hxxps://crt4[.]karcfik[.]bio/1F3EDEC19E16501DB2AFDC94E7A85C3B[.]w11?source=2&email=cmFwaGFlbC5wcm92b29zdEBzZnIuZnI&p=15266

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 16:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://crt4.karcfik.bio/1F3EDEC19E16501DB2AFDC94E7A85C3B.w11?source=2&email=cmFwaGFlbC5wcm92b29zdEBzZnIuZnI&p=15266

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ecdfbd00d7a57c48bc7ad5a1cbcdb01f000000000200000000001066000000010000200000001965349b361bda9ab5e3e6785cd860d00886192995c001a2a9a95b30c4f98975000000000e8000000002000020000000b226252d4ab92ab9d5431699e6d58f8c134ddd307f1051d8f56cdab4bf0cb58b20000000b88ea9c4316cc0b907fbc74b7f68e0db64586d8a3dda2c99fd7eeda42d002d0940000000af644fa72e7f843f67c40f2c0038ddf6eb0a13a07305db26b7ec1e338e60f068d563d8acb37300a6a7015b67706a89f34292c28c5d423106801719306c8e9c09	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "391710613"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D9913D84-FA4F-11ED-8FFF-6A765FEA1DF2} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034972"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d03a7db15c8ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2927966952"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ecdfbd00d7a57c48bc7ad5a1cbcdb01f000000000200000000001066000000010000200000002e7a195a985e6189f6ae7f86809b9b66fb577587115334a0dfab7124ee56a94b000000000e80000000020000200000009277de260836c8d7bfb9cb0b101d5c262b78099db37cc5c7398073f4a99f3b8b20000000f3488603aa8034e4596b583e5ad98d145c1a1ceec096d600c3f7a72ff7b89e8c400000008862e68a3155eacf608eaf8f75608b81a3a9a7fc6a1d4ac4fb1920119d69f69f17084509af4e1d62cf315ae09196bab720a42e63879ccf43f1b03d272671f685	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034972"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2939162077"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2927944725"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 901669b15c8ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034972"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5780	chrome.exe
5780	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5780	chrome.exe
5780	chrome.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	firefox.exe
Token: SeDebugPrivilege	2928	firefox.exe
Token: SeShutdownPrivilege	5780	chrome.exe
Token: SeCreatePagefilePrivilege	5780	chrome.exe
Token: SeShutdownPrivilege	5780	chrome.exe
Token: SeCreatePagefilePrivilege	5780	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1384	iexplore.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1384	iexplore.exe
1384	iexplore.exe
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1764	1384	iexplore.exe	85
PID 1384 wrote to memory of 1764	1384	iexplore.exe	85
PID 1384 wrote to memory of 1764	1384	iexplore.exe	85
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 4424 wrote to memory of 2928	4424	firefox.exe	88
PID 2928 wrote to memory of 4236	2928	firefox.exe	89
PID 2928 wrote to memory of 4236	2928	firefox.exe	89
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90
PID 2928 wrote to memory of 1324	2928	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://crt4.karcfik.bio/1F3EDEC19E16501DB2AFDC94E7A85C3B.w11?source=2&email=cmFwaGFlbC5wcm92b29zdEBzZnIuZnI&p=15266
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1384 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.0.1734722880\1187721991" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cb781d5-a7d8-4fef-90e7-f723e4a875e9} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 1932 29013bec258 gpu
    3⤵
    PID:4236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.1.812060911\1831465480" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2288 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f117b97-e93d-42d5-a72d-b57d4a7aa69a} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 2332 29006c6fb58 socket
    3⤵
    PID:1324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.2.51423263\1510671939" -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 2864 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1d9d873-4920-4f90-b038-2c855322def4} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 3096 290178e7b58 tab
    3⤵
    PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.3.1867958397\353183142" -childID 2 -isForBrowser -prefsHandle 2468 -prefMapHandle 1456 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e29bb733-79a9-49f2-9207-f9c655ef92fe} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 2472 29016590958 tab
    3⤵
    PID:1888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.4.361202232\312701748" -childID 3 -isForBrowser -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e13c191-78ca-4069-9192-24bc2870b3ee} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 4188 29018d49258 tab
    3⤵
    PID:3020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.5.1113965045\832148392" -childID 4 -isForBrowser -prefsHandle 5028 -prefMapHandle 5012 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36b56599-2e8d-4059-9736-d0cb2854242d} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 4944 29019b80858 tab
    3⤵
    PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.6.165584205\66800129" -childID 5 -isForBrowser -prefsHandle 5040 -prefMapHandle 5036 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23c0a8e0-197a-491a-8273-7967901aaf3a} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 5052 2901a04b258 tab
    3⤵
    PID:1092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.7.2144556183\1475882565" -childID 6 -isForBrowser -prefsHandle 4976 -prefMapHandle 5052 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d22097f7-4bda-4886-a457-fa2b0c7c6efe} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 5200 2901a048258 tab
    3⤵
    PID:3144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.8.187443085\33614560" -childID 7 -isForBrowser -prefsHandle 4700 -prefMapHandle 4340 -prefsLen 26832 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e841a626-aa38-4f30-84e6-6ee50f92bdac} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 3524 29006c6fe58 tab
    3⤵
    PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc392d9758,0x7ffc392d9768,0x7ffc392d9778
  2⤵
  PID:5792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1840,i,11861155023468594445,2548855125452933126,131072 /prefetch:2
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1840,i,11861155023468594445,2548855125452933126,131072 /prefetch:8
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1840,i,11861155023468594445,2548855125452933126,131072 /prefetch:8
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3240 --field-trial-handle=1840,i,11861155023468594445,2548855125452933126,131072 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3268 --field-trial-handle=1840,i,11861155023468594445,2548855125452933126,131072 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4580 --field-trial-handle=1840,i,11861155023468594445,2548855125452933126,131072 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1840,i,11861155023468594445,2548855125452933126,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1840,i,11861155023468594445,2548855125452933126,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4880 --field-trial-handle=1840,i,11861155023468594445,2548855125452933126,131072 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1840,i,11861155023468594445,2548855125452933126,131072 /prefetch:8
  2⤵
  PID:5476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
3fbb8ee33354096d9f116c557a402d14

SHA1
f75756c42d45d1047eb04fa54bd7702f5560df4b

SHA256
13e2696561dd0955e1d61f7e18166c8bd7a02faf1dbfe04e738b5d68cc2ca57e

SHA512
cc21e56f9278282b3c15964b5618d42bdfda83b245d7bf01d12550aabd69a9747d1deaa5a9a9830e6d6a47465f580e21e0a7621cf992b56244ad4bee8779c338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
2169333d407bb3622d5c7b62b772ffc3

SHA1
db5cff01228ff0d533f55ed8987b70f4ddf00b06

SHA256
dc8e8f02e2fa4396ee2afe4be518bce97b26af67dc53f8a0afb017dfb924618e

SHA512
f83bc623e6cd1fb5927e4627d53ef0881b3e0433f825f197d7db85740241552dc00668265c75519c2dd3e35240f7175525241e8aac6598bdf10cae6bdc6c1b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
150KB

MD5
ef30d22086989d283d60502190eaefca

SHA1
0eca6cd5f70e3adac3db6ee99f085f48d996e016

SHA256
71a9db54fdc29ffb4fb8352bbe5bc53dc3099e7b07dac813b598343ef9c818e7

SHA512
b9be85226265ce88dbc8a50d931d71ec71192f4cb3283782b7a84f73fb5237202c3e765f32b82f94cefd4b3cc6fbd0261eabc44abde12585f01fe7cc641ffdb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
540d5eb88dac503b49d35fd3219e5b39

SHA1
7dd3c235da19955513f79754f7eb0c0ca4d9398f

SHA256
c8a49722d394adcd57fe0f0e94ed3a4499cfcfb772b082b8fdb6654362af7591

SHA512
7b4adc774c7867987e20ffef4c8f06429a58278e0bcfdb0b382f7d08685c430d43a16fb6a65caebd802d70d024ae98258eea46d0dcaaf56267ff1992a5a4a1a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
a684a615c304b7746690ba32c010e9de

SHA1
f9aed95565736d2fa6ae9ff007a59a6d784d0203

SHA256
1e80f375a0d13a0e0e7cbcdf5091cb323149b12bcc8e716dcc750abad4934d62

SHA512
d6c7cdf94904597070deffaac4cade31cee23803793f4ff27a934e9ed34dc0776f9e894e3b3f046b02f1fa39adf815a7f4f92c812b59d248ed5661cc05247d5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
7KB

MD5
95684a209ebf3db985382c02c23ad20f

SHA1
a9a5d99c0389db865dd0b8ae8c790165d411818d

SHA256
c86b1cb6e5ac9d57457e1cbff91e6d715689324a04b89cf7df58aa8812e9b986

SHA512
861aeb5048a5fb2d0f69c38aff896c61557900c6963738a7f6c8692af0d95a14e750717e65e702989581d0240c2a54e609f5072940a4ce4985df362c4de705e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
7KB

MD5
6cb79b26ca10b7f106d60a7c53da1a8c

SHA1
0695f8be7ddc54d94772bce1409dc2782cb95a85

SHA256
482e46f462f1b1facd5f1950a306e44d31b7de758fd21f2929875e5ca27efd89

SHA512
56ad3b4293acb9f1a78dca4f88c4e5b74b03a541fc577e2b61a8f755423f6a04708814b52eecb3b155324da4ad19e444d563f2b4c9f657ef49e45aebe1b2daa5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
e4ef49e526eaff60b0f82e26bd165a3d

SHA1
0a41b2184a3cf015e7c766fe4f56999891c82a7a

SHA256
d6eb3929555b6cbea447718641c8e8b7dd515c077cfd3f7a3fb392a6e6b0b47d

SHA512
d0b782301369d2cc73e446bc69e6d6d0ac8bc6231989e0ff8f5bdd8e521e435d7af60c50426c367ca5ea4ec8e9b6e6da67d5a5af1e8fb05fd72df5c72ee15a2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js

Filesize
6KB

MD5
f73e52d124620d05267ba934f3b312d3

SHA1
34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

SHA256
fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

SHA512
4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
bc3e7e54c64c2b24b41c87b096f89930

SHA1
c0d1f58b2ca0647b8e8c9fc48d53b8fc03ef29c4

SHA256
3400961bbc1aea0c324aab08c5d18d61d58d2c467b09ebd1fe259b44a2aec428

SHA512
5d97fe7fff52dd6b947dea995be979e4f8e41fd4fa73914c19746770769a0d29875de29c7b19d6b45fae9f72d07adf9b2c8b344b588a08379de6436768348820

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1e25bc32c9495cf36cc96f3cceb2753f

SHA1
ef1f14d1a065161afc315eb5e252f997eebe1acb

SHA256
6d2bf89ec3a7a626936c750d4b000b894475ae3c9d3069a438adbe0b65b66b72

SHA512
99b0725b7c28b13ec2a465deac6c4b207652207e09d7caba67dc01a9151fb46616b174c892b4494cab6475fe10bf7e344f0f2ae058ac183298fa92c21e49ba49

Download Submit