8a5658fe5aae0d3c0d9c882a2c212ec855f6059a438ca9382430f06ab7ea08fd

Analysis

max time kernel
1799s
max time network
1732s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/09/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qyd priv.rar
Size

52.9MB
MD5

5e42ae42fd9f077310b3499d2a2958c7
SHA1

b100d4824f45696294f74cd0f344cb1937b63316
SHA256

8a5658fe5aae0d3c0d9c882a2c212ec855f6059a438ca9382430f06ab7ea08fd
SHA512

8c4032d4b5d2b02aaf9f732eb09f9b8301ed47627f1f994d83e34a1cc7de26ddafa00d6b65594e56fbd205f76d5bbd6de33963783c5636ac28f907f7518756db
SSDEEP

1572864:xKdZhPvICyqLtk2Id8abVfhUdo8gcwuM72q+whGZnV:xKBnYolIdPbVpuo8gB2q9hGJV

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705520385514245"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1632	chrome.exe
1632	chrome.exe
4752	chrome.exe
4752	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3876	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	firefox.exe
Token: SeDebugPrivilege	4128	firefox.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4128	firefox.exe
4128	firefox.exe
4128	firefox.exe
4128	firefox.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4128	firefox.exe
4128	firefox.exe
4128	firefox.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
3876	OpenWith.exe
4128	firefox.exe
4128	firefox.exe
4128	firefox.exe
4128	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 4744	3876	OpenWith.exe	75
PID 3876 wrote to memory of 4744	3876	OpenWith.exe	75
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 2312 wrote to memory of 4128	2312	firefox.exe	80
PID 4128 wrote to memory of 2180	4128	firefox.exe	81
PID 4128 wrote to memory of 2180	4128	firefox.exe	81
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4308	4128	firefox.exe	82
PID 4128 wrote to memory of 4928	4128	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\qyd priv.rar"
1⤵
- Modifies registry class
PID:2752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\qyd priv.rar
  2⤵
  PID:4744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.0.610184930\1174809360" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6699f37-c1e9-4049-bfcd-54adc8558a19} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 1764 28f910da358 gpu
    3⤵
    PID:2180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.1.1952109950\1588440265" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb39727d-5d67-4d8b-b4fd-36bbe711e285} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 2120 28f90c3fb58 socket
    3⤵
    - Checks processor information in registry
    PID:4308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.2.1437874347\1177806885" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 2864 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90bb0d00-59b3-4301-a320-4a50a1423abd} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 2828 28f95194558 tab
    3⤵
    PID:4928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.3.535532998\1263677883" -childID 2 -isForBrowser -prefsHandle 3312 -prefMapHandle 3304 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {826e2ac6-b53d-4100-88ba-3b63866fa8cd} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 3352 28f959b0c58 tab
    3⤵
    PID:2916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.4.310665387\1320734695" -childID 3 -isForBrowser -prefsHandle 4432 -prefMapHandle 4428 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40c73c8b-786b-4dc1-adce-b4952be07618} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 4444 28f962e8b58 tab
    3⤵
    PID:2036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.5.205568611\1836604160" -childID 4 -isForBrowser -prefsHandle 4820 -prefMapHandle 4856 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d7a035-8762-4900-b5fd-827b5c7f7228} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 4824 28f962e5b58 tab
    3⤵
    PID:2136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.6.1753726866\1823004892" -childID 5 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92f8dc33-ada8-4f50-9cc4-a706934affc6} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 4968 28f977d4558 tab
    3⤵
    PID:4584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.7.138383171\1976733240" -childID 6 -isForBrowser -prefsHandle 4632 -prefMapHandle 4428 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd8e52e2-b8cd-4cde-a7dc-1f751dcf3a93} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 4824 28f977d3f58 tab
    3⤵
    PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffe1c99758,0x7fffe1c99768,0x7fffe1c99778
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:2
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3960 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4672 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3924 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5100 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=164 --field-trial-handle=1828,i,9223204291768551693,15585294089048019112,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e259d466c1b7395203f672b00f67e1ff

SHA1
34546ac6fc208eecdf379299fcf250f553ef3804

SHA256
5bd4eadc55fa51bb48632a95768282583eb1d7b35acf5086dfe0db5d3151bd6e

SHA512
7a19a2946bbba6151ae52b96376e157602eb668290d4fd3bb3d0629e0af838e2262d0630c618a13c7ac4166ad02538746664f40c65d26bcf516f741595eb464d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
602B

MD5
eda3eac8df7029720d9e32d229e4d485

SHA1
8981ea66073b98952081738f12ba0e037c1a71e8

SHA256
f5da106cf93942faa203ff83b6f5edd9e864682b6cffb9fd7a803689aa577828

SHA512
499357dfc93b2b10a16d8fdf3eece3115a872870c80a3d4388acfbc9d700fe054339ba3bde38ef873b37e1573630a3331461812399c8d0a23433d2095d11b101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5510f502ddc494a89851ae37037d0059

SHA1
da031fd69b8005964abd2b84443483e1d3881231

SHA256
c9f6eab9fd87b9b196417ce0bb21e876ddd33e1adabea40e7dec97e765475307

SHA512
80b351aebaea84d9d600561c784e4cdc2fc5e901cfa7260957ee5d08bd9e91e14ce8f27a8b9c895a0149f5ffbbb4dcafc216f411eb6b5471aff04d5c2bc3f038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
89a1ccd6e6970ba9e34625e91db25120

SHA1
b53b47d65f7d442db40cc02d1f93965c3a4ce6f3

SHA256
61a886faa8cae2f8381cd8e1cc837fe25e06c79c51222a7f0b22debe818a86e7

SHA512
e4aeab16d6587acaea42abd2bf3db0e337d8748b8a1e68ccab59fe2650be7316f52388821cd156015912f9d5d7d0416767535022b36398bb6963820f953531b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c26d665ced362d0e38e4b925adb6830d

SHA1
256fd513a9d8e7ac005146d29738724d4624709a

SHA256
01f28fcb68f7d0f37122d4eab94ff8e93880253cc95719970fffb98a0f87c176

SHA512
ee473bb4113ad38be47d11a26b14c89563982e87e7c4843c396ddde422a81ed5a45c2f632b576bbfe72a5edbe6bd91a3bb052ad6ac8d2c7284e0ab54c1a1e9f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
48c97bac6bbe6d766b65023391190bfd

SHA1
822f895f1c32b20a4560d50df486e16ff737c450

SHA256
9972b585d9cb85592430d8edace2f0c1a352dd7dff4631372bdb817fcc138086

SHA512
dae5ccb392839440ff638a20aab502fb886b11479a431d08962539b50f7fa8213730f34e7f6a09dd57b1d61953f67117f036e7ffd77fd23148a6bdd21912bb63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
44406a9970a8918fe88cdd6405bc90e8

SHA1
782014557385283f5caa67025adda7c41068fe14

SHA256
5e486c4715085d3151b74232f63a848fb9f93a3e0e2952fd81551cbf8246e829

SHA512
2742d2849327b9ca5f9bfaee99b09feadb6becb0f860b05077ff19b73007615600b9265f18e6567923854ad17d56bdb30fd298e8b1f7e08dd1e6d5bdcb3ea054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
304KB

MD5
21d62096e3fb377bc54c6485d7fbc69a

SHA1
a4caafdd62e8244bf3ac2123dbb367a729465fcf

SHA256
69ca3e782f4f9e15b7dfb622e8c66e57e4c7e7380e228eac15f2d9516b34079a

SHA512
1f033999775caadebbec59d88b9aa36227a285724333b65b00e465bc8a2538f1d4e87e4c58b587e9472054ed26931962e91c037a99ee48a1f81859ede1cc0024

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
304KB

MD5
7194c58766d763ce8add9ffbc384a726

SHA1
dba9fd43b75db51284b06bb49add2943c4345a53

SHA256
d5bc1750ba1beed50672e27ea1314376c40b6ac3537145dd6e2e4e14d235339a

SHA512
58bdb1fa3c9cc7fb92fecdfceaca9a913ee094febea0d1cef47f136df391531998671e306c97d6636c9fbaa49ca3abf63d034a9b58c1ffe394941183dc8e4f09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
375de633aab1695ffff56fa00a300344

SHA1
986c1961d38a7cc2572bad95fc69c58f3a769458

SHA256
b267ec4b3c33181426783739be243f0a51af6987d7c89425f059a2274d9765ef

SHA512
08fa238092adc2f73be80545e6eaa5a9feb63b44294478f1ab48e8532cc67b8bd019c8e3e34e9f9ccfca2bd51fd02f4f17e40ae577209da156635eb0f5ce723c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\923b887f-3617-4baa-81a5-121555391c20

Filesize
746B

MD5
862e1fc6284b1e55106981dbed4b95f5

SHA1
f79c7f871ee1d64f624aaf804f58f52e080e034e

SHA256
874b17218a7f32da14a4459e78a6c99ec49cd2a6541ca04b76531a8c74033101

SHA512
07be09d5249ad7a6e76b647e7a4382583c597efba64d95550b720131e3a1ce0d7400dfa176d59be0678864e6a93641883c8bf85504c75264c5489e75add71652

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\b54c65e4-1d03-4648-9bbc-bc0b7395b4d4

Filesize
10KB

MD5
e52c92653224e45f2e3f77995bb8f8b4

SHA1
6daa9e6e1c7c33c71b0b44b44ed33fcef8d8bbcc

SHA256
bd21ff5e9a12b3bf635ae8a2000b0a3163df8250a574e86c7dde41875b4a054d

SHA512
57862d126074a5f34c1b8b5e5d71cb5ea97b573de3efb4eb2116e3e67e08d39884fe4326673d3ad67b6d31a4835a51e15cc0b38b04565b17d7a04f384147252a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

Filesize
6KB

MD5
38ec564fda58509afec39e32d447d6ce

SHA1
7e160097d6d94e2a64d14208b44cab6eb679b9e6

SHA256
4944d33b232da00a9348a8547d732cedb72989dab78d545862e1481243a91d1d

SHA512
afa46e353b3c6606df9780a0f5e26435ca5c7cb487ff6d5ff54dec2177b010e17633c8c5895655a79da8e09ade1dfe764041fba0b97bd52b2e3a9d64e482adb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4

Filesize
883B

MD5
aa31c443c080b59c7092f210248a8a9f

SHA1
f6dad8c4e89500cfd129d6698da821d6982d1154

SHA256
dd54c14518f9dc7df9581876be2e77613477ea3f4f64d048ebafa9497afc7ad5

SHA512
2a368ec2ab4ac23686df39a929718295985ca9fcb1e89bf438452a672914670e32290b44baecf11daec3aca98849d82d5d0e6189b09d50aac10e01e83d0af079

Download Submit