hxxps://emp[.]eduyield[.]com/el?aid=2nmsdda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google[.]com[.][//][//]amp/s/bioesolutions[.]com/dayo2/qnqgw/bWFyay5ndWRlaHVzQGRlLmdlc3RyYS5jb20=$ã€‚

Analysis

max time kernel
111s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://emp.eduyield.com/el?aid=2nmsdda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/bioesolutions.com/dayo2/qnqgw/bWFyay5ndWRlaHVzQGRlLmdlc3RyYS5jb20=$ã€‚

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133688672085360496"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5652	chrome.exe
5652	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	firefox.exe
Token: SeDebugPrivilege	2144	firefox.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 3356 wrote to memory of 2144	3356	firefox.exe	84
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 3352	2144	firefox.exe	87
PID 2144 wrote to memory of 2852	2144	firefox.exe	88
PID 2144 wrote to memory of 2852	2144	firefox.exe	88
PID 2144 wrote to memory of 2852	2144	firefox.exe	88
PID 2144 wrote to memory of 2852	2144	firefox.exe	88
PID 2144 wrote to memory of 2852	2144	firefox.exe	88
PID 2144 wrote to memory of 2852	2144	firefox.exe	88
PID 2144 wrote to memory of 2852	2144	firefox.exe	88
PID 2144 wrote to memory of 2852	2144	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://emp.eduyield.com/el?aid=2nmsdda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/bioesolutions.com/dayo2/qnqgw/bWFyay5ndWRlaHVzQGRlLmdlc3RyYS5jb20=$ã€‚"
1⤵
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://emp.eduyield.com/el?aid=2nmsdda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/bioesolutions.com/dayo2/qnqgw/bWFyay5ndWRlaHVzQGRlLmdlc3RyYS5jb20=$ã€‚
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5d476d1-d61f-447a-a93c-a8bf8d018c14} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" gpu
    3⤵
    PID:3352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2284 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc5428b-562d-4bc6-a3de-77f3ca06093b} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" socket
    3⤵
    PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2644 -childID 1 -isForBrowser -prefsHandle 2648 -prefMapHandle 3160 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {beeb5afa-9fb9-4f12-8892-386e3838a8f7} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" tab
    3⤵
    PID:644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3532 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f8d8ac9-e7ba-4d0f-be84-68e5b61061cb} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" tab
    3⤵
    PID:4968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4280 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4220 -prefMapHandle 4272 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5006b43a-ced6-43bf-a192-224781aea1bf} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" utility
    3⤵
    - Checks processor information in registry
    PID:1640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5252 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba33a799-81d7-4aed-935a-2002a1489b02} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" tab
    3⤵
    PID:2880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {557fe1b6-7695-411c-9e7e-1e65abaa7755} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" tab
    3⤵
    PID:3664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5632 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2865b664-d9ce-4528-bf42-827ed795f0c3} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" tab
    3⤵
    PID:4356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 6 -isForBrowser -prefsHandle 3056 -prefMapHandle 3060 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ec2a406-02b5-4523-8c25-df6d436dc403} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" tab
    3⤵
    PID:4992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6104 -childID 7 -isForBrowser -prefsHandle 6024 -prefMapHandle 6028 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d6345ef-54d9-4e7e-a33c-ef19a419d03e} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" tab
    3⤵
    PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffaab37cc40,0x7ffaab37cc4c,0x7ffaab37cc58
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2088,i,5637116691272204210,5594493489110142372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1984,i,5637116691272204210,5594493489110142372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,5637116691272204210,5594493489110142372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,5637116691272204210,5594493489110142372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,5637116691272204210,5594493489110142372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,5637116691272204210,5594493489110142372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,5637116691272204210,5594493489110142372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,5637116691272204210,5594493489110142372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3884,i,5637116691272204210,5594493489110142372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4692,i,5637116691272204210,5594493489110142372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:5620

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8bfe1b20bca83e9af92e6138373293ca

SHA1
2fe30f884ed658855bc1f5b6a90753c321024a06

SHA256
ff4f79b0ae47bc2e65ee9b3aba52a3b5d22685c17e3367b6072f844fed7b809c

SHA512
81f9581dc45dbb60e0321c524a311edfe905c7e842a4d43e64d885f3a474f234af2c9f2803ccf788fa794ca67e1ce39b08e27a04fefc31f81c197f75a69e6b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9d6d89095a27faef43d40502cf903971

SHA1
c408738a2cc4a689441521482eaf16fd9168cc56

SHA256
90a1e7f3641c29b9f0217cc5782359d4949c1f5ece3800afb680028adc82817b

SHA512
a96cb94e952b87d385a0c03f88725086c6442715a607cc5f5096645e1a05159ecfc03e733283e28a4c8a39c005c899d047a76199b8ee55f9aee56b2322e31c6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c19de2b8fd4e050265d235a8f8a163d4

SHA1
d4c884b0204ecfe2bf590ef8ea5fa2b0fb56bf91

SHA256
4813faa86d6b9efa96793b79c2323b512aab2b975f51b858200d06f5f4637f77

SHA512
58b69c01bdaec4aa7e3072cdd48c3d6f70936f096ae45ea386cc91f3cca121c53d4a1c08b8796fb7d002a050c08a9e7aa0b9d099a5d5a5c841b9091b882b0037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e74d9889b370f416de2d5d99b1b76e62

SHA1
70ef03cab5123e45c1716940d97ec2f396b11a3c

SHA256
f94851179dabe13ac3900b9bd5ceadf13be5e1a5d2cbda183d3708dcb9600074

SHA512
867ef8661cb08de39d8e2132c708972499aa7104956c288a8b9119b8cdf6931aa10734b8ac2a924a198bc29560e1d7ebd4bf0dcca0d28f425e693ac1d689273d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c5ab5f9a2c1cf1d86d6718be5516620e

SHA1
8d9433d92a735b1d5b7c48badddd357fa99eb722

SHA256
926e5743be25c4d86d984c0dec24d359067eb15240ba8e061761b8949721255a

SHA512
f2d69894371c25603520228c62368385033e598a102d8905af8179a52c9b2c7d897c3ceaa0b979c0630391b94ffd7dccf882555baad1456f80732e26e9bcf7c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
3be50d2723787babc3ffa695acc6b6d5

SHA1
2a93be2a7337ca3c85df551cdd3cb304ad47d43b

SHA256
341cf7bce4ede90e948747f1fea7eab5171990bde32613afbf7f0d907a97caf7

SHA512
38f5f2e17ad1447295e72ae4cb935d9453624725f59a88c4c5d1625417eb2572c58a37b32367bb77ae0314791e3ed104f69e6f139bd2eb509263bfd3ea1cb816

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
7KB

MD5
f63dab87e7208e0d949412dbdcb70ae0

SHA1
488a35147ff4472e72c742166ccb6baf116a4296

SHA256
6f40d12b1f46e1c4d20b786a46e9a7f0049fa79b0567160158a19b8a098c71e1

SHA512
76a65d08093dd5ebd0003abfa45ddc4e371a035ff4eff73cf5c1e650f3585f315eb5d8ef8ba0dbd2351dc57c0b1b51f160d5a81b625f859d8ef0e7de7af4ec96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
12KB

MD5
25a83c1f01ae68146bafa4708739c77f

SHA1
f648ca1693708af2a63ffc8cc4ad43fe05bbc816

SHA256
a37cf7373dbf2d7f3aeb11763df14fb63de8c0a6aae6b0ef420c3fb4344e0a2c

SHA512
1b06bcbc8c4fb3c53127eb53ccd3da0c237f211ce7fb15300099ab1ecae97b6aec870230048c41fcac0b45937c63f08d1e5f657937796d6ef53dca12428d3e2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6a84d3c21ab4ce1a4014f657790bdc5e

SHA1
225c1b4141120d573866313cdd9e9df011a25c78

SHA256
e328497621c9468a0e88f611243cca6545d68cafa4bd4f9df6f0521cc2251cc7

SHA512
1a4f6864e83f0d07945897336e6c7aa0cc06952e69b77816ea26716d9a5940924bc68a406622478cb8e8c042b9677df61e306dec028ba0dab325e95f08de5164

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
ef7e4f2db7ed60824ed4eaefbbd3d902

SHA1
0929272cc632c978a9a8a031d5dbc1fcf9f1279a

SHA256
d49280e6bd3a354098b37333c0bbb6b7490646f08b15b1414bcb62779840dbc6

SHA512
8a6bda994a0af605eb36e34d9da8aa4b2247376ad34731adbc7b31cea22723e89b64da44c03de1d5e9b0b310bab6a6bb5dc73e6659552a857e03cfda98051dc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
727cd15afe162fe78d77eaaaffef767e

SHA1
84e5659b4865410433b47e5cc1352e2dfad9a2e0

SHA256
92c97d47b534e9675d69e760b31784fd87ef7c9cfe11517e32390b633cbe32fe

SHA512
8a7c0e0c826866988cf50941ac7c7931b8a5876bd7f2c27ac5027965066c2f2870cbc272436c8a254ea2ed22707ec449d5bf1e5bdf9206005214332cac2b7bf8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\42445872-1b19-43b8-b98d-6f4f90065271

Filesize
671B

MD5
83b6555adb0d6ddb351009ce7915395e

SHA1
3e58c1ebe60ec1a6f5d8ed9724b01e020f907a5f

SHA256
dad412e7577e9f6a967ec72b82cfa77465fddadeec2ef1c5c8ad7cb68e2546c6

SHA512
d74fdae05936d898fdc34fc5deb8df28da319eddd4bc49fb007c82dde639c586796e0a6b59622b881bd82c0a5aa7ecc4c40a7354b48f35869c4b20cae73d479b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\5c09b70c-933f-4924-95a5-7b6c9798d6a4

Filesize
26KB

MD5
7b3a72aeac5c524f212d8179e27ecf98

SHA1
051a7d19e599192a5c6b4a1e72977afc2c248822

SHA256
3c4ec66674b4f6b9834424f4612a5e9d4c2de82f29c3e0dee67d8a79a6ff0436

SHA512
2394595b4e60758c9e18765a69b50bd009c96b887076d5fae580252dc61097462cec32bd95a46bec75213825342a561b6fbda86b4a6f27ce577436a5f59d5735

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\dc618c9c-28ed-48da-a95b-a4e42dcffb8d

Filesize
982B

MD5
2d02e466561e00aded1f586e4b2c8b50

SHA1
47eea74b384b124fe7251cc99ef61d3c300d43b4

SHA256
44ab8eb5fcd39e8643a76b764855607a103b7f38643dd5802813592e85554ee2

SHA512
fe894951175a9867244be2c4cd10ee875f1cef5b7adb47eaedcd82129e0875ed5f5f85eb1e0bf7112eb54962c8869daa8889190b18b5ee614c4542a31004c161

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

Filesize
12KB

MD5
8848623a4a0e8628c004e33b6935c6da

SHA1
1ccde16009ab3e4ed4314b14a33b5619fa22990a

SHA256
befb8d0f8091eb10bba3260c19e1192fb8fc0c7f636c763b941d5dc19e7597c5

SHA512
963da9e6471b42d788765203ffb7fe8358c78a546c6f72357a265078d23d50d1876c473954b1ac889995122764abe4c346c451853b180068ca08f2a12a770950

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
11KB

MD5
f8d5ec37c7dced9cee7c87a4a7a34d9a

SHA1
97af36646565e9ece964e42faf129e29dc1d1c68

SHA256
1256d692589757c1885b552667a90b8f1dec957aa2e60517446dfd439b2fda49

SHA512
03b290fd5839ca3b65875fbb3a6b7d800ecd655e65dc2a672a1804b981534278216d9919be9f3ec2848320d959c09a7b3920752cc03ef92f70492eca66db85ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
1a650d2bd8505f0a63a324f4de2fd99b

SHA1
51593e47af1cf120df1fa78dd05ff1452aff3af4

SHA256
9d0289a7ccccc69b71f9fa89ae7ece286548000b065fae7a7c3d9b38dfdf8ff7

SHA512
534d52873804e3f21383506d5a2b9c05f128fa4768f43860ad9d352a5732a0a39178b77e29ba2f3186acf216e43b222fa9595ea4bcd1152191526073d4a6bf94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
eab23f41595e717b08cf72828c8c3596

SHA1
c5342cd6d7c317ba21cc2d56fb0c52630d86a5e2

SHA256
d8453811074da8df8f78f9e83f59aa8f733cd3d55c45f9cd58dfb7ee1b6cf1b6

SHA512
6ec661543b4d7471125623515ff3be6a401d4bc7ebd12ee0f1511711e32498eefa97cd40d50397cc70f7a47efa0f5b8a191a8bc76f878131a538172086a81f99

Download Submit