4ba50be2c056423d1788cc6f2e7e1444e069684c14a302d1486725bc736d30c3

Analysis

max time kernel
63s
max time network
64s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04/12/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx
Size

135KB
MD5

3f6f93c3dccd4a91c4eb25c7f6feb1c1
SHA1

9b73f46adfa1f4464929b408407e73d4535c6827
SHA256

19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e
SHA512

d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4
SSDEEP

3072:AQ++ZdS5+fnwcxO+XwquyeNnmraugZ/1DOoncWD/5q:AQ++/PZmlyeNnh/1SmRq

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133778224717987820"	chrome.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\.crx	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\crx_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\꧟ȥ\ = "crx_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\潬灯s\ = "crx_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\crx_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\crx_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\crx_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\潬灯s	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\秋‟	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\.crx\ = "crx_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\꧟ȥ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\秋‟𐀀\ = "crx_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\crx_auto_file\shell\open\command	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4468	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	firefox.exe
Token: SeDebugPrivilege	392	firefox.exe
Token: SeDebugPrivilege	392	firefox.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3448	4468	OpenWith.exe	90
PID 4468 wrote to memory of 3448	4468	OpenWith.exe	90
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 3448 wrote to memory of 392	3448	firefox.exe	92
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 1972	392	firefox.exe	93
PID 392 wrote to memory of 2340	392	firefox.exe	95
PID 392 wrote to memory of 2340	392	firefox.exe	95
PID 392 wrote to memory of 2340	392	firefox.exe	95
PID 392 wrote to memory of 2340	392	firefox.exe	95
PID 392 wrote to memory of 2340	392	firefox.exe	95
PID 392 wrote to memory of 2340	392	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx
1⤵
- Modifies registry class
PID:5040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx
    3⤵
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1884 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0ecb8d9-636e-483d-94d0-316be9e11ca7} 392 "\\.\pipe\gecko-crash-server-pipe.392" gpu
      4⤵
      PID:1972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24601 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {577ddf2e-e37a-4fb7-9ebe-24305bfe2455} 392 "\\.\pipe\gecko-crash-server-pipe.392" socket
      4⤵
      Checks processor information in registry
      PID:2340
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 2720 -prefMapHandle 3140 -prefsLen 24742 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3023fe03-e33b-46c9-a4a4-712b418010b0} 392 "\\.\pipe\gecko-crash-server-pipe.392" tab
      4⤵
      PID:2924
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3572 -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3640 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {745268bc-8065-4c34-9626-89dd06bfe598} 392 "\\.\pipe\gecko-crash-server-pipe.392" tab
      4⤵
      PID:1392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4988 -prefMapHandle 5040 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0845778c-dc46-4c3a-b91c-71ae04ed093f} 392 "\\.\pipe\gecko-crash-server-pipe.392" utility
      4⤵
      Checks processor information in registry
      PID:3772
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5304 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d21dc73-6ef9-490f-aa69-06e196105387} 392 "\\.\pipe\gecko-crash-server-pipe.392" tab
      4⤵
      PID:4804
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2667351c-73f2-4ec6-8129-4799910e07a0} 392 "\\.\pipe\gecko-crash-server-pipe.392" tab
      4⤵
      PID:2144
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 5 -isForBrowser -prefsHandle 5668 -prefMapHandle 5672 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f408e55c-9aa4-460f-9853-65194af0a0a4} 392 "\\.\pipe\gecko-crash-server-pipe.392" tab
      4⤵
      PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7fffd3cbcc40,0x7fffd3cbcc4c,0x7fffd3cbcc58
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2076,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2400 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4592,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2276,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4792,i,958638520191695084,6635772751587370469,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5208 /prefetch:2
  2⤵
  PID:3996

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b631330b022fc005406db01b7a8aac57

SHA1
0703c5b59c515e4dd25a9cd2234c62c687216aa1

SHA256
b49c9bd95e6f5740e4887c71bd8a01b313f13974c730098dfeca6201d010bab3

SHA512
cff6e058f4331fc20544e572fd75f9c52184a92472924145e6d7a66328b850c31b82d929cc306392bea51974bf9cffd36c47bac781c6ecdb37826e207fdea852

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
32a143a1e98acb77a3b1bbe0e80cd7bd

SHA1
27ed46dc398fcb359e40185dc276736678ba7555

SHA256
126c54aa593faad8a067b074a8a81cb9865ce817874e32ee602ff55e86655c79

SHA512
60121b9505a48291d69c3d79ce449457ac4a5a54732bed95d5aac424dcc5d9c7255649130827e250e338dc3cbb3753c1ad6804fa170b3b5248c1fadcb62a6c77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cbb6d09929075260eac73589de9ff968

SHA1
08e9e8874eb745e0a9fe50a73575ad4677a2daa3

SHA256
5286cad5f09c112d5eb44a0f23786464392116d63e842b8a67997b702f149830

SHA512
77afa87c0202100dfe6e97cceef63e2d696a857b6c5de195c985ea123dd72b7ecbea34cbd9222b188134ac9d10e45b94a2f9fb5b03bf72d8e9388f4e085bdadf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
795c40d53594ff29a49a79201b68cda8

SHA1
b0790eb13e8702c29e3c8145bfbc94a8908a1a10

SHA256
49262e947ce04c5cf2123c6ca07a988f88d47d6fa154a3b637e1e4364c47dd80

SHA512
c03e452f0c626e4155b038c67de862cefc5ce905a678eab8c09af47f64b5182f204732084e16430e725118558be86f488a6c0bf02329944fbc229002077f8584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1e68b1a0392a00ff2a24c1c831ca58e5

SHA1
92ca217eed96b0bdeccd100ac4b352badbcc9f51

SHA256
c2d4b9082a199f839de3605344a5cfa0ca8e4043da5fec6fc67dc9abeb79c28a

SHA512
f95d58953c3233f09933bd206203c778c1730d4867d1f53fd1b52f7708fec19c88fbbbfadd03bf73ebc07326e902bf34c12d2de775f051c5d014699e7ca10cc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
380598ef8f3e7c464a74e6e4631f052d

SHA1
b211bccee90a8372e28a97c9fb78da8f77b273e5

SHA256
8bd49c9843ba7c48d080135bd0c3faf2de42d5911bf50e865732ed33483d2c19

SHA512
6df464d3d0901d7e2719cb088292835ea6b7e4b3fea4a77dd51e2a203ea27901dff9b949aab1c84507395f9b9be7f83d0c87ea8deb0feb6054828e7462d76bf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
2a4c6412a68b4e393be7f5b85b98555e

SHA1
72ceb2a0daef524b860d4463e9b04647a04bd1e7

SHA256
0f452549ebe9c75d3d48204143ab868a02c7f2830a6e6a6f7b524703ce41a736

SHA512
a80d322452feafff2600ea16276b3d071f745d9a510b6ddd74f72da2d00a2f642736dd9ec981f2167dde11da8411d8c3a5970831ffedd7d901c13a649df8dfd3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
ed7617c705839f2b070f1d2c48d2bba0

SHA1
c68f92e8a3237cf44b4e7705d9e51419a85c29c8

SHA256
a0e9aeade7ea304892f8cfabd10c44ff7434af7606aea7e92326ab9efe5a5b4f

SHA512
08a439f30a4e7a5752be4a1fff911f50a4e1cd941f97c003017a23b11719bd7df5ba0972e5213a92cf33e8b5a3e8dfd884b358a101c57b1e2f5882be7056b089

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4276_1699084698\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\AlternateServices.bin

Filesize
6KB

MD5
ece301795f1bf71d3058791f54a3f54b

SHA1
61f55ea7992fc6b68db3d96f368b65cbc8c695db

SHA256
6b3a5dfb4d10f6c879f6af310dc748be677e000b9ac5da76f2be3ee1eb2bc25c

SHA512
a3a370ceaf28d04180f240780cb49ef5f25283fdf4f47be3da95837d2bff034ecfeab77f5501281e3d4209fc2d42c28b4df9c1e4aa8e4530e4d20f3c98a65fbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1a066b94a12905a54fa4c83360f3c69b

SHA1
cb2bfa6f209635e5bfaa3279da2000d4ec28799f

SHA256
f5bf2488642ff09aed0d8c11807ab89a8180c6b44807013fd541cd353bef8e82

SHA512
d64c31bf2a4016cd8f4a5572cfe164058ad266c24505a5dcce6cc9d2c5445c219e242aae7b313f2267c4fb01a689aa7c1a2831ef963def956a1314be70389c86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\datareporting\glean\pending_pings\2a5c1c8f-b98d-488e-8e47-f12a312865ee

Filesize
25KB

MD5
5aed7a7c20e629ca5c7be8e128790bfd

SHA1
3079a2a02a7dbbc5c11410801f28ca6e68e427f9

SHA256
60445c0cd0a668db31020ee82696540844306c5f473167aa8deab676a0b1af22

SHA512
a4440ac4acc68aca1518e12a10c794bc10cf56dc819b9f270d0eb60bbaab21c23c75fb5c2c60604c5677f7a30c418619acaf7c601a6a3f9681b8af417a0c0103

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\datareporting\glean\pending_pings\72b52010-ddfc-47e6-a626-f3b38f28373e

Filesize
982B

MD5
5690241e8c2b9aa9f2b5ed6026441d82

SHA1
640078587bbda76d37d084e7177349cd367a64ab

SHA256
0a8426d53e9bd48719de09a65784d6ddbf8e28e0ac5d5cd821f43d3b70a8b395

SHA512
35ec3080d05cfd8dfa76a68e3144ff7b7234b077d101dd55ee9e6253126ae515d5b66f2bdfdf19c5f0a75d5ef510ca9112c8b664681f25704e9a9e32acce7818

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\datareporting\glean\pending_pings\edfe53dd-236d-4729-a6fe-c62ad4da3fe0

Filesize
671B

MD5
65ed04dde8a8fe62ebd9d3fe644e938e

SHA1
4d91942291e11c10d253d2ac72ac652f9b1831a7

SHA256
29ed4405e09ee0be489c65ac45a8cc74803b87b472e0f958bd508398197f463e

SHA512
fcfdc0f9da843b5dca5b6e7c08961f5ac69a684b627466c0dfa975af72bf8e1c3d54bfbf5991c6888ccb1bd7ce2fc626c656c5a1fe5ed0b49313905e1af3ba89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\prefs-1.js

Filesize
10KB

MD5
1c2f69ad833aa2affb30d48156dd8570

SHA1
79ea72b1590d55f9c27359407337b933d9c4b364

SHA256
fee457511c7373c579793862cad04370804e24c39a9f8865c5f8e04b6872faab

SHA512
c27e890306974efe40e1f935402d0cf812c2238989c5f656130944d7f00bb3d4257112ad3d2bac20b33580d06e8a8d482bafe92bdb01b290ee3d6d636ed5b8d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\prefs.js

Filesize
10KB

MD5
139820988c4379bcf7169f86f2443646

SHA1
df160337ed79f8fd1f87064707bce703c196cb72

SHA256
6c828d03de620c6917dbb0fdbc2b1ca13e3cd311dc0057d3df3044033cc42ac7

SHA512
742d9525dc82024e8be901d087bfaf7516ce3edd5336a67de7e9dbd0207c19ac08e212d06ab0aa7bf33122ac7b6d8c3f338afd579d7034c5ed574279fdc13984

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2dtnzpu.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\Downloads\pDoq1q1W.crx.part

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit