fe13d90d6b687cd2f5ef09f5442ba7771f576cf8814542f252c62940625e9bac

Resubmissions

05-01-2025 15:27

250105-svzd1szngr 10

02-01-2025 15:39

250102-s3ysfswrgt 10

02-01-2025 15:36

250102-s19f6swrbw 10

Analysis

max time kernel
109s
max time network
111s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-01-2025 15:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2025-01-02_f13196fb4909a242e615ac12ec069b2e_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Size

5.0MB
MD5

f13196fb4909a242e615ac12ec069b2e
SHA1

780cb0f18b61462e2589ad43e07f7d238777ef8e
SHA256

fe13d90d6b687cd2f5ef09f5442ba7771f576cf8814542f252c62940625e9bac
SHA512

fe86652e792708676b3010e4ae6900d4cc7808d18c4d7379823670d99b0b7b45667e1d25b95f8f3deb1f6180a9ee34f5fa7c32f62ccdd675148b2dcddebad6c8
SSDEEP

49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6liK1uOCeXvpnz:r56utgpPFotBER/mQ32lUR

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-02_f13196fb4909a242e615ac12ec069b2e_cobalt-strike_cobaltstrike_poet-rat_snatch.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133803060762044336"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2084	chrome.exe
2084	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	firefox.exe
Token: SeDebugPrivilege	2052	firefox.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2052	firefox.exe
2584	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 4972 wrote to memory of 2052	4972	firefox.exe	80
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3032	2052	firefox.exe	81
PID 2052 wrote to memory of 3660	2052	firefox.exe	82
PID 2052 wrote to memory of 3660	2052	firefox.exe	82
PID 2052 wrote to memory of 3660	2052	firefox.exe	82
PID 2052 wrote to memory of 3660	2052	firefox.exe	82
PID 2052 wrote to memory of 3660	2052	firefox.exe	82
PID 2052 wrote to memory of 3660	2052	firefox.exe	82
PID 2052 wrote to memory of 3660	2052	firefox.exe	82
PID 2052 wrote to memory of 3660	2052	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-01-02_f13196fb4909a242e615ac12ec069b2e_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-02_f13196fb4909a242e615ac12ec069b2e_cobalt-strike_cobaltstrike_poet-rat_snatch.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00529e4d-96e3-4e04-9c64-1eb823055571} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" gpu
    3⤵
    PID:3032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1dc5635-22b3-4b29-bacb-91226f0138d1} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" socket
    3⤵
    PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3004 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e57b1b1f-1962-41bc-b39e-8d3f65481645} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" tab
    3⤵
    PID:2600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -childID 2 -isForBrowser -prefsHandle 3832 -prefMapHandle 3828 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00c6de6d-7dfa-4d28-bc43-7c945db01dcb} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" tab
    3⤵
    PID:3772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4496 -prefMapHandle 4680 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e965126-cbe3-4d36-9f16-9ea2bba4b8f2} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" utility
    3⤵
    - Checks processor information in registry
    PID:1960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5176 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6278e23-b889-4779-8b76-5574e7dd3532} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" tab
    3⤵
    PID:2612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9c5a93e-d58c-4b86-9e04-1fdb784d74f6} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" tab
    3⤵
    PID:4808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8fb8436-8eeb-494d-8485-82723000063c} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" tab
    3⤵
    PID:1436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6176 -childID 6 -isForBrowser -prefsHandle 6172 -prefMapHandle 6168 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5f42ddc-4224-4a85-8b3b-18d6f4c6c602} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" tab
    3⤵
    PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c030cc40,0x7ff8c030cc4c,0x7ff8c030cc58
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3752,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:5116
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6da974698,0x7ff6da9746a4,0x7ff6da9746b0
    3⤵
    - Drops file in Windows directory
    PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5444,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4660 /prefetch:2
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5356,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3240,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5712,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3328,i,15687012152805196572,2828759837091900597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:5772

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a14855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f0995eaa6ad0d3316058705962b1f77d

SHA1
41f94e0adbd3c98f0a2cb294c9ddcba0b4c9919e

SHA256
e4ae557aed199ab2840032ef6afae5156caa776e8f8a3ccce9478abc07554613

SHA512
5a0104435469cf03613b8cbd605fe3d8a6e683a82facd3f8fe02b9a9a08ad2264c44176ad827f29fc92f3f63da2c3b6a5b3bf2e166f42035800375175a1ad765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6acece65613bb9356aed4a0ad8fbe188

SHA1
06e8276da9371e1e965afdc2288015d6f0e8620d

SHA256
a7e021b73d2ed33d953c341915a8d0ba50562594eebdc280eea5836979ac6851

SHA512
dcbceca28279582a67a9d6c0f16d6337bdccd7cfe84d5bcd27f2712132be4db308271920b90d7d0f52b239469135b038c32ef3a5653fc51d8fd01878f9c8ab69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
28b01f141234850906ad82e7d1100685

SHA1
950ff1462c19c555c251292086e5c25588c6dcd7

SHA256
9189cd3037c71d73def3fdea60c3018d0af0204c6306edb6d49f908c5f2d62ff

SHA512
8d67bfb5f4aac3e5f2efc689af60ecdc883a94da775b2ef9dc3ac05022f31417acfa01cbf106517bd153e5256df90862d42020c129bcfb117c1b9c2d0492e343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b2aee7c4551a7ade9f222b1c73c39b0d

SHA1
149c824fd586a34485efd53fe76595c0033d8ef8

SHA256
170a9358b253b6e4b09d236ddb70f7710e7f188064c84d59b4ab412a512f3e94

SHA512
568bcad9bae239290cdd2bc4007b5190ba777e579bbe7b3910efc5609ab9284b96fb7009be41a1cca80c18aa3d3813b0001199579d6426848ba620ac71e7a93a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c0e74795c95ec53169ad75a35906d3cb

SHA1
5a412d75c22acc163c3cfb454572553cc6b1c7c2

SHA256
acb2e1b65553cf1d8b50c2c6f97d3d14d154f54f4ff36bac541de20560f91663

SHA512
c3bce2d59c292df1a88e241da7f115a90c6b6ba4418ea07064e9e84f12951b120a5a076f9a388ee932d2da1dcd3a25ef75f5c353fd50a337d5a04938665fdd78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c01d3a2f194b22dfbcadfa7d482c9ea

SHA1
2c004e18d3add44e3f1630c66bdfc4dd53efe788

SHA256
f4143baa110430861b261df8149d2d8b498d825f0e21200924fa5c0e620173b4

SHA512
95ff73b3d31d05e77ca645cb96b2f1c47a65a237965216547812e675ae865c53a3b535163eb10ea8a1b693f79f19f2e9e07ba61800804f2b31cbd3c90b6136a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5615d16b70b3414bc704a11f0b75afc6

SHA1
215d0b9025eff0456ed405911e7c6954ef51e7e0

SHA256
6faf0e099b8f6b49ede45127579a88e709a9dc4c02a321c3cfcc2af8bdba4f57

SHA512
02f158ac0632c67170f36ef917758ad5996fd9562d4b6a6a3b7d78e628a5fa23e5e94f03c1869fba43a20a7669e3f41dffd5d5caafba9f5ed73c37c6c476d415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
dc3568c0659e37b3ea91a7f9bc210428

SHA1
2124444681fcf04f5824a92b0bf89d5cb84583e1

SHA256
6f25bcd4ac9e15b79b1d77ef9372c89898261ccecf5dfdb00d1c7a85793f16b0

SHA512
ab18b3d80ddf0b002db1a213dd3b4d0d10777adae05a618c75d3a527f4edaa529a7a3b35d0fe4e14212c03fafd3a949adaa2e0a28b93e0f0e967b0b8a620a948

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
8a8c62a702d8b3e0721e1f42a0c1a40f

SHA1
60a8d657e8afc8195cda201716443ae54a37e8f0

SHA256
39202e70aa379f210c8f1b713e6aa9e8abf69361bb3cb31cce7ad0053d8854b4

SHA512
e7b9b3509d601257a16e8777eff7fd5c2d465c5b238da6ce1a24638bcf3ceb3ce283d5c9bb572fde8b12e737c4b44ed714f4d064f1851c5b8dec8de2bf65b7fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
f2e42a2ee3120434d84866e5ce31b1e9

SHA1
6bae35812cdd6a8fd57113c3468dfca5cf00376a

SHA256
79553700d090e658b7af10157ec70c6d27070e04af999222dd8db53db26400cd

SHA512
0cd4178effe21d14a940ad115f23e7e70bc1379a943826ccb608498b6531ae2f60e4c93bae2fc00e7830f60dfb8798bf8b7aa372b36285140742e1e55e6018ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
f7ddd13149f1e5a22f36deef28f8265a

SHA1
d525f43f0a2a9f82efa5241adc9bde37f090f7fd

SHA256
d545223d9bd9ad41917b420d4af18196f6613cc8d35fe60bb5cb10e3e9b6763a

SHA512
dd209f2bb74c3991f9234e6c56c25c4f098c2d6cae29441f2edd483166453280ffd17e1176e02443727ae678a3ac02c0e70578b5202a5033a11ce5f39d5d0903

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
63f96d863cbab0882afbcbc5eafde7cb

SHA1
ffcbd34d266147d3afac98b47a4248e0abb5dea4

SHA256
54626652b31ba90efad3906a6e5480f64781758615932d9b461efd3f7e12c9a7

SHA512
5756fafdeca1a4ba1f8a37db70e6d4a3c1f323be649db31641ad2459b04740c4cdcb42b779a20d405a135328af43b505ad58a8fe3f657fcd3d342a8b6e8998e0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2084_1783125915\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2084_1783125915\a6be834e-13e0-4f7b-9095-9f341bf78841.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\AlternateServices.bin

Filesize
8KB

MD5
6057f247607f7907752fe081267f4847

SHA1
ea7950f5849f78115b8b6957c3dd3579645530c1

SHA256
cd9024eb19129a942b7e729a5c17f20bcac1cf15721e565fe1bdde455de17bba

SHA512
3ae8944693c4c2427de26f133a1f45f913bdf9b27ab91bb58bb3f6105ad8faf1265d2b2e7e3c2f082c8bb7abe85ac1a2f961ccc14e838c26fe837c3d7a748536

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\AlternateServices.bin

Filesize
12KB

MD5
5c32fdc21b3c5d6ad0c432448ffa0f3a

SHA1
a75110dc37040eb694b2151a1598769d0b629d86

SHA256
aa965ff910774b5dcde517528984b79df9377a0b597474ea45f9ee9f0ada694a

SHA512
af217bc9d939765d69dbdf787c7cadaad9c8c80d8dd40da8662655984f38e668500c5a60b337b856fde475f3a3f23c8950e09cdbf85f483c307df25c86f17f78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e68ddf12a7580b8b71c6c7bc4f232f03

SHA1
c021f5991f53cef8feee284a4b8e5513fe3441b7

SHA256
9f7e2d6d11e2d0293a9ddf8cf631ed813c21b6b9a0831c3dbb7e5d541d28c380

SHA512
2c54fa146da3c1f287c41ec61ee89c049ad2f2535955ea571e09aec2af627425f2f3fad2129a9af336880f4e00fbfaadd291228d302b1b25128c7c81785030e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1b3088d50099a82c326a4390a865bc54

SHA1
39198c1d02c9bfcd9ae62968c5c31b28b4cac71d

SHA256
32f4fce9a79e6ac2c378bb11b8f88f58cdd4e0765603ff315bec3e33314e0857

SHA512
09864fb6e74d0e2cbe57d050ad9268ac91338d8bdd262d3f96c9ee24bbd78311378a31903d23a4691aee7f8bdd88bd7f72c2629f701a6913904b2f33d6d74366

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
b488d388be31bf6b5b31b91b123e2fb7

SHA1
26a9d39169baa05286bb1ee54a5566adf2c8956b

SHA256
c98b77a6e21285550c5c221686601d8f7c28cc6e2da7650709010aba16bc531b

SHA512
f35fba14e6e4e2faf34ba257f8ffaa16ecf408e37afaeb38bc1b67b406321c42daa3d876fa51a40eb7ddde0c03a0272791bb29a153838675fc438341d57a93f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\278dbf4a-582b-4ab7-9439-a8d81b794fd3

Filesize
982B

MD5
dee4b7e2165101652acf8b40da12f27b

SHA1
472a21c6a78972617d298f816c70fe4bb2e45343

SHA256
27f5dda16def6e28bed892b22c9bdcfa5fb8748ecda46ffaa6cb39b6ab8eedcf

SHA512
a45700741946cd4d6b9209855dc621e6693650ad666b78ad62dd975493a62b53814361c76b69e4d85429bd75add8a182053c18eb2a9c419a124e750e54d6ec7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\6c9ca76a-fca5-4a92-80d7-e81eadba8e72

Filesize
671B

MD5
705ced1a75d5da3908c4fbf3ec9b9627

SHA1
af19b32b48d2e3ee52df70b8910ebcbb1d33265a

SHA256
73985f8eded0c4f346b094c539c714a87af8fb8dbdb2af0077698fa94cbc3901

SHA512
de7fc571116e087da6276b234b7966cdb8124a22286de00fc89af6d265bc2b7b9c87f13464c7050b00295c3c287d8fda6c2d3eac7d65faa272d4bbf425334df4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\e1273d00-ab51-43e7-af3d-41302f9695e3

Filesize
24KB

MD5
5bec25377ab88f409957ceaf661b455d

SHA1
b4d50e64b23058245c4dd4eaabb288625df640ba

SHA256
eef6f74d1320c2fc4dc1f1537f9cd56f99ac7dd87846c6307a67b078d566ac16

SHA512
38e205d1f1a68a28f3c1437507c1597faf0caefd69c0b1b5a0a6cf28d80492ff164b80e3bea49fe5e12c0d0cf9ce90ba4359854b43097f41e5baaef4de368bac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs-1.js

Filesize
10KB

MD5
8294e2e7897d8afaf3275505157a0342

SHA1
05e1ae22a527c0b92c3f86e85d7543cacda30e75

SHA256
1f6e04c30c943bc28c2bc692b272358c00c857a4447c0e48b110245e4c2a568a

SHA512
4d3b5bfde4e71767c34b066f44afb35fb7333eebd10b8e754cd9ce9760096647f635e06fad90ae0b09f10f97fb24bf75b02c49c68e3f63b508a6a2cd6e0201e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs-1.js

Filesize
10KB

MD5
f92e73b14e791dc51d7cb28ebbbe81b5

SHA1
e372f6d3843948a053e3344f7c5bea303a04fc90

SHA256
e743d6e151ef6597ea1bb7f5f52767ef9815feb149cfadb088b746ccc1760a78

SHA512
809f2ca1dde10f1437f11719b67d85315007578c3858e9d08e1142bd464da669bf4266691c7ffaa84e906a1f4d76dfeb6427816268dffed9bdb74d48964f10fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs.js

Filesize
10KB

MD5
d00c5a3bb98af0dd84999740e0bd8a85

SHA1
17d1d3bbe23ff323d86c88e7b923397e8248dbcf

SHA256
06ebc5c084335f9b856cb4bd149afc89e26d00d4fa9e8e29dd22ba1cff35df0d

SHA512
dbfd348af8ca069bc42fb1447d26a2a11d9291798883849f9835bf88e9946bb79b8dd88e08456478ed27aa0536f9c916e9595caf6d267658b51ebe3502b9d170

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
96d0687358c9480bbe9daf2e406fea04

SHA1
ce73746c9189a2b4a84ca05dcaed1530999ded06

SHA256
c1d420a792cfd24cad40c62038d72dddcad216ae5d2fa0e17cfa2d80b69658cc

SHA512
799429963ea674ef91796513d045c3311a6429ed473cb65a5123435ba3f5c603526da3182cc09dba34a60552ee8c5e04f8cb57c050647cff9e16d165568787ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
26e62a0b8619df06068f3d42e4633396

SHA1
e875400143538e80179086a9dfdbd70dff98aacc

SHA256
998a0df580d2d5ee9b1e77dd3c7e06a4c8b530a42c7b76687eadcb77bb5bf5b4

SHA512
7803d4f49c801deb16089b3ed3690da97ebe7c72ed4ebc79cb10eede8b3a6a0b0dc4569c042114c2d982f3dd76afeec4bc45250700cd243cbe06d4c426aecb09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
f4a4c9c0e6095487f5255a09fe59bcfc

SHA1
053b910cce3191b28e68d20fa6b1dfe2d7aaa178

SHA256
e1831c22965dba00c6fbdd6067524c8da3d94c7112cca1dd61010f7512f05042

SHA512
c4d7cf16d21261369d5ec48c6d665eb92b60b1ca1efeceda277514ea816f53ef2a3daf06600eb7f6ef1351a2f35fcce9b85c2c541c4597aff1b4289a7ba20452

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
61ef62ff6209b17916e898157aadfe42

SHA1
e459f87acc8b24e47837021b555fbbef63205536

SHA256
4f363fd779af39bae46aab453b596d0c20bf71f280f371791e6c6ad6b727ba2e

SHA512
1dcc542ebd7efd2531dbac003564fa7c69a372fa33869f66d74038bc7d8826b0866d833d54ef848373a0da5c010ede4888040b172750f3396d57155094778a05

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads