hxxp://qrfy[.]com/p/XUAHF6P54w

Analysis

max time kernel
300s
max time network
296s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11-05-2023 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://qrfy.com/p/XUAHF6P54w

Score

10^/10

phishing

Malware Config

Signatures

Detected phishing page
phishing

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133283218076627670"	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

404 chrome.exe
404 chrome.exe
4932 chrome.exe
4932 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

404 chrome.exe
404 chrome.exe
404 chrome.exe
404 chrome.exe
404 chrome.exe
404 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

chrome.exefirefox.exe

pid	process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
540	firefox.exe
540	firefox.exe
540	firefox.exe
540	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exefirefox.exe

pid	process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
540	firefox.exe
540	firefox.exe
540	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

540 firefox.exe

pid	process
540	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 404 wrote to memory of 624	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 624	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4092	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3720	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3720	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 3028	404	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://qrfy.com/p/XUAHF6P54w
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdfc269758,0x7ffdfc269768,0x7ffdfc269778
2⤵
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:2
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:8
2⤵
PID:3720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:8
2⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2716 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:1
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2708 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:1
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:1
2⤵
PID:780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4540 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:1
2⤵
PID:3436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:8
2⤵
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:8
2⤵
PID:728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4996 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:1
2⤵
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5048 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:1
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4588 --field-trial-handle=1784,i,17511053539040953534,11840270843367752458,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="540.0.1846033373\1950984540" -parentBuildID 20221007134813 -prefsHandle 1640 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {155d5e61-70e7-48e9-92e9-879e824c51b9} 540 "\\.\pipe\gecko-crash-server-pipe.540" 1732 1f1c1b1cb58 gpu
3⤵
PID:1648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="540.1.122999914\37936736" -parentBuildID 20221007134813 -prefsHandle 2072 -prefMapHandle 2060 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c712e5aa-3cea-485b-8d7e-1598098b18d9} 540 "\\.\pipe\gecko-crash-server-pipe.540" 2088 1f1c0913558 socket
3⤵
PID:1232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="540.2.1655357279\85964465" -childID 1 -isForBrowser -prefsHandle 2636 -prefMapHandle 2812 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03b9e1de-e53a-4a2b-9c6d-09fce9fa8050} 540 "\\.\pipe\gecko-crash-server-pipe.540" 2904 1f1c4929d58 tab
3⤵
PID:3264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="540.3.1827959250\1646310493" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {042a6fd9-f0e6-4408-ae8d-74161c5394a7} 540 "\\.\pipe\gecko-crash-server-pipe.540" 3484 1f1b5268a58 tab
3⤵
PID:3984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="540.4.594289161\990988419" -childID 3 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a865056f-b4f1-4cd4-9f5d-acaee3c77019} 540 "\\.\pipe\gecko-crash-server-pipe.540" 3928 1f1c61b6258 tab
3⤵
PID:2200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="540.5.647260187\44108571" -childID 4 -isForBrowser -prefsHandle 4792 -prefMapHandle 4776 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6efa5512-e90d-4e67-b731-a8ec75d9aae5} 540 "\\.\pipe\gecko-crash-server-pipe.540" 4408 1f1c6de8c58 tab
3⤵
PID:4420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="540.7.1895186243\1982775451" -childID 6 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2f06187-f0ff-45fe-9311-2cee8892536b} 540 "\\.\pipe\gecko-crash-server-pipe.540" 2580 1f1c701dd58 tab
3⤵
PID:4436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="540.6.963531926\1221806419" -childID 5 -isForBrowser -prefsHandle 4984 -prefMapHandle 4980 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e490135-74ed-4570-90da-1b217d02990d} 540 "\\.\pipe\gecko-crash-server-pipe.540" 4992 1f1c701c858 tab
3⤵
PID:4428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="540.8.154536519\1481748573" -childID 7 -isForBrowser -prefsHandle 3492 -prefMapHandle 3112 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb448872-94c5-4a04-a4d2-46e6b1ec7b74} 540 "\\.\pipe\gecko-crash-server-pipe.540" 3088 1f1b525be58 tab
3⤵
PID:5004

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
600B

MD5
84bbf0050f306a45123e634e90228b21

SHA1
1de48546d608b888421063e04540f5d1b3eef8db

SHA256
eeaa9693606b8cf75a9f75de1433b26aee44771840004bcc28ac5fc1f16bca72

SHA512
48bcacd251d2feb428743a48745706459a49eb2a68b4052f55c181ff745c8c98a5b499b30318cdce7c90efe62d034e387b0b48f47bf5619cd5e3f611f24ecafb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
baecc84fae20d815e1a07a0fefee4f40

SHA1
999d7ec17389cd114c833b0894278c9acc318a9f

SHA256
dbe1fecf02421bbd8200ea01f7d2e32cf6fe158429c39f32bd47351b3897eec6

SHA512
c001090beedb818b04c5f7fcd99e6179a1bc4af8a5765cd3e515b740b2e3aa0ed857f3862ba626e6dcacefda191d2f0cb76679c19fa8723e2c1ca96ec70b73db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
a8f4c2c9f8c2877721a60750e21f3b2c

SHA1
9fa5668329c4fb84a14447213c557d2f484f576e

SHA256
07505b7eacae1869cdbfd6c94ae85bc7f20b6ddd13bd738283a7dfee9601f6f4

SHA512
fc851016aa3adb94f87bdce3a01390dde4c10d1f98f474c4d07c71de14a66fb14dcabc13c1e13c0c7a3c634a63ebacb57224a00d21adcd101b69112c84191121

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
7be8787d29ec3bb1b5431624548cedb5

SHA1
95f8bf7fada829b22dcbcf99a0bcc8dbe0bc93aa

SHA256
36371b886082e1690174f1b63867e6d7473b010cb11e5eb5b410610d6448dca2

SHA512
7ec2943000b57a2f9d41c880282d431c325763171b38c7e4909450045085f386e2fea1658899ecafe565a173942a62bae6a2d48db709f8555e65f79a68321cd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
93f2cc9abceda03be7f436b7dcf13201

SHA1
d31b3b9077a28cebe2c7b36497bc0842f80f0a8c

SHA256
a91a4747b0d7c62749db7ebca11903852097f4a4dae9fd6d99063806b1c10c6f

SHA512
9d2e6cbfb480f1046a9b1ac4792b3067e2c3f2d4457833b8675e67f88c9a9acaa4777a924e85f6dd54c65b1522789de1324d55a57a251f6293446d3fbafc777b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
8cd0e7d51aaa0b08c0b357363f46de7a

SHA1
2ec7a9e7fa3c12b5df8348db16bc76fe10bb20e3

SHA256
260ae6133ab43a626523d5bd3cdf9a617d263f2e5855cddde3b5c2e5c53f0f9b

SHA512
f720399289ab1c372995fb1d2a51999fde044d2ffc0ded8db28802c6b9a305cd01ad6abcd3591e5c8ef857622f431adcb2d96c6f31c1fee9ea9e1287d5d40964

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
d83e02a0d3df1d4a05607c602e36d264

SHA1
563d0ec82bab1b8690b75097185ca30a67883ce1

SHA256
ae681adf001afbfad89450f36d624a3e2edac18aa681fb7e1a4ac35593668bc1

SHA512
1fc928db483f36786aebc73135406e60994ef3e63c31e85288f1d8ae6c2c79cf3bf12d24590021d65a7a88a7776e3eb135bd6a15e76ed98c2ef8e46b1d1d67bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
d344137ed9cc27a29b9e3625102ad32a

SHA1
ca6f78aaeea69efa1f143c664346e3839a541c9a

SHA256
89e51c1cceb684812b9d4b03d5e96ee1223c60528a873aacb95210671a263057

SHA512
37cc5e6ae8619cbfa893ea1dc136c3e6722079f77a0f71f0e729a7d41948075721a8324016563187c4f2b77441b43214eb13abaf388c52a23fc4ffe8c35703ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2a8f15de4099ac3f6a778b5d5c7ad128

SHA1
944b696a6c1360ee8a6e47db4f979aeea3fe3c59

SHA256
ff50432034a5b015601d026c8c7d75d89e19eb19aed3cedcbf85feafa378a01a

SHA512
2a1db822b514173cf255c37b090307366938a0de9b3c949aa03f3378dad0cf22e829609ab18e26e7e5bc3269260056cd4d9986ab02b188a05c73d2a120cb2b1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
149KB

MD5
833ba57504064bfd5fc27e49ef5b1ccd

SHA1
d5806996122aac86320db7263934146a78dea581

SHA256
a75d12393ddac54f10749785a821397818eb2d263e211d8e1e0d74b18300ca76

SHA512
635e208743498f9219b2cb479f0651745396682325f4b11c25f51de9b49de0375ad91847f02cc1b6cdcd09ac033d1dbf95a6cc0ad29617fc084a490fd2cf9143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp
Filesize
146KB

MD5
07a5f132e7daafd5e095c7939735d7e8

SHA1
ce41074133aa147f4fe72ebd540fc226a677b282

SHA256
b2f6756434d8211aee6f4c121ab8752d66f6d836d54bdd30fbbb5097c7f93115

SHA512
98e91444bd7d8a2781f0fefadb381437334589c638f36214332a928c900a91bdd369aa93c54a830430207a1a327603bc15e876cf4ad6a084da5f83d3c41c5f4e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\cache2\entries\994997A6C561836B929FD01C572B1EAD168BF087
Filesize
796KB

MD5
02364861a7e282c8f654b76ae84c8b9c

SHA1
95c1e14975ca0e7d2d65d30deb270fe6a7125b12

SHA256
69fc62c9abf778dfbb8c8eaa0a9d832d8260d1d2bd2ac284110491428ea57853

SHA512
ec9b286deb367731aab39e93d7f1d2653892d20b188b37f5ae5f8033cdddb6fd20a8a2bd4134f96f5487934305f8b254addc71bae91984c82001d1d84146a6d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js
Filesize
6KB

MD5
fc03769491e92557713bff75b3dcae44

SHA1
a4f4687575dba8a950a014c93d8f9f086a2b68d6

SHA256
3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

SHA512
8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
7f8ff1840b280574f614ca8b879672af

SHA1
7d591f9b20d1bb7f03103e0986c22dfcea6ddb34

SHA256
48114b8bbcf40b87fcae3b72c11597fcda5a97b577633753e68e259b3da0e7a3

SHA512
89091d71b07d11bdff419cfc8b23cc90ce3466c9d2cffb89ccab19d0d7276c95198889aa90393a1569c685ac8e162e5c1dba7149edce842b9d00096302fae139

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
8cfd506e91b2b0e3c5bc778ebe5746a2

SHA1
68fc435330ecac22ff54aefa24f721ccec31f6e6

SHA256
8ce795ff7e2d7d0b2206cd41d0dac0fd020afd44650d61bda71a85a3c581bfc9

SHA512
072bec48c8b6fae891bdf3e604e0dfca7bb29c82a15c52c7f38f414f7a4baeedbfdb6a4074eeaf1d3bc895768bea31e8f87a47311340254cc6f948ced1e57dce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
2868ade33b3fc157edc3d0e6b6b88d96

SHA1
2fbc5d21e4b5b51b85aa242c5f1094b78b42f06f

SHA256
463716a72dce3b7c34a12818ca051fc044627890946b4437b6998bcc24a20534

SHA512
0756622f5ab9deb31b5cb909c570b236b58fd594d9ff52b92a670761f1b447a1f15f9032a50dce0bbd9b176a761fe7a5f2095938c1642bfe04b93ba83147ee0d

Download Submit
\??\pipe\crashpad_404_DOCBVTISPHUNDNYA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit