221944cf8cf33d706f1418545c2cc5f375743e0cb2db913ceda97b7eef31f776

Resubmissions

04-09-2024 18:54

240904-xkj9kavdjq 9

04-09-2024 18:42

240904-xcj9lawdkc 9

Analysis

max time kernel
1210s
max time network
1146s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-09-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sqlite-autoconf-3410100/Replace.js
Size

7KB
MD5

335ee30449b5d0d52ab314dbff93d52f
SHA1

02c67258801c2fb5f63231e0ac0f220b4b36ba91
SHA256

74ba0687a84c328df2836f73d7d36368099a5f5c1c360a84211e51fa71f1dfc0
SHA512

02f40bc955c833105811f78471e29f062c1cebfe4bd96ffba941670c0026ad5bbc81f336b7c2c6b9f804c67ed46c9dabab927ec0fb4c709bd7a049454f27073a
SSDEEP

96:lJC/3zjNPMMQIQBmajlyM3px6D3t1KO4vNoHyJ:l0iAM3vlO4vNcyJ

Score

4^/10

discovery execution

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133699502807773292"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1136	chrome.exe
1136	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeDebugPrivilege	4744	firefox.exe
Token: SeDebugPrivilege	4744	firefox.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4744	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 2456	1136	chrome.exe	85
PID 1136 wrote to memory of 2456	1136	chrome.exe	85
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 2996	1136	chrome.exe	86
PID 1136 wrote to memory of 220	1136	chrome.exe	87
PID 1136 wrote to memory of 220	1136	chrome.exe	87
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88
PID 1136 wrote to memory of 4588	1136	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3410100\Replace.js
1⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffee13fcc40,0x7ffee13fcc4c,0x7ffee13fcc58
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,3826236217653543986,2416297760527985697,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1432,i,3826236217653543986,2416297760527985697,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1788,i,3826236217653543986,2416297760527985697,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,3826236217653543986,2416297760527985697,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,3826236217653543986,2416297760527985697,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,3826236217653543986,2416297760527985697,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4684,i,3826236217653543986,2416297760527985697,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,3826236217653543986,2416297760527985697,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:3912
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x214,0x250,0x7ff603f14698,0x7ff603f146a4,0x7ff603f146b0
    3⤵
    - Drops file in Windows directory
    PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5064,i,3826236217653543986,2416297760527985697,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:3064

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1900
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0c44229-19d6-4eb5-84c6-8eb953ca4b34} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" gpu
    3⤵
    PID:2956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60dacfd4-5775-4fdd-bf20-77daac54679a} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" socket
    3⤵
    - Checks processor information in registry
    PID:2924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 2836 -prefMapHandle 2840 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8e810b9-8563-4e7f-853a-6582ff71a858} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
    3⤵
    PID:1028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3652 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83110d20-40e4-47be-a07f-4a69585f0191} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
    3⤵
    PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4440 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4404 -prefMapHandle 4408 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6816da6-1fec-4b61-a8d6-00011b6fba0d} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" utility
    3⤵
    - Checks processor information in registry
    PID:2760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5368 -childID 3 -isForBrowser -prefsHandle 5356 -prefMapHandle 5208 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdfcb3eb-1fe3-486c-b428-e706910812ac} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
    3⤵
    PID:2188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fb7753b-cad9-4d31-a668-ff6b4c5a000f} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
    3⤵
    PID:4812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 5 -isForBrowser -prefsHandle 5712 -prefMapHandle 5720 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7db3974a-1e65-4426-b8a7-d969f729157d} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab
    3⤵
    PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\20240904190441.pma

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6a9e881288c726a12a1b1a888c7f5d88

SHA1
e9f450bcb66d168252136b348ac5019d05a89d64

SHA256
c22323aead04aeb037fb295416729c5dec705301767c54a2439a521039efe32e

SHA512
aeb2015c58409bcfb024223641f5b40c91b0df218d8643580c86fa2ab5d38b7be29f6275a280731b7fd1540af272f7381a883d6ea550f70641111fe187b0cd74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
2aac37c5d43ac0d54aa6ecb58c7aa48c

SHA1
896e54dff60daff4b287d53c1fd157fbabe02918

SHA256
24d63cafe981e9c08abcc5b34d5b2d1f0a678ae4200a5e4ca6d9fbbc83f09f03

SHA512
8b6db4a4a0327c2f871feda33a613a19b1eb2fbd91f27779592d135eb82391f29cf418e6ef2cb27cbf83aa8006a07c60ccf8b7ecbeed661a7d3dd96651987cf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4251ba08a182ab82422db376f71fb467

SHA1
44f4c81d184fde6716a3f863eac3f2dd784aee01

SHA256
2799d15afd7486213e4d80dd4e9641bb457d1b04011952265ab9898ffbcd343e

SHA512
56c1875a0a995f9b465119f2f5f5ec0a445a1c8371be0cf86ef8686cb026aa6b2569667a37acde80a12a1edfe59249ebc481821485c3c5dc05c9cddc10983e76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0803f2403a6a309b8c01c94491a3a70b

SHA1
981a2383af75309fd90502e22a3b9b904dcc92f1

SHA256
e4cfa1f2ed60f4a148a5ce73bdd02b1a220722ae8c64627bb20329be2f8fcdd0

SHA512
f3df7fbc4abd4cf54eee73107c9ee9eeb396799461a543f2cf6a6683a51a98af338b77f2f2c34370de359ed06081d3798640bf34579cf88cd6ebc1ba53509eda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4600633a7755435360049a45d1f4c7bc

SHA1
4cca6c472005f34e6a9941ebb863067d879d6aec

SHA256
b91c982e7471b2bddc9972dbbba9dfe125e533654265b59989789fc555109e0b

SHA512
e9c2c80503cb339aaa00cdb43bd56378f3c0ef2a99c5ca8f47b14a9c4e8201415f4d85f2d8596410c00df90af977178466c42d5c5016ea78975eb3aad8b7dd5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f01aae88d4f6091377b5b3ce8205bded

SHA1
5170f7b21c3f91aab83eaf9e3bdb1ee4c3c1b313

SHA256
16fd06baf7e0b154de69bbf4b4242cc4b9995e760386f2c963df2bb791f95325

SHA512
b68cdeac1cca149ea60f325b194985375293baa2ca475cb62a4082a7aa035a0fb4fdd96eae2e8c5f65fd66767d7589af6e06f6f3c4da4c77a49e5c97c936de85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
4408e1010f878aad1fa0949c5166cb03

SHA1
c434dffc13d989b6d81b5c31c90bde1ef0080e08

SHA256
269e26826b775496a47fc9cb5cf1e1a96b79bd1d76df424a17673734d42a47e3

SHA512
59ada17c6b4ff828abf2315fed1201aad6e37dea603c9750692b5ab090aed34f03be694c970ce137054ebce4567abce315e31c7d472995b5274d5a202164839e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
8a3b51b4965c704bb1f1744570401ffa

SHA1
e8cc853ac101511770ba06ce9e19a3f919a7b2e3

SHA256
ef098b11132b118a8875ac0f7e30decdde0bb2c35d523fa58468a6819d870329

SHA512
3c6ca7f99c5879dac72cf12f6f3978c7e3051178fe017ba737ffb40f3bebf1bf2a28323343999667df3c42b1afe3c72ab1c17ff726fab5ba298856adaf3ddd10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json

Filesize
29KB

MD5
5534a3436781affa91967dd10f79022a

SHA1
1f86cd0190701c8a6af4d5b5cae5af69e103b8b6

SHA256
be6a71fe6550a34976831f95b47368d1c364ec9d48ae816f32946af04989b824

SHA512
fe610321643671c8644aff9aad7b3702a810d9dd0eb7faca2110fa933ca23839808e5a3c2b3908c5186f93439aacd1f19d5c41efca1a6f5621dc8cc5f631aab6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
6KB

MD5
d51f4b8720d68073d727b95bd115ed29

SHA1
95a0b88b2a0f7ff2a63814a071e473c6e04da2af

SHA256
8ff75485c1831a0c9754e0f3158da7b52778191515e2569cf1ea673dc8005af5

SHA512
1300541966bdb28444f04052b985de1e2b107eaba633225a6e701fec85c6ee276c291aafc74d909ad7282a053f3815dc1469a7de4a55549085baa94016c7c8e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
87354843f024ac110a4483218bf2bbe3

SHA1
f6c57b98691a81da5193feee8601a33dde309ca5

SHA256
a29cae87d176f15eb067f4282c4e9ac4d4283c62d08b2f1d6bb1cb34850a3d8e

SHA512
55f370ed45f993d9577a78cbb60f0ad817eb191a3920c184149bcb106f0b228ff5c46027a14c7135ee14690a28eca4b6608c7982306d3fbbc8016904ccbaaace

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
89d3d38f63a641fe68657bc61b891654

SHA1
33bf642dc19dc57d314ade3fb6ffdf2d69d784bd

SHA256
de68b6cbb3bb6340144535be7d74393d55d504a1d2631e441cda8ff40d47c6cb

SHA512
077ba47d1c9ab86a0ac897589717a7256f46f9faae916db1d7fdcde4aea2b21ccffa50fdc10ecefbce1664e5740facf111274be0b41013eceff8fba0f56cef51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\7b21f5e6-24e5-4baa-afe6-297e721f8aa1

Filesize
982B

MD5
687dd6656d038cb6fe8a93ee0cf6369b

SHA1
5eb2d526a0adfd8c781c0575c3cca021b0d3781d

SHA256
aa952dac2c4fa72b7acc4e1fb81020c205b3dad7290db0a384d6d4d24d61c673

SHA512
1ce651dee73348fc28e64622ed73be622154e7cc79cfdf195e29355d421622006999cc7cc6a23c46c3aebad6395545d49ac93f572133d40633f5d4ee5f688e07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\b6822022-ad20-4f01-a13d-b1419d30bffe

Filesize
671B

MD5
4d366d46d01dab7b5c893e4d6c2a1985

SHA1
913dbd44b71e9378badaff55b10b1f5771a60aad

SHA256
e5a3f482f10b5d3601987ac30613361c0cc7d9d353ba94caa822f1cac8ab2ded

SHA512
0cdd696aa340b4f89e491a3dac3669668b0c4b69d94bcb841c8b6767cded2d927c8c5dc79e71e1aa0411d47c2b50b5553e5714c8093cc6d203c17d6d136a1733

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\cbcefc97-c70b-4da5-b2b8-67b64141443b

Filesize
24KB

MD5
fc022c5bc17043975a415af2838fe563

SHA1
f01e8fc94fe5b93a4bb4839c37a039190befc0f4

SHA256
223c6aafa7a1fa0091325e32aa5c00a5a0c8e03d769257fbf8869e72851f7ebc

SHA512
3231d31ed754949e1031855415c46fb32b561a9e526b2b3112d76d14a2d1fe0775db0398c801cbba3ba377110a0673adb8b930f52f9a3c5ebc98c8f9ab1d7197

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
11KB

MD5
a5b8db115d95f77a91c337a002e1f0f4

SHA1
5b7767a8a82489432c46e6448d57adaa471a392f

SHA256
38d16f982b6abe08777553a5d23bd8afb6f6b0651de4c7371259eb1c1f4b7bd5

SHA512
81576d71b4ad0941567554ee7055d608c044aaa26a76ba828dcde65a6b4a0faa4a0277c2b4934d57f760805086b410f6d14cecc923fa556d3e7857afd75338ce

Download Submit