ad141e276acfa68d81e34195160e54ecc73f3e28de1dce88ffebfe73e94a32f3

Analysis

max time kernel
150s
max time network
152s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19/11/2024, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pcsx2-v2.3.19-windows-x64-Qt.7z
Size

18.8MB
MD5

0e91c3825c85114730095b0516d036e7
SHA1

8ad5167edb94064527657e0f54242306b471b869
SHA256

ad141e276acfa68d81e34195160e54ecc73f3e28de1dce88ffebfe73e94a32f3
SHA512

98dc49b122de81438f9e3174f5c03607f3b6a47ed5917ccda16f09bfc73a7b9a843a593f98219b62ecadc8c034e5951c12cdf97542c52b95929120d959785cbd
SSDEEP

393216:pgA3DlE676zRTrADl3uiFY9fcIQNsXMD61yvPLj8K6JCb:6ATlEJrqhnmfXQPLYK6JCb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1136	pcsx2-qt.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765044702257471"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4476	chrome.exe
4476	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4896	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4896	7zFM.exe
Token: 35	4896	7zFM.exe
Token: SeSecurityPrivilege	4896	7zFM.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
4896	7zFM.exe
4896	7zFM.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1872	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 1136	4896	7zFM.exe	91
PID 4896 wrote to memory of 1136	4896	7zFM.exe	91
PID 4476 wrote to memory of 3460	4476	chrome.exe	95
PID 4476 wrote to memory of 3460	4476	chrome.exe	95
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 4760	4476	chrome.exe	96
PID 4476 wrote to memory of 864	4476	chrome.exe	97
PID 4476 wrote to memory of 864	4476	chrome.exe	97
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98
PID 4476 wrote to memory of 2148	4476	chrome.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\pcsx2-v2.3.19-windows-x64-Qt.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\7zO023C9958\pcsx2-qt.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO023C9958\pcsx2-qt.exe"
  2⤵
  - Executes dropped EXE
  PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb0b85cc40,0x7ffb0b85cc4c,0x7ffb0b85cc58
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,7499797481217043254,8443700964298087955,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,7499797481217043254,8443700964298087955,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,7499797481217043254,8443700964298087955,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,7499797481217043254,8443700964298087955,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,7499797481217043254,8443700964298087955,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,7499797481217043254,8443700964298087955,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,7499797481217043254,8443700964298087955,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,7499797481217043254,8443700964298087955,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4736,i,7499797481217043254,8443700964298087955,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:3212

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2304
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {632bf91d-81f4-40dd-8da8-9e8a6692295f} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" gpu
    3⤵
    PID:4436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9f84fa9-7360-4f50-ba92-c312f37505f6} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" socket
    3⤵
    PID:4608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2908 -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7fc4edb-cdb1-4c7b-85ee-55580c92f107} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" tab
    3⤵
    PID:2456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -childID 2 -isForBrowser -prefsHandle 4372 -prefMapHandle 4368 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c9fb242-0cc3-4f90-ae1b-ee7f768e851c} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" tab
    3⤵
    PID:3904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4872 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4844 -prefsLen 29198 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c237bd2-bfb8-465e-ab00-b40081ad08fa} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" utility
    3⤵
    - Checks processor information in registry
    PID:5528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1656 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 5396 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {087ca091-a10f-4293-b75f-f4f59597a878} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" tab
    3⤵
    PID:6052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86e4110c-b729-4664-a29c-77d643557e04} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" tab
    3⤵
    PID:6064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5768 -childID 5 -isForBrowser -prefsHandle 5688 -prefMapHandle 5692 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bb63710-3183-4190-975d-4fdfdf3da8d0} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" tab
    3⤵
    PID:6076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 6 -isForBrowser -prefsHandle 5712 -prefMapHandle 5716 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e041188-930f-49ef-a979-e8accec863c0} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" tab
    3⤵
    PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
605e3ebbd14dabba3e482c3f97132640

SHA1
651e87a94a9da87d6111df06159499350c1833e8

SHA256
d461dc6a5f7af9ffce80fa1181b1781c6f2bfa794d24078a6448d2ea6816841e

SHA512
903bd531e686ad2b34625f674c9aacfe809eb7559e5be2c07f4d09e414d49ae88476fe7672929cdd36ed54164a8d039a2b91ee015f9cb48114f7df45b176bd8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
0bfaa2d323ebd992621cc2afd7559b9a

SHA1
e8011ee212ab582a47f92f1aa6e92c7226ada55f

SHA256
3103a32bb96321b46ae4dda2a59649ca70aa72d009bc08876e0c29a52e15eb80

SHA512
4e2b10aa339617816bb856a7efe4ea3f35a96c9c09315e57744812ed1eeb1159c196bc7b56eac4caf260de2f7a6b77bfb6a9bbbb24694a751f8b83c01e3bfc12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
c81b6bae2f3ba82b79d4121c5125a0b8

SHA1
4129bd328743adecd0544c10f1c868a4db254da6

SHA256
6a6b9d316b7e8990a1a4d3c40b7e24dada5fe6da39e4229d3a08e054c2690a65

SHA512
92d3b62c75bddc7d3f7223ba15844ef827efed76ee31888203b9612103690f33bdb32fe4636317dacdeb61f9d81a1e23c1bdba980a6fc0907d508e275f5f961e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
6e7074a44e7bab6e62cbc6c16521cb24

SHA1
38a2123bad604f5dec45eac402023138ef2bac1c

SHA256
dce2b9b85c56f46085b07e337769a7690df0fa8410c69f869223828e9f932f04

SHA512
3f324f45b1f323f684e5fbfc397be45639ab1925b0dd7011ba75798202b78c00d64f350d9327f7375bd94db6766b6b6c44e26190f1ff059b88fee9f7703c2bc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7f440a3cd63213cd06e85da857b70a72

SHA1
84dfd0488ea49970a8556fff59efa2cc0494ff90

SHA256
ae1db5990095e5ad0628fe70942fe476adeac6df0b93fccebfe5d37738e6683b

SHA512
35d65de978e3d33a1372316148aa5d71ef175deb3e0f9d827cd778ba830014f630fd15d7e2ad77f7c46981aff3376881899357ef1c405068ae6b3c966280ecce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2eff822c7e3823aa29458b3f3aae0075

SHA1
f8825b4a2d179eb505eb2c8c78d788dbb1c0accf

SHA256
3b6290239247e37ba4bbdccc6e2a801fd50641042ff5ffb9c6cfb2ed2a5d3ce5

SHA512
df6149bdf9edb492546b6d20fe677ec644492adc508f1d4cd14b47654cbd5199089a108d4af7edbe735bc2f0ccd1b439e8a2bddf5fcb256efef744f83ef49504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed57b6f108e33e8bb64be283c8dc17fd

SHA1
1ec167c10c85ae58b52a1d081762038f3b219dd5

SHA256
813d58299c4763964216879d0d821de5edb2970841e69de4dfa76406b2eff746

SHA512
9114cd243e4c47b420899b180fec32ecb3751669ae1d6d49bdaf60e1d0474459614e758fb9c21360e8ed34af34d274e5cba2a35de8a22fe9c2a49811110888b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2e64886c069cf094754116ea1ad56969

SHA1
7281738e64a07f630a03dd510919b0e82c9fed5b

SHA256
3c5e762034f2590b8c9219612fe18ff1f6086beee9ca0c8fd81f697f04fb29f8

SHA512
940405dcbd4ec1bfa369088b29ab1ad4373c8f6a65a5eef987287d2ac12a6e4fcf9d517e829bdce8da8c926dfc4ddcadc9fccd71575a7a047822418739bd302a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
220c596fdac23c418521d84b3c49fa23

SHA1
e93ff4d4d7a753a6750ad93cd253dc80c9f0e8b1

SHA256
1960fc3235bf94178d92b459240ca2b48503033006763feaa949d64032b54d66

SHA512
e90c377804ba093430aea5a967a4b76e85219739d86a18a6f9158226611b58282aca80f6db6208dd24eb761013db896fee9f73b2ac40c8b800708285e036f8db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b1918481bd5f81b272224ad3243a4aa3

SHA1
e93b115933df326f00f7518cf5f976e8766caa01

SHA256
7fbd3923ad151f72542a3915f01f603958890a1990f9e5d04c9de0446e60a1aa

SHA512
04bb63d6579db380cc8f5be0c7f416a6bb38b51fdb5a7197a2ca62a11990c937501e38480165a3b79141b6cd7398a73e19cbdc275a6ccec74900c4e7bf93799e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
aa6da2e89f3fb583ef23a95cc9c7916c

SHA1
f32f42c58a44e005e1927c5f4fd379a861b91075

SHA256
fa255d6e1d74d468ae4cd55757fafd9c4b22c6017ed3e2662a55b3d83d000b1e

SHA512
6385e55e08895a2349f99ac8080ff09aae8932acc8019445d6fda78bcd4165f9cc36535114c75e867ad8ec0c935d5e7a783f8c7446cda5ac85f68e9339ed40cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
3456ecf01980713a35a72d9adfb06a58

SHA1
0833276b883a1721e97aa65a67085971e63257e4

SHA256
37f0343e802b4a8d97f4ea5b3aee59c81c89a0a80b184c7f582f169957de1ec9

SHA512
834bd6e96fac70614b5a537cdd81930033be77eb7c1a7942a1c1bd65fe7f37d1b04211cc3c97c2807daa871e19f3e10bc2a4c0656f8ad3ca6593631ddf60832c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
47e730199c60a62ceb663b317a05e5ce

SHA1
0bb4a3fd61bda22085c864a001766a997d7cbe56

SHA256
f85bf442d69be12ffca63ea643a143e899eab855afb8dbf68f0c5a0a3eea74bd

SHA512
0d052c9fb19a50cc8889174c35f2521699d9244960a3723b8956cf78fa36f85e2a5b4dc9fffef321c60b1016c2a3a02d53e2959f562f8fbb342709714f91c115

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
c2786d0a64b50a620658ad2553a511d4

SHA1
1ecc7c60399d581fa21a3cda5f3504822b43ecd3

SHA256
29c2ec24af050c36654106831fcfaf6e4771ee789d77e7b0d79fce7808a13bda

SHA512
c07e14ea7b1c3440fae9f6f7ea5c1c4ed722a6b2c1f61795ef3763304aa67e3785fe74d8c5e63202599f84107ab72a5a1c290243e433fb87b55a37924961aebb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\AE6C91A7A94F8219B78F6FB4AEBCFA5DD3A78D91

Filesize
49KB

MD5
a09ffdbb31471804058743ca3faddcb3

SHA1
89703ee5512ebfda7f37a5e921bd5e6dcd94f9ce

SHA256
7d344fbe7735c0d6643dcca947f8397bbee4624f312c65671494f4e65bb680b1

SHA512
52fa4b647c62b71b257bdb00ac00aa10c604c5c06c124b0ec074a7e779f6264decee73cc2b2fe360643fa413d51a64652c77b70d3a562e88987bd4b86646e6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO023C9958\pcsx2-qt.exe

Filesize
12.4MB

MD5
e7ff6f2eddaf8a80ba33995850eccfbb

SHA1
8716198efb4f73767f50df6cc4c424742b0c4b67

SHA256
5f990238824d974744b7cfcce89426794c1b50a52eb94d398e2780880b6a954c

SHA512
a951ff1a623187835b817dceb35758e3404c6f75e6b72788ee2014e96b2821aca7548ea81dd3f349653edbaeecf176b57ba9d17fd85bc1d47c3149eed8746c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\AlternateServices.bin

Filesize
7KB

MD5
4ec81c6c3796d3c9ae273c48bdbc9aab

SHA1
422ecfa8965b914d1fcac787e418e16a7d274ba6

SHA256
3da6e70e5b834f13efd5e8cb701291d42e52ca422827b0f0a333a0265cc8a0bc

SHA512
5dc95e0031cba00c654a0e9c477662e6caaf29e398fc70f86a94d3e31bdaa73a33d86e30a5f9b5f7b983926b11c913fa5f10bc0f59ad123fe8154b55b6bcd66f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
cdff5c242342b1ecb985be0feb5003d3

SHA1
3b4a540c222f34b0859f64f02fee4b91d0f66e36

SHA256
99257a68b43eb2317a2bf0c2474fd3c1c94d088dcb16b0d6e5a052364e9a58cc

SHA512
dd41a6beb1673dc4f888a5095bc6248344ec89c154bc63d2d81fc8eda9c87aa139ac4f5eb79e9308015f4b530802d38e4ea7cbe79880167fffbc045e416c258d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
31601953ef8c99cc0b315965da00e108

SHA1
e9c06d30506a181941a329785f3a7919e67478b2

SHA256
c2e78722b9d8e61658a8040e40cd26928c9640b6bd819c9d1cc04d6db2c2e35e

SHA512
ddd547c922d59e01552088d793b0981f0db0c5820a9090a66614cb9e0000730b4ad2c9e54ff309d6207a7a8a821c2a85f6341be3aa91ef71e74a3a448c79aba7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\45b304ba-4cc1-4bad-be36-6f5a4b1ae08e

Filesize
26KB

MD5
6b950dc8276f2d4b4f72dfbc11aa9fef

SHA1
33877a6a6499105848c3f509ac535668c0d0cd59

SHA256
ea0f51980b50ca8e71ef98803eddfb32a5bdea932d559337b140076d92a32bc4

SHA512
1b264a9485a552acf78a0d3de87b3b67e6345ba1b5049c756c6a7270b8c126b7157013aca88db8a1deb6703858cd7302d136c14834c5ff45622c843eb64fbaae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\4bf2346a-b77e-4a1a-84ee-981cc2dbde66

Filesize
982B

MD5
21c2229dbadd24196f688d917d0d3fce

SHA1
fd94d85517dc8d4e3b6304cc0483afe33cb947b0

SHA256
eb70711a5983a3f9a9bedf495533a9b8acb79c031c83d8ceacd958aab91cdbd9

SHA512
53a7394d7d8fb3c93e15318394f44f7ca9279aa6204632ac9febe2bdfcfaec29c898f3e0c6313b2ac8cbcb92d4f53f3cd6d1667934371c863df13bd0ff7adb08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\9e6460e9-9285-4d45-8b78-7015c8599def

Filesize
671B

MD5
e18f2cf6fdc315036d7f75f33f599aff

SHA1
091694d76029b524fee9b437c6ae206c6c57dfb0

SHA256
573173b13b146b23c1881a159314f349a4694a6c4c63dab94583705bc5e30f12

SHA512
04fe2875a4fa3870e3234ee131ec23728ace29ed3466e70cd296db646dae7fc88eff5737ff3ed807528bfb463e8d19cc0c452e2969bb509fb25aed1242009935

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs.js

Filesize
10KB

MD5
bb1cfa95dc395602fd5a085cb5bf07a5

SHA1
29593e6de58e8a9f8972a11d5426877cf19e04ca

SHA256
dd3c1eb141347989f38438b8f8d6d35d1f2c925e4cb8c057752aa721107f45d0

SHA512
78f99e80f085691a1e2353288c6f242088f4c795166c974d5a9df511f988e504ec0775f5bad2558d7088113d27e3da67c3a46def9f475c827ebffa86d59032e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs.js

Filesize
11KB

MD5
036a7d6b3f6a60c403161f17eee9a519

SHA1
75ec67c9c6c17bb577c9bfea413adf5374b807a0

SHA256
60c05b1075b73e86502d959eb20f37869c6ab64df3aad41afc6d33ff705787c5

SHA512
b9f7bb0ffbc93e87c4e7902ab81c53a408297ac966a05c0a8eea3196c78afa565216c27a64765fac7953c66c0a47a56fc4fe024fdd15215b8b8b8d2564e4d34c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
0143644c4024fac6784d4ce66241c840

SHA1
065f6ddd7d2d9eda66e2de3e34ef5dfc29ab4555

SHA256
70cbf40881c1ad7102d0bd2ae67e77283fc5ee0e38f6f7cca29bb8f68adeee70

SHA512
1d5360c863d775b77f4a59af9aa090d26e44deec3e30fc0d2de996f3010a4ad2222bbf8f219cc76b8766fbf099a86b6f2eade880c7a5f8ed6fecefd99c06f36a

Download Submit