exelastealer | a6fefc7e8870875849c51fec5cd0e7f6c5c7a698dfd9950d52c40e04d4e422c5

Resubmissions

24/09/2024, 13:21

240924-qlxgyswfmn 10

24/09/2024, 13:14

240924-qgxl6azbpd 10

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/09/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hellion (5.exe
Size

9.4MB
MD5

590541980dce6d68a1a8d6ad9143d90c
SHA1

231ff4afaf6d3ed80e801f96c51d73e1708ea6c4
SHA256

a6fefc7e8870875849c51fec5cd0e7f6c5c7a698dfd9950d52c40e04d4e422c5
SHA512

52745f7ff9c6545561292e0d9fbffa4713ec3889cb4e8d2126ebecba59c3c9fe286f3741035da1e7da830bbcc00dc9c702cd13f67c2654b65c5ede6f242751e1
SSDEEP

196608:ql0xzKISwLRXgWPmpzdhqiYB6yD+KdWrOI11:g0xzh5L1V8d8BR5V

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
736	netsh.exe
4148	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4564	cmd.exe
3696	powershell.exe

Loads dropped DLL 31 IoCs

pid	Process
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe
4560	Hellion (5.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2164	ARP.EXE
2280	cmd.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2816	tasklist.exe
3808	tasklist.exe
1732	tasklist.exe
2496	tasklist.exe
1056	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1060	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000234b9-46.dat	upx
behavioral1/memory/4560-50-0x00007FF9829B0000-0x00007FF982E16000-memory.dmp	upx
behavioral1/files/0x00070000000234b4-62.dat	upx
behavioral1/files/0x00070000000234b2-61.dat	upx
behavioral1/files/0x000700000002348d-73.dat	upx
behavioral1/files/0x0007000000023490-76.dat	upx
behavioral1/memory/4560-83-0x00007FF98CFF0000-0x00007FF98CFFD000-memory.dmp	upx
behavioral1/files/0x00070000000234ba-82.dat	upx
behavioral1/memory/4560-81-0x00007FF988B30000-0x00007FF988B49000-memory.dmp	upx
behavioral1/memory/4560-87-0x00007FF987AE0000-0x00007FF987B0C000-memory.dmp	upx
behavioral1/files/0x000700000002348c-86.dat	upx
behavioral1/files/0x00070000000234bb-90.dat	upx
behavioral1/memory/4560-91-0x00007FF982830000-0x00007FF9829AD000-memory.dmp	upx
behavioral1/memory/4560-93-0x00007FF9872B0000-0x00007FF9872DE000-memory.dmp	upx
behavioral1/memory/4560-101-0x00007FF9880A0000-0x00007FF9880C4000-memory.dmp	upx
behavioral1/memory/4560-100-0x00007FF974680000-0x00007FF9749F5000-memory.dmp	upx
behavioral1/memory/4560-98-0x00007FF9834B0000-0x00007FF983568000-memory.dmp	upx
behavioral1/memory/4560-97-0x00007FF9829B0000-0x00007FF982E16000-memory.dmp	upx
behavioral1/memory/4560-103-0x00007FF987880000-0x00007FF987894000-memory.dmp	upx
behavioral1/files/0x0007000000023486-102.dat	upx
behavioral1/memory/4560-115-0x00007FF982F60000-0x00007FF983078000-memory.dmp	upx
behavioral1/memory/4560-114-0x00007FF987AE0000-0x00007FF987B0C000-memory.dmp	upx
behavioral1/memory/4560-119-0x00007FF987250000-0x00007FF98726C000-memory.dmp	upx
behavioral1/memory/4560-118-0x00007FF9878A0000-0x00007FF9878BF000-memory.dmp	upx
behavioral1/files/0x00070000000234be-117.dat	upx
behavioral1/files/0x00070000000234bc-113.dat	upx
behavioral1/memory/4560-112-0x00007FF987270000-0x00007FF987285000-memory.dmp	upx
behavioral1/memory/4560-111-0x00007FF988210000-0x00007FF988228000-memory.dmp	upx
behavioral1/files/0x000700000002348b-110.dat	upx
behavioral1/memory/4560-109-0x00007FF987290000-0x00007FF9872A4000-memory.dmp	upx
behavioral1/files/0x00070000000234b6-108.dat	upx
behavioral1/memory/4560-106-0x00007FF98B270000-0x00007FF98B280000-memory.dmp	upx
behavioral1/memory/4560-105-0x00007FF988B30000-0x00007FF988B49000-memory.dmp	upx
behavioral1/files/0x000700000002348e-104.dat	upx
behavioral1/files/0x0007000000023492-92.dat	upx
behavioral1/memory/4560-89-0x00007FF9878A0000-0x00007FF9878BF000-memory.dmp	upx
behavioral1/files/0x0007000000023491-88.dat	upx
behavioral1/memory/4560-85-0x00007FF988210000-0x00007FF988228000-memory.dmp	upx
behavioral1/files/0x0007000000023487-84.dat	upx
behavioral1/files/0x000700000002348f-75.dat	upx
behavioral1/memory/4560-128-0x00007FF9871D0000-0x00007FF9871E9000-memory.dmp	upx
behavioral1/memory/4560-137-0x00007FF987160000-0x00007FF987171000-memory.dmp	upx
behavioral1/files/0x00070000000234ae-142.dat	upx
behavioral1/memory/4560-144-0x00007FF973F80000-0x00007FF974675000-memory.dmp	upx
behavioral1/memory/4560-141-0x00007FF983E40000-0x00007FF983E5E000-memory.dmp	upx
behavioral1/memory/4560-140-0x00007FF987880000-0x00007FF987894000-memory.dmp	upx
behavioral1/files/0x0007000000023488-145.dat	upx
behavioral1/memory/4560-146-0x00007FF9837F0000-0x00007FF983828000-memory.dmp	upx
behavioral1/files/0x00070000000234b1-139.dat	upx
behavioral1/memory/4560-136-0x00007FF974680000-0x00007FF9749F5000-memory.dmp	upx
behavioral1/memory/4560-134-0x00007FF987180000-0x00007FF9871CC000-memory.dmp	upx
behavioral1/files/0x0007000000023498-132.dat	upx
behavioral1/memory/4560-130-0x00007FF9834B0000-0x00007FF983568000-memory.dmp	upx
behavioral1/files/0x0007000000023496-129.dat	upx
behavioral1/memory/4560-127-0x00007FF9872B0000-0x00007FF9872DE000-memory.dmp	upx
behavioral1/files/0x0007000000023497-124.dat	upx
behavioral1/memory/4560-123-0x00007FF9871F0000-0x00007FF987207000-memory.dmp	upx
behavioral1/memory/4560-122-0x00007FF982830000-0x00007FF9829AD000-memory.dmp	upx
behavioral1/files/0x0007000000023495-121.dat	upx
behavioral1/files/0x000700000002348a-70.dat	upx
behavioral1/files/0x00070000000234b7-63.dat	upx
behavioral1/memory/4560-60-0x00007FF98D000000-0x00007FF98D00F000-memory.dmp	upx
behavioral1/files/0x00070000000234b3-59.dat	upx
behavioral1/memory/4560-58-0x00007FF9880A0000-0x00007FF9880C4000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4892	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3164	cmd.exe
3368	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
760	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4308	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3704	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1592	ipconfig.exe
760	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2016	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
4764	taskkill.exe
3652	taskkill.exe
1356	taskkill.exe
1472	taskkill.exe
2752	taskkill.exe
3048	taskkill.exe
3704	taskkill.exe
964	taskkill.exe
5088	taskkill.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716577183858923"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	taskmgr.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4024	chrome.exe
4024	chrome.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3000	chrome.exe
3000	chrome.exe
2628	chrome.exe
2628	chrome.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeIncreaseQuotaPrivilege	4360	WMIC.exe
Token: SeSecurityPrivilege	4360	WMIC.exe
Token: SeTakeOwnershipPrivilege	4360	WMIC.exe
Token: SeLoadDriverPrivilege	4360	WMIC.exe
Token: SeSystemProfilePrivilege	4360	WMIC.exe
Token: SeSystemtimePrivilege	4360	WMIC.exe
Token: SeProfSingleProcessPrivilege	4360	WMIC.exe
Token: SeIncBasePriorityPrivilege	4360	WMIC.exe
Token: SeCreatePagefilePrivilege	4360	WMIC.exe
Token: SeBackupPrivilege	4360	WMIC.exe
Token: SeRestorePrivilege	4360	WMIC.exe
Token: SeShutdownPrivilege	4360	WMIC.exe
Token: SeDebugPrivilege	4360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4360	WMIC.exe
Token: SeRemoteShutdownPrivilege	4360	WMIC.exe
Token: SeUndockPrivilege	4360	WMIC.exe
Token: SeManageVolumePrivilege	4360	WMIC.exe
Token: 33	4360	WMIC.exe
Token: 34	4360	WMIC.exe
Token: 35	4360	WMIC.exe
Token: 36	4360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3704	WMIC.exe
Token: SeSecurityPrivilege	3704	WMIC.exe
Token: SeTakeOwnershipPrivilege	3704	WMIC.exe
Token: SeLoadDriverPrivilege	3704	WMIC.exe
Token: SeSystemProfilePrivilege	3704	WMIC.exe
Token: SeSystemtimePrivilege	3704	WMIC.exe
Token: SeProfSingleProcessPrivilege	3704	WMIC.exe
Token: SeIncBasePriorityPrivilege	3704	WMIC.exe
Token: SeCreatePagefilePrivilege	3704	WMIC.exe
Token: SeBackupPrivilege	3704	WMIC.exe
Token: SeRestorePrivilege	3704	WMIC.exe
Token: SeShutdownPrivilege	3704	WMIC.exe
Token: SeDebugPrivilege	3704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3704	WMIC.exe
Token: SeRemoteShutdownPrivilege	3704	WMIC.exe
Token: SeUndockPrivilege	3704	WMIC.exe
Token: SeManageVolumePrivilege	3704	WMIC.exe
Token: 33	3704	WMIC.exe
Token: 34	3704	WMIC.exe
Token: 35	3704	WMIC.exe
Token: 36	3704	WMIC.exe
Token: SeDebugPrivilege	2816	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3704	WMIC.exe
Token: SeSecurityPrivilege	3704	WMIC.exe
Token: SeTakeOwnershipPrivilege	3704	WMIC.exe
Token: SeLoadDriverPrivilege	3704	WMIC.exe
Token: SeSystemProfilePrivilege	3704	WMIC.exe
Token: SeSystemtimePrivilege	3704	WMIC.exe
Token: SeProfSingleProcessPrivilege	3704	WMIC.exe
Token: SeIncBasePriorityPrivilege	3704	WMIC.exe
Token: SeCreatePagefilePrivilege	3704	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 4560	912	Hellion (5.exe	83
PID 912 wrote to memory of 4560	912	Hellion (5.exe	83
PID 4560 wrote to memory of 3040	4560	Hellion (5.exe	84
PID 4560 wrote to memory of 3040	4560	Hellion (5.exe	84
PID 4024 wrote to memory of 4052	4024	chrome.exe	89
PID 4024 wrote to memory of 4052	4024	chrome.exe	89
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4552	4024	chrome.exe	90
PID 4024 wrote to memory of 4924	4024	chrome.exe	91
PID 4024 wrote to memory of 4924	4024	chrome.exe	91
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92
PID 4024 wrote to memory of 3824	4024	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1472	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Hellion (5.exe
"C:\Users\Admin\AppData\Local\Temp\Hellion (5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\Hellion (5.exe
  "C:\Users\Admin\AppData\Local\Temp\Hellion (5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:2552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2156
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:1700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3652
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1060
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe"
      4⤵
      Views/modifies file attributes
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:3436
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3936
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4024"
    3⤵
    PID:432
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4024
      4⤵
      Kills process with taskkill
      PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4052"
    3⤵
    PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4052
      4⤵
      Kills process with taskkill
      PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4552"
    3⤵
    PID:4784
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4552
      4⤵
      Kills process with taskkill
      PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4924"
    3⤵
    PID:1976
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4924
      4⤵
      Kills process with taskkill
      PID:964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3824"
    3⤵
    PID:32
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3824
      4⤵
      Kills process with taskkill
      PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1832"
    3⤵
    PID:2444
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1832
      4⤵
      Kills process with taskkill
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2028"
    3⤵
    PID:3580
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2028
      4⤵
      Kills process with taskkill
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3060"
    3⤵
    PID:3516
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3060
      4⤵
      Kills process with taskkill
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2096"
    3⤵
    PID:3464
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2096
      4⤵
      Kills process with taskkill
      PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2748
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:740
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4952
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:656
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1360
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3164
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:2280
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2016
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:1332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4308
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2380
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4940
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1480
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3712
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4144
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:740
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:3828
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3432
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4212
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:588
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1456
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2732
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:3176
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1056
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1592
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:4564
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2164
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:760
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4892
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:736
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2220
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2992
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff98077cc40,0x7ff98077cc4c,0x7ff98077cc58
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,3055085496349407735,9204024110025082521,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,3055085496349407735,9204024110025082521,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,3055085496349407735,9204024110025082521,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,3055085496349407735,9204024110025082521,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,3055085496349407735,9204024110025082521,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3900,i,3055085496349407735,9204024110025082521,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4748,i,3055085496349407735,9204024110025082521,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5160,i,3055085496349407735,9204024110025082521,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:3732

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff98077cc40,0x7ff98077cc4c,0x7ff98077cc58
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2040 /prefetch:3
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4012,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4948,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4656,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3348,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5132,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4544,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3408,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4024,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5260,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3672,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3272,i,18029705850845871727,11309245553822955778,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4676

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff98077cc40,0x7ff98077cc4c,0x7ff98077cc58
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,9046950470052387970,17417593742243280419,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,9046950470052387970,17417593742243280419,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,9046950470052387970,17417593742243280419,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2248 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,9046950470052387970,17417593742243280419,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,9046950470052387970,17417593742243280419,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,9046950470052387970,17417593742243280419,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,9046950470052387970,17417593742243280419,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4800,i,9046950470052387970,17417593742243280419,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4684,i,9046950470052387970,17417593742243280419,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5056,i,9046950470052387970,17417593742243280419,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:988

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1804
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba518741-a256-4dfb-b227-4246bc1ec584} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" gpu
    3⤵
    PID:4676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb914015-e26f-43c5-a155-9ac27af1899c} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" socket
    3⤵
    - Checks processor information in registry
    PID:3704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2904 -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 2940 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16f649fb-cd12-4657-a2f9-816ac7eceb40} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" tab
    3⤵
    PID:1000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3884 -childID 2 -isForBrowser -prefsHandle 3828 -prefMapHandle 3876 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a43c7be3-4435-4b11-9a3f-36e8aa9e3bcd} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" tab
    3⤵
    PID:1904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4788 -prefMapHandle 4784 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb7eecd3-bb8d-440f-9f57-62280508491f} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" utility
    3⤵
    - Checks processor information in registry
    PID:5240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5260 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eef1282-eadf-4da3-953f-2728dec36452} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" tab
    3⤵
    PID:5536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5436 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74515ce0-d95a-41c2-8675-a3fb2962c9fd} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" tab
    3⤵
    PID:5548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0de84fe-2be1-4e42-ad0a-2bffe8294612} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" tab
    3⤵
    PID:5560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2832 -childID 6 -isForBrowser -prefsHandle 6128 -prefMapHandle 6124 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8424597-dd9a-4941-be58-c768c06d842a} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" tab
    3⤵
    PID:5968

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
eb942bdb6305f3315f94ae3c05f48dbb

SHA1
7674299d7f21d68d74ebbcb1de993f2c99ea6a1a

SHA256
e306a68470836c921619dbbd8ec7c697a25625402fc95add71250d41231787dc

SHA512
1509991d75b19506b3c4fbee4b75b5caee8e5f1ec7c810d4cbe21ef9ffc32b472851c25da616fcf8cdd9a4b4e57bc5625eafa3d1803f2e41c888d449a2972c4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7678a1f6-bb64-46a9-b0c9-97909c50abcb.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f2b330ae3cf89b01d7b29a859496fff0

SHA1
5ab67e254cda2336056a8e2d8006f90ef55393ac

SHA256
c573ad10176dd9f303f958131a1084289df11baeee512bc1796ba19a5c6372d5

SHA512
2634dd104be37471b51d8473531d57b79c316a9358c6d90f00397320c6ba65008d117cd69036734ae68e131f8d8fcc7dec6cfdb4c46229c10abd4b53fda53350

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
d1f604157b0745a40453afb93a6caa42

SHA1
3d5d77429b03674ebb0ba34d925ba1b09310df5e

SHA256
468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5

SHA512
0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
06d0c49676b3681f95b400df54ef56b5

SHA1
dab1057529f4288d4c05515253fa1600fb7f6c74

SHA256
b6e2c4c3a34247b95afb9c5626cdc41e464e350884935922719dd4deaf6ee368

SHA512
79838a41708528c9e96dc590e90204a018b13d3a5c46d02b0d27a6e33576577257a94101451d357b23fcfb3315ce3966feaa9de17700f6df63638bfbe285a2f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
844B

MD5
16396be176be4c8d2cf4d35cd9d8858d

SHA1
8b36aeda7673f2113bd0f6caa71d259dc40f22ec

SHA256
987495993bd51e2e08f61366f09b76f431fc2740bbf7d819428ae1a1d9c5ccde

SHA512
c1231a619d5343ec6d8adb440a03e4af6c9d6d7f1f4a687a7cb4d8d9acb9fd590f684641880a70797094e38d98a08ff1f76297848203c2c3ed6e601060b19ca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
514feb37329d00af26b4ac2d1a9675e7

SHA1
11b74066acb3823bdccd3e2ec30449988e9ecee2

SHA256
b30054802c39b8956397af402dec4c5a6243d56dd97d5f583d5c246d91095e89

SHA512
6221bae130033428e7459caabcceca82745aa2f601d3bfff25a313a5a29932a7a5ce00c6d65a2663ba620341bb30774b292afeb5d9bc02a5fe56a6b252787b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
639eba05c0ba68ed29fed252f06e9411

SHA1
a2f0eac11b68c57e90e4429afc2744383a6a1c4d

SHA256
e4104f9ee8489073eacae1c3f1a34042213df9e87da994d6f9c6af77c06f8741

SHA512
6da70efb4376fdcdd668f42642abf839c221c14af131c5b14340c54daf19dca1097c5e6b993bed75c583237051f4699821f60be28be7a2ecf0ba1b086b361be5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
276b36b3b570a22c1ede2b4a6eb3e05a

SHA1
476668f51a459eef4cf36c928031caf1772c6a32

SHA256
c8309481670fffb1efcd9b6b31b4ae46f4f2802739417d0392c005e9e09fb88d

SHA512
c782a4081604aeac09c23fdb1092ca6c19674ab40a153885d0a4843ddabb331195918af970233e59293ab3c7415d6123d86d819e3807b42b200fadbaf5126e2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
e259a20d39ace7e81aa452442fc1fd42

SHA1
043a8e80e289ee4fc82307e17b58b6cb30623918

SHA256
4c62bdde649bcdaf1941796373d2169ab5160d45989f127b8fa648b21e60b5d7

SHA512
145d530b923d3a271f876eaf818827e710e2e117c390cb54ff682204fc8695171c3b250c564e8237e181646c1c7f4b9f5076183e43bb693e4f16a1683cfee448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
af0d8c583984c996ad9d60dd8ec631ba

SHA1
dd01478e859299e24abd801aebb9d791c1e8af2e

SHA256
b42a79f1c1ef6724ee6f7605fd834ac978e5067545b230f7ee025176085f6131

SHA512
0b1e9863238637d0a7290cd927577d6dd64046adc8f9c5ec4fd62986df4ffc4642f6383cf2a4d295b6d8d228d2ca8635ea820788ae76892c6e9afa2096104ccc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
6f234afd1ce5a1a60c8b17999ce580bf

SHA1
c249d274a68cb16b54dc4e3ea19e8d9a84e41393

SHA256
fabfaad387684eb707a60f864f4f03fd73f2e49bad3d027b0bb2971b55606f07

SHA512
211d33904d7708cdf884b7b0166422f76d4dcb0dbc765ae22f1fb7b5fe2fd5097bb4ae4d4f44c3496591bb7460dc2069fb357717ce5fb7b916ec17fe8f5425ed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
bded45db9670ed8c9c09082d2583f97e

SHA1
c8d58f6713aa3275c1bde7612d525d8a32054983

SHA256
a3bae17ed5760e1186b4236b18e9942d44ba034dc541189b6df8447731eba2d0

SHA512
a79d25d92573f97096409d8c591841d7d014da97ac5b123e55739ee34c5135f69021176e3a7b7b2ab2b092d65ebb77d9d4cb0631203cf8d598dfb9c1ed2a8f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_asyncio.pyd

Filesize
35KB

MD5
e7f550e558b8bdaf58703342df99c546

SHA1
d8b43ab5bca262bfd8dd11203a7f381a005deda6

SHA256
1ebc9d947287ff6754436630ab7d106ccf1f600c7a96f2fcfe75df5f8967dff4

SHA512
bcb8a5eb493b14103dd290c61f0fbed22e8622c74794f26f12d4c6bbb545320e7d81f37e352a8afe589627b28fc969d0839cbe565fb18d236cdea4bd3861bf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_bz2.pyd

Filesize
47KB

MD5
abe536347eeb1308e17b6cf4daacef7b

SHA1
3ee26a2cd2f1552188cc48cf0be8b745bbe0d449

SHA256
d7b84a1e07853e8b80c88371c3edca409eab807340f552c3c209ce13b20a0c2c

SHA512
1ca648623137a893aeabfe6a93bd08971fb2c954f6830234432171a57a893bafd1f1547e00b45e7b3cc7042cfe4a185e45c46212ffc7c5a1c460958f64ae7fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
641e49ce0c4fa963d347fbf915aabdbe

SHA1
1351f6c4ac5dcda7e3ffbf3d5e355b4bb864eb10

SHA256
1c795df278c7f64be8e6973f8dbf1a625997cb39ae2dcb5bee0ca4c1b90c8906

SHA512
766b9adb5143e89d663177c2fb0e951afb84c0a43ec690ae2c477ee0bbe036df6f4161a6012430d42e4913fd5fbe7e49af6d13ac7c62d042a484861fc5a04616

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_ctypes.pyd

Filesize
58KB

MD5
81313d2ce8fc6244113f81e69019c4c5

SHA1
4cb3cd0811e9a0a5dc02a0e182d9158d6d02e540

SHA256
f3500c6201277b711123c5d82e58ea9002eef4a4f3e3781460c744b74796cebe

SHA512
86ae6627dd7d29e8a2c8a90c4f763bcd9559bb03f1a191ab49de048a775f3858015cda5a3ff9c1f168f81674e307defbe3d375117525b7f8d30a30b3abbb3cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_decimal.pyd

Filesize
105KB

MD5
6e008e41f8ecb064ce24111fac710bff

SHA1
3f68ec4923c219286c9f3cec481f8fc72218c351

SHA256
08f8aca4d96823941c9437b0cb52e14d37e785b01f33d701a238c1e92e89cbc3

SHA512
076573b1a164613487337b3fb88d6d8264dc1fc47ee77244c60daa6fa19e1a172e2ef5f9e4d1eec4a507112c25ae5c332e4a6b334a6265a9d6d861f5a789aba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_hashlib.pyd

Filesize
35KB

MD5
b9764d54210e87924b53ccd59d4d3f26

SHA1
74c7531ce5fe7e43879106dcc3106610b0e6a05b

SHA256
c804be258c3f1a677b8a32681ebbf9b9d8fe43172fdfcfaf6666501093c0c934

SHA512
7938a80e5fa910134fa28549a26b42cd686d2511746530ebd81d296387a91ce87be11207a513756daed27de6d8e648d1121384478148e627f93e59953cdd26cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_lzma.pyd

Filesize
85KB

MD5
c27338519cf2b57fc6a1c795ede673a3

SHA1
d29f42d658214de7413c3192c5fd01eb30a3dd07

SHA256
3c93fd2a5b852685ad9c06898fe3fd3a1e21a2950e7ab669407448b5fe7d5411

SHA512
01ad7e149d32c25894c0124f6b7a06154d0d32d0f55043fc89ee89d5c8bf62f9d73163a9a8c8c5c28a9b73a70f29905be6d0502e99047b49376992d7e82a2689

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_multiprocessing.pyd

Filesize
26KB

MD5
dc14bfeb7f48ae49f534c6b6333ec7b5

SHA1
ae7c4ca9804137a1b7e4e64327d60d83c8d814ba

SHA256
fed67a2fa7c14d03b70d5dfa6a2ffe61a718badcaa4b394674646fcd2e181321

SHA512
97b54d2f3a2c939af8973ca15ef68f243d90abc2f586acc026fcfc7a2502a9fc2fe7fb5b549851b2ad196eeaac84a79e9173021b92da019a1fc1a54fd74b3670

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_overlapped.pyd

Filesize
31KB

MD5
6cb62df83b6fa05f7db40458ecf61be9

SHA1
7246f08bf1c8a411b420765301e63a5b7d6416f5

SHA256
4510811ba999fb305da874dabf0864798f3cb09ecd256c43820e6606c777c816

SHA512
12c759c1f4c69a7f187bac769345281fe9adc4d6b9159adcbbfcdd486e695e5aa511594e1de7a2e850fe9492ade9a9c01876e1c98d4c57e6dbf69a401ec10bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_queue.pyd

Filesize
25KB

MD5
86e57cb7237d33d354ee3a89153ad831

SHA1
52294a0a30f3ce77e685b7781205e4ba1f2027da

SHA256
b2233409e7f9dc2a82278e2dafac1fa57bb5f92bebed25515f12f1a25cd99859

SHA512
fef679bf7adec06c011c2f2c569976014ca8bf88c1b998145485481ee3d224368597ef67de6fb1f8d288094fe3b8fda4dd01144bb826b124abf435b46ec9bc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_socket.pyd

Filesize
42KB

MD5
6d9594f73a6411e2969171dcfc2c33fe

SHA1
65d10268a6cb291f51f9d5538765bec6736debf3

SHA256
afa741381893c6cba26edfa92dcdf9c5bacc94a015ee6061e093a8074f6b5760

SHA512
7d4ab7e393b151543dad6058ef56f78d2820518cefdcd46c88ecf60db821f8a5628ffc85667909c466d8ef961759cc1a81524245e417323308f611c50d6412ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_sqlite3.pyd

Filesize
49KB

MD5
6954a9ddde7304a13cfbb00490c46ef4

SHA1
8174f60a9f32f416df65ad101487e50af890f3aa

SHA256
3d60c602db3d32d7142c091c622c495969c330f2cbd01695105d4695446c1f06

SHA512
413a641de380a4e16b0b7abaf9cf9fbeaff07632f4efd42550c339285635990d7b35c27d8ced323bd19525d6e34b93f562f421fe0621b22f4887e711101aa9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_ssl.pyd

Filesize
62KB

MD5
bd4f073fdbb11a5a35d1c9bd2a09fa46

SHA1
b023de06d1d40eea8d1e0ce9ab9883e272491123

SHA256
2154b99c1004de71b760c331754c04a9466736abf6074a42894bf9cdfe9ab1a8

SHA512
006218a19db2c97301c0656c598e61ad6be62768a08a2283e073083f88135b8102ea8e8e8015e407fd1c6bc5c1a5835e6881c5c4d85c3ca9c7c7e847d18ba0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\_uuid.pyd

Filesize
24KB

MD5
ecf3d9de103ba77730ed021fe69a2804

SHA1
ce7eae927712fda0c70267f7db6bcb8406d83815

SHA256
7cf37a10023ebf6705963822a46f238395b1fbe8cb898899b3645c92d61b48ea

SHA512
c2bf0e2ba6080e03eca22d74ea7022fb9581036ce46055ea244773d26d8e5b07caf6ed2c44c479fda317000a9fa08ca6913c23fa4f54b08ee6d3427b9603dfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\aiohttp\_helpers.cp310-win_amd64.pyd

Filesize
26KB

MD5
79dbf6677f21a17c9561eb008cc2a987

SHA1
096ef929cd31638cdc3ec18883495e5999efd263

SHA256
bd1638d83bcc69d9cadc1812d5db298f67d1e1b2831cc7783587c0ac7cf9b595

SHA512
2d9d8814f0d69b56a7ff1e9bb4207d00f9259113bc8f3e20211341cffeed117829ba9b80d8c0fb9b2da9fc68910a2be039b0fcf1c7bb0de23efee6644d17e164

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
80KB

MD5
16a2765d0487ee171c8f8761df29ddcf

SHA1
44fc0c0700039457095256f18702f56ec8ff743e

SHA256
285d9d527b2f1c70182d3060fee35a95b2c4e8316137f5f4dec806eb64e57af2

SHA512
f78c29c91eb08de69810a64e6a5025e24c692394b0f242f6e281c7bb59f88194ea22a2e33954c1a40adf00b34dd81164655674e496c552057a19b4780b968a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
878a426eb61ebecdba1016400e8fe60d

SHA1
7ae2f28199cde86ce2cc382d6a1b87b373940d95

SHA256
53fc5a5371a69ec8a700dea681654483c2be301f584d9393789cb5a134ba6aa8

SHA512
d1297868c9400530733538947603e0c73722600c11dc5ce0d7d8371939a7ac840ac0b574b42d9a9a407c3cfbdd938672f73e5da54aa8317eea4053e66fcd6475

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\aiohttp\_websocket.cp310-win_amd64.pyd

Filesize
19KB

MD5
623862193e92582b732fcc4683bfb515

SHA1
ce0b2201938cb7e7ea18dcdd98d8ccc2fa28ef9d

SHA256
dfd68ae5add1c99e0e31820a676fafdf6a472dcab49362d9970c8a66f4121645

SHA512
5b7333af6b6e20aa33cce6561b9673ed590e942d58c48004a7203ff3b33eb6f21541398716b550fa602953c14c80a06da8a439f95bd3f004731ecc5c29e347b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\base_library.zip

Filesize
859KB

MD5
c4989bceb9e7e83078812c9532baeea7

SHA1
aafb66ebdb5edc327d7cb6632eb80742be1ad2eb

SHA256
a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd

SHA512
fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
2fcce5a4be27c1f03c07f28442c519c2

SHA1
720309702539887f00b604ef9482e6f4e90267fe

SHA256
eed558d5a0fe7cea03d6b52950594ec8a7c2e451daca1018118a7c640af4990a

SHA512
71629b36b48bb353b7cd97c23cef116a006a61582cb7064e38cfd6e0769a8f8edbb51e7e141e365c0be2dbb0985cb3ef3cc0f0d3fd4eeb32322f8c406352b4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
6106b4d1eec11d2a71def28d2a2afa46

SHA1
e10039eff42f88a2cd8dfe11d428c35f6178c6ce

SHA256
19b144f1bfeb38f5a88da4471d0e9eeefcee979e0d574ecf13a28d06bdf7f1da

SHA512
d08ba0cf57d533ce2df7027158329da66518fb1bf10220d836ce39bdf8bc0436dfc3a649cf937b3b3e2bb9ff0d3c9e964416e9ac965cff4b24bd203067f53d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\libcrypto-1_1.dll

Filesize
1.1MB

MD5
f82e744b74099c586a568ffeab9ab252

SHA1
b51cd9fca6c7e0a262fc3a0f66b95034b0c03a5f

SHA256
2d2c0a847d276b65a42b82ca92e466f33315d68a08a4ac25ee251b12c549b3e0

SHA512
f8512470f4325d33a1c881776877ec6cf2865430b04ea3eb86b61721a8c3b1daa724b7887411f7bc4842732f0441fc72990c39e1974fb986555c1e4c33cb59e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\libssl-1_1.dll

Filesize
203KB

MD5
9688c1b6b7d77fb1721168e4ba55f553

SHA1
611959e623906f6be155bbdb5ea4f2aaeb43c212

SHA256
e3f8264484e99c36c1a99aab96f7753f72da56c284ded7b1c802bc514bc9053b

SHA512
161ab9124bef12493a7ef232f089064e620203f77b1fa18812a8c51a8eaa6ca2436341fafaf24f0ac3840f395ed96a6600cb92b87ccb0ee31bcef7f636e1fba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\multidict\_multidict.cp310-win_amd64.pyd

Filesize
19KB

MD5
63bde95b30a0a336a979593dbe8fa907

SHA1
6386b0907b71fed8c764a53c7304529335de7c66

SHA256
e506c8fc0c21bbeb8872c7cf95f5a56da2d8f60ad4e605902a56538e6108520a

SHA512
0ae53a5157c4e68e9e8b602326c18c17ce570e48bfa27bbed3f7eab75cdffa35b08a6f3107f5479191109ed905ba0ee403fefc425bcb2b9409bc2494765ac298

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\pyexpat.pyd

Filesize
87KB

MD5
735e09d050251a638b6db323caa90f8f

SHA1
3560f491a3c36b0ddf2739f1d4d7bec54d371a62

SHA256
b249f553c6a4c9ec6c2501ff759a8cecafbc6f0f63e619474187e68cc9b388fb

SHA512
ad22ebc0c2804b318bb599db36672bbd136b4eedc45b22db9ee26e825564cc40db000eaf8da03c189c1044ce56217b11486183b2d27205145b3be807325191e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\python3.dll

Filesize
64KB

MD5
24f4d5a96cd4110744766ea2da1b8ffa

SHA1
b12a2205d3f70f5c636418811ab2f8431247da15

SHA256
73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53

SHA512
bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\python310.dll

Filesize
1.4MB

MD5
259f0b7b6eed52d7766fa294ee0db193

SHA1
f158995508e460c47748666219a54ee575973397

SHA256
9b88ca9240770931a2041e6d05ad4508b391859f8ed3603303935dcc1e55c406

SHA512
7efd3402d4cbd1146444fdab5eeb4a8aab6fec04b718761da3e0fd417d67e9576fc354737b3453f9e9c12210f1930e6eadd7c0570242b0c8a548fdb92051360c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\select.pyd

Filesize
25KB

MD5
a1f4d04ea4c79562a2d2791ba1db1907

SHA1
4c84235d3d6789383cb15011e75579d6609d0260

SHA256
0e658f51cce6005d5696e30f650d06c9a9009b26905d849ad8782fb23787c02f

SHA512
72be07e11fe91004044863b322a66e264b989486f7f6486fb5e86b41dce501364fa5e9539ce4b65bdd52a944ae01c4b43d35f5d06fd1775439af2d85fbb4c4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\sqlite3.dll

Filesize
622KB

MD5
a33c23b2caf8bdc16f37d1434fb73800

SHA1
6bb103622bb3d6870f66b187a23b4bec824ad18f

SHA256
ed38b5b61ff3a4c39a3bc0bc08887bb3551096ba9e3bc2049fb1d61ab9531dbe

SHA512
e38a644b6539b53dbfc6a4739fa4327c3484f6cfe0a77599703a36115d58a52bfecc5d1ed6531c8830d5eaa11bbf3218d9cbe5eea69235b803a4255703e36ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\unicodedata.pyd

Filesize
289KB

MD5
c20515dbf782f33b62a980b44298a9c5

SHA1
a2eb80b3b285ac63207184559934960847b0a02a

SHA256
5d58205d1183b6ba27a7a4b2ef82be554aa906c8f898b528c8933bb6052b9050

SHA512
0b4496731746133b69c48ba87ffabd7560fd40ee47ec8b0e771a4bf6c7da75ac8b95467a0a3e16d23596d08fb8f331cfcc0446abdc3595692cee3387f2781890

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9122\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
32KB

MD5
4e8e23e41b7b60e2c6466f756d9b66f4

SHA1
f1aabeb96f17333c43e254e436c0ceb58e52f5cc

SHA256
4bd0f363f96b6b14b332ea2539566f7ce13df4929bfd64959a76e1be7fa80b62

SHA512
a704f0ef37a9d8f2869b3ae825350171fa44c2769f8f1d786d812e3746029cc574de827f3df6f20f9e84319c1ef7cc61e7157a7dd1e656227e85e6df52e3f63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_awt0i1tw.afv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
05d53da7eebaf41aee0d429f6f7c9c7b

SHA1
cd90e3edd3b01b6d2acc089a3ecb05507c836404

SHA256
c597dc4cb71a86eacf06c63d1542dbbc29340ca88e54adf31a6e28d944abd06b

SHA512
e824770f2b5eb0cd2c7d66976efa66dfaa127bf19b41a655ffb328d6e3fbabe057e9bd564600fa53946cfcc4f7fc7ddf97e7ba0c0acfea86189d15da1a59af4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
49d58d22e315fb914bbd85f9c25d0c76

SHA1
bbc2b37f8b30ffdcd1b4e672171fc6fac8965d2a

SHA256
bf9623c94f3b52b433c45869735e33f1050b7d72c2b1acac99bee3facce93e64

SHA512
88e61c1f2125e0b884f5759cfae6a5fa3194fb71fcd4bbde7334d2e21ccce84bf0a4fed373d0b667cbc3cc284fd7b7f7e27db732d091c1dc36b8959a873156c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\349521b4-57cd-41d1-bd27-9d24186b39ed

Filesize
671B

MD5
b44293104127bcf16ae6897a47d8e994

SHA1
0d97258544e928e569539979c04746b8a436375b

SHA256
7d93e974107c19a345d9ef13c653b8118a4d957d9df58602ede5ab0a12d79a37

SHA512
5ea99f7081f274df837938105d0ad17a4447c9991a587c6ae47ad6df375b879c84311fe2d0c6b27c245cbd749fc40b1d4e0a8332e4125bc4251f95ff8da185db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\9b537925-b179-41a5-bffe-d6dd57f695d9

Filesize
27KB

MD5
cf97c86cce4e3621e9f9c0c597c7025f

SHA1
e5b5b9a8de689b9cc319c015f3e5eda0996e2543

SHA256
1ef7892d6b0d0c8010508d5b8085576266395479bcf0e8500dafe3a4ad2b7879

SHA512
bfa533da9ff0ebc662367883e82beba7c8ea259e1a0b74e3439d4ded7450bea37bfbec242ccb3439ea3347f13adfee0ec7a469c5e3ceb5d56443ec723211e927

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\b03c8064-f561-4e36-ac2f-b4c900d0b144

Filesize
982B

MD5
2ed02e945d5e2e689b39db117b4dcaa2

SHA1
8af79d27c09e5156d718e61903619d65720882d1

SHA256
9e39f588dc8ae790249d3fe8f33643d27d5a18aeaba4b8992ec3dda3e714792a

SHA512
c3a6d225b475aceef00de11a333bbea8cd8efa7dffc4e70292ef3ff259a9b2e4f8c40e1e73104d490a816fa65903b985a8e46ce41a2532b8639c52729d69391b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

Filesize
11KB

MD5
bfc1b0062db99c7a25daa7f7985111ae

SHA1
353d3308825005b6578a190246676e9a3f349712

SHA256
5a4ccff78425ef2a22c31c679c92b6228f712bedd485396264fe7382e70b0ea8

SHA512
7ee1e6a23d9cc500c26332c82cfff652f0976be9a2a6923262009336789abc50a3f1cbd992b6862bfd2b42aed650848e70cd63654aa12dab655dbb34465f7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

Filesize
11KB

MD5
2830dc79b98d7af6af95d1321e87613c

SHA1
7bfecebedc056a819f4afaab674ca63cb8a269f3

SHA256
bc679261486743a2e50656cf03670f98cc69f019dfb4d916c34023df68224d48

SHA512
285ee381f315a7dfd651c123f32cf467db67837b53d83eac747cddfdf5ea16e04c4446a8c4caf489b5fa4d31c3d1f66bbdb7b75e48948d2dcd729bf1f375ea10

Download Submit
memory/3696-280-0x000001AF3CB00000-0x000001AF3CB22000-memory.dmp

Filesize
136KB

Download
memory/4560-148-0x00007FF987250000-0x00007FF98726C000-memory.dmp

Filesize
112KB

Download
memory/4560-112-0x00007FF987270000-0x00007FF987285000-memory.dmp

Filesize
84KB

Download
memory/4560-130-0x00007FF9834B0000-0x00007FF983568000-memory.dmp

Filesize
736KB

Download
memory/4560-123-0x00007FF9871F0000-0x00007FF987207000-memory.dmp

Filesize
92KB

Download
memory/4560-122-0x00007FF982830000-0x00007FF9829AD000-memory.dmp

Filesize
1.5MB

Download
memory/4560-133-0x00000226EDC20000-0x00000226EDF95000-memory.dmp

Filesize
3.5MB

Download
memory/4560-134-0x00007FF987180000-0x00007FF9871CC000-memory.dmp

Filesize
304KB

Download
memory/4560-136-0x00007FF974680000-0x00007FF9749F5000-memory.dmp

Filesize
3.5MB

Download
memory/4560-60-0x00007FF98D000000-0x00007FF98D00F000-memory.dmp

Filesize
60KB

Download
memory/4560-146-0x00007FF9837F0000-0x00007FF983828000-memory.dmp

Filesize
224KB

Download
memory/4560-58-0x00007FF9880A0000-0x00007FF9880C4000-memory.dmp

Filesize
144KB

Download
memory/4560-140-0x00007FF987880000-0x00007FF987894000-memory.dmp

Filesize
80KB

Download
memory/4560-141-0x00007FF983E40000-0x00007FF983E5E000-memory.dmp

Filesize
120KB

Download
memory/4560-144-0x00007FF973F80000-0x00007FF974675000-memory.dmp

Filesize
7.0MB

Download
memory/4560-147-0x00007FF982F60000-0x00007FF983078000-memory.dmp

Filesize
1.1MB

Download
memory/4560-137-0x00007FF987160000-0x00007FF987171000-memory.dmp

Filesize
68KB

Download
memory/4560-149-0x00007FF9871F0000-0x00007FF987207000-memory.dmp

Filesize
92KB

Download
memory/4560-128-0x00007FF9871D0000-0x00007FF9871E9000-memory.dmp

Filesize
100KB

Download
memory/4560-159-0x00007FF987180000-0x00007FF9871CC000-memory.dmp

Filesize
304KB

Download
memory/4560-85-0x00007FF988210000-0x00007FF988228000-memory.dmp

Filesize
96KB

Download
memory/4560-175-0x00007FF983E40000-0x00007FF983E5E000-memory.dmp

Filesize
120KB

Download
memory/4560-188-0x00007FF987880000-0x00007FF987894000-memory.dmp

Filesize
80KB

Download
memory/4560-200-0x00007FF9837F0000-0x00007FF983828000-memory.dmp

Filesize
224KB

Download
memory/4560-187-0x00007FF974680000-0x00007FF9749F5000-memory.dmp

Filesize
3.5MB

Download
memory/4560-201-0x00007FF973F80000-0x00007FF974675000-memory.dmp

Filesize
7.0MB

Download
memory/4560-186-0x00007FF9834B0000-0x00007FF983568000-memory.dmp

Filesize
736KB

Download
memory/4560-185-0x00007FF9872B0000-0x00007FF9872DE000-memory.dmp

Filesize
184KB

Download
memory/4560-177-0x00007FF9880A0000-0x00007FF9880C4000-memory.dmp

Filesize
144KB

Download
memory/4560-176-0x00007FF9829B0000-0x00007FF982E16000-memory.dmp

Filesize
4.4MB

Download
memory/4560-89-0x00007FF9878A0000-0x00007FF9878BF000-memory.dmp

Filesize
124KB

Download
memory/4560-277-0x00007FF9834A0000-0x00007FF9834AD000-memory.dmp

Filesize
52KB

Download
memory/4560-105-0x00007FF988B30000-0x00007FF988B49000-memory.dmp

Filesize
100KB

Download
memory/4560-106-0x00007FF98B270000-0x00007FF98B280000-memory.dmp

Filesize
64KB

Download
memory/4560-109-0x00007FF987290000-0x00007FF9872A4000-memory.dmp

Filesize
80KB

Download
memory/4560-317-0x00007FF9829B0000-0x00007FF982E16000-memory.dmp

Filesize
4.4MB

Download
memory/4560-334-0x00007FF987250000-0x00007FF98726C000-memory.dmp

Filesize
112KB

Download
memory/4560-342-0x00007FF9834A0000-0x00007FF9834AD000-memory.dmp

Filesize
52KB

Download
memory/4560-330-0x00007FF98B270000-0x00007FF98B280000-memory.dmp

Filesize
64KB

Download
memory/4560-329-0x00007FF987880000-0x00007FF987894000-memory.dmp

Filesize
80KB

Download
memory/4560-325-0x00007FF982830000-0x00007FF9829AD000-memory.dmp

Filesize
1.5MB

Download
memory/4560-324-0x00007FF9878A0000-0x00007FF9878BF000-memory.dmp

Filesize
124KB

Download
memory/4560-318-0x00007FF9880A0000-0x00007FF9880C4000-memory.dmp

Filesize
144KB

Download
memory/4560-111-0x00007FF988210000-0x00007FF988228000-memory.dmp

Filesize
96KB

Download
memory/4560-127-0x00007FF9872B0000-0x00007FF9872DE000-memory.dmp

Filesize
184KB

Download
memory/4560-390-0x00007FF987880000-0x00007FF987894000-memory.dmp

Filesize
80KB

Download
memory/4560-378-0x00007FF9829B0000-0x00007FF982E16000-memory.dmp

Filesize
4.4MB

Download
memory/4560-118-0x00007FF9878A0000-0x00007FF9878BF000-memory.dmp

Filesize
124KB

Download
memory/4560-119-0x00007FF987250000-0x00007FF98726C000-memory.dmp

Filesize
112KB

Download
memory/4560-114-0x00007FF987AE0000-0x00007FF987B0C000-memory.dmp

Filesize
176KB

Download
memory/4560-115-0x00007FF982F60000-0x00007FF983078000-memory.dmp

Filesize
1.1MB

Download
memory/4560-548-0x00007FF974680000-0x00007FF9749F5000-memory.dmp

Filesize
3.5MB

Download
memory/4560-559-0x00007FF987160000-0x00007FF987171000-memory.dmp

Filesize
68KB

Download
memory/4560-558-0x00007FF9834B0000-0x00007FF983568000-memory.dmp

Filesize
736KB

Download
memory/4560-557-0x00007FF9872B0000-0x00007FF9872DE000-memory.dmp

Filesize
184KB

Download
memory/4560-570-0x00007FF983E40000-0x00007FF983E5E000-memory.dmp

Filesize
120KB

Download
memory/4560-573-0x00007FF9834A0000-0x00007FF9834AD000-memory.dmp

Filesize
52KB

Download
memory/4560-572-0x00007FF9837F0000-0x00007FF983828000-memory.dmp

Filesize
224KB

Download
memory/4560-571-0x00007FF973F80000-0x00007FF974675000-memory.dmp

Filesize
7.0MB

Download
memory/4560-569-0x00007FF987180000-0x00007FF9871CC000-memory.dmp

Filesize
304KB

Download
memory/4560-568-0x00007FF9871D0000-0x00007FF9871E9000-memory.dmp

Filesize
100KB

Download
memory/4560-567-0x00007FF9871F0000-0x00007FF987207000-memory.dmp

Filesize
92KB

Download
memory/4560-566-0x00007FF987250000-0x00007FF98726C000-memory.dmp

Filesize
112KB

Download
memory/4560-565-0x00007FF982F60000-0x00007FF983078000-memory.dmp

Filesize
1.1MB

Download
memory/4560-564-0x00007FF987270000-0x00007FF987285000-memory.dmp

Filesize
84KB

Download
memory/4560-563-0x00007FF987290000-0x00007FF9872A4000-memory.dmp

Filesize
80KB

Download
memory/4560-562-0x00007FF98B270000-0x00007FF98B280000-memory.dmp

Filesize
64KB

Download
memory/4560-561-0x00007FF987880000-0x00007FF987894000-memory.dmp

Filesize
80KB

Download
memory/4560-560-0x00007FF9829B0000-0x00007FF982E16000-memory.dmp

Filesize
4.4MB

Download
memory/4560-556-0x00007FF982830000-0x00007FF9829AD000-memory.dmp

Filesize
1.5MB

Download
memory/4560-555-0x00007FF9878A0000-0x00007FF9878BF000-memory.dmp

Filesize
124KB

Download
memory/4560-554-0x00007FF987AE0000-0x00007FF987B0C000-memory.dmp

Filesize
176KB

Download
memory/4560-553-0x00007FF988210000-0x00007FF988228000-memory.dmp

Filesize
96KB

Download
memory/4560-552-0x00007FF98CFF0000-0x00007FF98CFFD000-memory.dmp

Filesize
52KB

Download
memory/4560-551-0x00007FF988B30000-0x00007FF988B49000-memory.dmp

Filesize
100KB

Download
memory/4560-550-0x00007FF98D000000-0x00007FF98D00F000-memory.dmp

Filesize
60KB

Download
memory/4560-549-0x00007FF9880A0000-0x00007FF9880C4000-memory.dmp

Filesize
144KB

Download
memory/4560-103-0x00007FF987880000-0x00007FF987894000-memory.dmp

Filesize
80KB

Download
memory/4560-97-0x00007FF9829B0000-0x00007FF982E16000-memory.dmp

Filesize
4.4MB

Download
memory/4560-98-0x00007FF9834B0000-0x00007FF983568000-memory.dmp

Filesize
736KB

Download
memory/4560-100-0x00007FF974680000-0x00007FF9749F5000-memory.dmp

Filesize
3.5MB

Download
memory/4560-101-0x00007FF9880A0000-0x00007FF9880C4000-memory.dmp

Filesize
144KB

Download
memory/4560-99-0x00000226EDC20000-0x00000226EDF95000-memory.dmp

Filesize
3.5MB

Download
memory/4560-93-0x00007FF9872B0000-0x00007FF9872DE000-memory.dmp

Filesize
184KB

Download
memory/4560-91-0x00007FF982830000-0x00007FF9829AD000-memory.dmp

Filesize
1.5MB

Download
memory/4560-87-0x00007FF987AE0000-0x00007FF987B0C000-memory.dmp

Filesize
176KB

Download
memory/4560-81-0x00007FF988B30000-0x00007FF988B49000-memory.dmp

Filesize
100KB

Download
memory/4560-83-0x00007FF98CFF0000-0x00007FF98CFFD000-memory.dmp

Filesize
52KB

Download
memory/4560-50-0x00007FF9829B0000-0x00007FF982E16000-memory.dmp

Filesize
4.4MB

Download