09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Analysis

max time kernel
79s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/kernel.dll
Size

7.5MB
MD5

3addcb27ffbfeecf0cf1f4980e0b0baf
SHA1

dde794a1bb1fba39d30334b0abce6010092c5d27
SHA256

15c2a89dc69cc532d59c40946f4764aeff284fd01734c2f5783efd60ce14f40a
SHA512

3f2ed545f5f913f645506829192291098a7981afdc761f5cb996c299abe0cd5befc1585b0bafd189a5505b3543cadb340df50fbf9551de4c84b9d193628a082b
SSDEEP

196608:4uoz1uHMDYjG4mJmvoG7nAbyrxpetNvjr:4uozPoumvozbyOr

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642229969213518"	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

rundll32.exechrome.exe

pid process

1804 rundll32.exe
1804 rundll32.exe
1804 rundll32.exe
1804 rundll32.exe
1804 rundll32.exe
1804 rundll32.exe
1804 rundll32.exe
1804 rundll32.exe
3492 chrome.exe
3492 chrome.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3492 chrome.exe
3492 chrome.exe
3492 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	firefox.exe

pid	process
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
3492	chrome.exe
3492	chrome.exe

pid
4
4
4
4
4
656

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

chrome.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeDebugPrivilege	3080	firefox.exe
Token: SeDebugPrivilege	3080	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

chrome.exefirefox.exe

pid	process
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3080	firefox.exe
3080	firefox.exe
3080	firefox.exe
3080	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exefirefox.exe

pid	process
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3080	firefox.exe
3080	firefox.exe
3080	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3080 firefox.exe

pid	process
3080	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exechrome.exe

description	pid	process	target process
PID 3756 wrote to memory of 1804	3756	rundll32.exe	rundll32.exe
PID 3756 wrote to memory of 1804	3756	rundll32.exe	rundll32.exe
PID 3756 wrote to memory of 1804	3756	rundll32.exe	rundll32.exe
PID 3492 wrote to memory of 1068	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 1068	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 3756	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 1428	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 1428	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe
PID 3492 wrote to memory of 4900	3492	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaa9f4ab58,0x7ffaa9f4ab68,0x7ffaa9f4ab78
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:2
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:8
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2312 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:8
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:1
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:1
2⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:1
2⤵
PID:5300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:8
2⤵
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:8
2⤵
PID:5352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:8
2⤵
PID:5532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4344 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:8
2⤵
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1964,i,6228128765857461599,3222731156436408462,131072 /prefetch:8
2⤵
PID:5672

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.0.1066501252\1769320155" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63abf3b6-9145-499a-93ab-385021e03e8c} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 1856 1f38140db58 gpu
3⤵
PID:5420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.1.717728175\51225741" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed7ba940-7881-4be8-8af8-fda580be2efa} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 2404 1f381988b58 socket
3⤵
PID:5012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.2.1192830674\209006661" -childID 1 -isForBrowser -prefsHandle 3356 -prefMapHandle 3352 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {725bed98-e04c-490c-80b5-8530dd6566ea} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 3368 1f380494358 tab
3⤵
PID:5876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.3.620252569\1623726722" -childID 2 -isForBrowser -prefsHandle 4080 -prefMapHandle 4076 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8eeffd65-6968-436a-ae3f-2bb868f879fb} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 4092 1f386558058 tab
3⤵
PID:6068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.4.1606560566\785468589" -childID 3 -isForBrowser -prefsHandle 4932 -prefMapHandle 4920 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89cc390f-942e-4786-8d73-b649403aa6c7} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 4948 1f3878dab58 tab
3⤵
PID:4544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.5.1946809385\1150654358" -childID 4 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e70658b3-844b-4761-96a7-830f1f42e02b} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 5024 1f3878d8a58 tab
3⤵
PID:3008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.6.964740172\1869893814" -childID 5 -isForBrowser -prefsHandle 5232 -prefMapHandle 5132 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e5e564a-09d9-4801-beaf-2d0790e10f99} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 5336 1f388426b58 tab
3⤵
PID:5204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.7.1108408212\171297324" -childID 6 -isForBrowser -prefsHandle 5848 -prefMapHandle 5844 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb3d2e06-300d-4127-a0f4-778cbfa36c38} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 5856 1f38a1da458 tab
3⤵
PID:5452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
7c5ac0c0960593fb90767ff35021b183

SHA1
433e1f402d4de6fc9c7f4a5bf953d778904a5348

SHA256
5f7b655a693f15aff990850b817860481fba183eed3649c0582c6510ee887e76

SHA512
b87b1de9b1565ddcc56194f89178b2ce09779a2f606cbce17794b8f48d52bf0aa13f29192f605db58f99c921105b74a18d65809ea9a2e88c58c1a52f08050882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
b2b8088f33e5cf8f548caff4f8ce3af1

SHA1
a368abfe99bf32ed8c7ac6d14fb27d4aab4c6f78

SHA256
8547a48ee15d8e6663ef0528dff0dd5199a30778cb28bb24fa0004202f7d74ac

SHA512
8531846942c1a39a700f27ee88fc65a8e125ffc5b6829b58abfc1e99e125a370cc898e22ffcda45d90569e0093aaf7174590f16e68e422983d9de122e50dba54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
daf0ea90dfd4c3571f137a429268abac

SHA1
5433bfa2f0ece03ad0e504feb17f569e345f07bb

SHA256
5e0c6e44d962b836efeda8b8a66394ce8b640c7f407f78e9216e8443e9d45b7b

SHA512
2812dc648613304c7c06dd9214fc7564013fc69767f36cb9188aba985df6495539c67b29a85e9832aa241fe0ff5d2be4978f34f9284a4d2033218bdeb5f673f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
5c456e36f8cd3dba17709ff36a8ca60c

SHA1
9b67bdd31b3e0b7f691dff30b2f4f4aff212cf6e

SHA256
1e7217bd1d151f3a4dadeb848720c56253b5d2e820084147412a7c485fc51c80

SHA512
6665640cd0afd0bc2288fedb8c8d8a961d71b35023ca62c105d3a248f1c15f5a50b6879131aef8f75725a8cf34da04d9ba71bfc0178f276c4debf0b88db9d72a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
67bab986f2c585b4aff5585e1c027bfa

SHA1
664b468c1ae9009992075aafe7bf00ae23a354ec

SHA256
4470c757976b3034ff8112ed4575b197f3420f50ba64a81acd5feba775daadbe

SHA512
35eb18d63faf95e3a51eae0e049c29e4424779489beb1c122126219ca75a817f2e13c1b7bdcf5c88197529ae5c784a9cb4203a619b6825f3098724a4a205a361

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\activity-stream.discovery_stream.json.tmp
Filesize
32KB

MD5
f39c6c94c5fb1d3e532a4de4ed883b57

SHA1
f8307dd0f73e6290d99cc9e4773483aaa20e842e

SHA256
d6eb9295f52fa25017cad8a094a3f5c5edce9613dd8e5b7e8870b78f76ac3fb6

SHA512
02c77580a93f0251d7fde5c562bcc4067f8900bb87d676895dd2b98d1837789f9c2de5339bcfcefe668923fc78338088f1b4da74a6769cb5979f0fc92e936aa1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\cache2\entries\C6A6389A9162CEB2E1F41436B370871FECA58F75
Filesize
60KB

MD5
7279173f39a8a09cd45f7a032fc31ef0

SHA1
d3b4043417cc07ac213811f4a49697d14057d19e

SHA256
3fe105cc0964dee30c2a34e582f4292b496d7930963e11355a45c606121e7760

SHA512
dbebe49f90675eba5c70c619d120f8fbf081a08ed82eac984197658f6de1f0ddabe69cf627d78f8ebb6f0bee8d77a7772aac3b0a9673be480ebc608d7d9af1e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs-1.js
Filesize
7KB

MD5
c12c30eb03adf5a152b78cc08bc9bfe1

SHA1
268b2c7871a08a7050bd31d0645f84c2ef99b6b9

SHA256
7ff939a636ddad4ebba60d14d2d62839d2fc24f694e78ad8a757452932991e10

SHA512
70e1f96005c54f6ed49d317e8170651d677b8531d801fdfddf1549475a47781e344a700fb6cb46376d85527255d6fc21de028514d98db71d0cad1244d6463946

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs-1.js
Filesize
6KB

MD5
8859011fdc480c4cda64bcfa09bc6e39

SHA1
9644a77a8ce7dd44a2b24a770684e189f70c73a0

SHA256
9513da9b96d4cae2ac323e6d12997b517843f11044dd36c6a52fb6df6fa99ef4

SHA512
617f3c21c53433f0e19f2df7f33ad721f855c5f5678647d20203066c8776b195972c520821f849f4ee6f7c65e53ba2f5b2e49b6e49189f7c6d0467dd2968dd61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs.js
Filesize
6KB

MD5
52c47f57c6a8158ba130aea73dd30214

SHA1
a1b66acc9280d05a15a4a7815d5e05a2b6278808

SHA256
4329d17d7ee8f9c6bd4e2989ec4426244c8f5062a2de83e9787f391a3daafe13

SHA512
a5298dd8f3c4f10971cce4cc1aacb0b6661dbb00b96d91e8e2e7f6f96f54603c93be033c02113027bec8842ba7e6d423538ea9c23a54f29b6ef8fa54e9d1fa81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs.js
Filesize
6KB

MD5
791abb7370d679a1c6877619cbcb1a58

SHA1
fa78fc56dbe9cfaf188565e28e0e35b932849502

SHA256
dea1af39b7ea4a54a0a90d12705fee59b5457e925178a8fb98bf12be96b10e52

SHA512
1e665fac81ce140d27822788547e47283f68c4314649bd5b2722a5e04773736dd5ecd375b82b0f8198f763c27db518e90a728e5277bc95c80a5dcacffe07d321

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
4bf8f831253e3414420f1a17749a8083

SHA1
5b7ffcf8e88274e21b3c0a17eac5e1ff9ae89db1

SHA256
f1da0c279a14cf948afa1bc78ec0909214786caa39a06da0589dcfa8a677cac6

SHA512
f852113ee61241ef9f371ac14caf5040d2d507f174e77089194e618bb240c1102ac1b90712476bef4b25e38b6b1fe2c90380ccda7ba1ce4e67008e952b1780d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
4ba74aa8d78c08ef5561b78f1e7aebc4

SHA1
f4152855f91bab37b1a74cf1b282d8ac9cf3a7cd

SHA256
3b4166b885400258d9e330711a848be6f115c3f045abf6f986acbcf45e79ca8b

SHA512
445bcefcd010e3d5a56748b71adbd75201baea10ec49b8d3b4964ed38037ab9b5b120b9eb17b70ccb3edd6b5fe3677042f490e81cbba2d10f3e18b10fa3d8a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
944a1cc0a39a05d98a9c8fe277f26596

SHA1
cf1c348f831086eb18a27f4d25da5eeeda92f7cc

SHA256
8a35ce925c3817af483d8429872f0efe48d488ed3a5b9a541a8bee799ab93922

SHA512
a25e16ace3000aeaf041efea5a96079c7c787fe649ae40ac0b6a71b491b579c07c2335b519c758b7a9090e581d22015642ecba73b5928bc431e5903eff001f9e

Download Submit
\??\pipe\crashpad_3492_WOERUQGERJBYQXIG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1804-1-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1804-3-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1804-4-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1804-0-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1804-8-0x00000000744B1000-0x0000000074B05000-memory.dmp

Filesize
6.3MB

Download
memory/1804-2-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1804-7-0x0000000073E60000-0x000000007528C000-memory.dmp

Filesize
20.2MB

Download
memory/1804-11-0x0000000073E60000-0x000000007528C000-memory.dmp

Filesize
20.2MB

Download
memory/1804-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1804-12-0x0000000073E60000-0x000000007528C000-memory.dmp

Filesize
20.2MB

Download
memory/1804-5-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download