bed22b7810cd98c22755a1ed58

SHA512
d0446873b59ca030ecc83118ce28c69a5412eb9d22eeb470baf8f14f5137fec46d6a9905522a0f4de90765d2b95c0cb2d2ac58d3b61ff2e163400174ec1fbd10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
ea2996e5f730005127b32eadfd68bfc7

SHA1
c72165c85b2a9de02d7054ee4fb3b35206c5c6b1

SHA256
a00f10df0981d75f5e3148b4163734d8b516227fdcffae3724cde44f3ce3c289

SHA512
7ede8d674d0d6fdc2ed095a18101e849d5dc89eddb4058103633c958e0a2063a99c927108fd48c853e60902a4b5eae911e20036c21537f6e18faeee27ab2c65b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
cda98c830bf0a40e543d5c75f9f8da27

SHA1
8af226ab93b09038a6f52b36d35e714c5a994ef2

SHA256
16bda387a0cc082cdd61ef1ba1f8ef61a38a77cad233bf6626b381542eb8996a

SHA512
a19e79140ecf5073081e1a742ddf0eb6ecc20b70ecb1bbc8ef42d013ff78c387b0d77eac0a0e62063dbc33b3352aa0e3c5b5cebaed1b645d62a03e58f576e25f

Download Submit