hxxps://linkedin[.]com/slink?code=eqmxyGVm#am9obkBmYmNlbnRyYWxvaGlvLmNvbQ==

Analysis

max time kernel
84s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2023 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://linkedin.com/slink?code=eqmxyGVm#am9obkBmYmNlbnRyYWxvaGlvLmNvbQ==

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133353928899131753"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4664	msedge.exe
4664	msedge.exe
2172	msedge.exe
2172	msedge.exe
3700	identity_helper.exe
3700	identity_helper.exe
2088	chrome.exe
2088	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	firefox.exe
Token: SeDebugPrivilege	4368	firefox.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
4368	firefox.exe
4368	firefox.exe
4368	firefox.exe
4368	firefox.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
4368	firefox.exe
4368	firefox.exe
4368	firefox.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4368	firefox.exe
4368	firefox.exe
4368	firefox.exe
4368	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3664	2172	msedge.exe	26
PID 2172 wrote to memory of 3664	2172	msedge.exe	26
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 3008	2172	msedge.exe	87
PID 2172 wrote to memory of 4664	2172	msedge.exe	86
PID 2172 wrote to memory of 4664	2172	msedge.exe	86
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88
PID 2172 wrote to memory of 116	2172	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://linkedin.com/slink?code=eqmxyGVm#am9obkBmYmNlbnRyYWxvaGlvLmNvbQ==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9fd546f8,0x7fff9fd54708,0x7fff9fd54718
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,10037186295615019684,5963375104484153521,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:4360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5088
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4368.0.684367882\1498502701" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1844 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {009a9717-68d9-4ea5-b974-86e5bfb523c5} 4368 "\\.\pipe\gecko-crash-server-pipe.4368" 1976 265c45da558 gpu
    3⤵
    PID:3440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4368.1.929716603\1813594947" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2352 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ff0d6e4-f277-42ab-bab6-57267503792d} 4368 "\\.\pipe\gecko-crash-server-pipe.4368" 2376 265c4031758 socket
    3⤵
    PID:2760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4368.2.579161334\1383584502" -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 3220 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46fc8a63-12b7-4d7c-9016-521c9b96e843} 4368 "\\.\pipe\gecko-crash-server-pipe.4368" 3236 265c8624258 tab
    3⤵
    PID:5156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4368.3.268505356\968476468" -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d3f6699-77f3-48f4-a216-4a7f8fd7f34b} 4368 "\\.\pipe\gecko-crash-server-pipe.4368" 3716 265c8b7d458 tab
    3⤵
    PID:5264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4368.4.185002529\378740423" -childID 3 -isForBrowser -prefsHandle 4160 -prefMapHandle 4156 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b668959-4986-41a8-adf9-baf4a79e22c4} 4368 "\\.\pipe\gecko-crash-server-pipe.4368" 4172 265c9a29058 tab
    3⤵
    PID:5368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4368.6.1908370889\889393095" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26656 -prefMapSize 232675 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d68929-4721-4c42-bd9c-8c76c304fba3} 4368 "\\.\pipe\gecko-crash-server-pipe.4368" 5208 265caaecc58 tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4368.5.1949072274\1054051973" -childID 4 -isForBrowser -prefsHandle 4888 -prefMapHandle 4608 -prefsLen 26656 -prefMapSize 232675 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62f49411-64cc-4051-b64d-037fd5c32655} 4368 "\\.\pipe\gecko-crash-server-pipe.4368" 1728 265c45da258 tab
    3⤵
    PID:5900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4368.7.1476961223\1373001052" -childID 6 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 26656 -prefMapSize 232675 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {318642d2-a84d-45b5-9174-71f5f934720e} 4368 "\\.\pipe\gecko-crash-server-pipe.4368" 5476 265caec8158 tab
    3⤵
    PID:5940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4368.8.1766042007\446123845" -childID 7 -isForBrowser -prefsHandle 5868 -prefMapHandle 5864 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10d77816-9c74-4c12-a718-34eb388b9fee} 4368 "\\.\pipe\gecko-crash-server-pipe.4368" 5876 265cc5f9858 tab
    3⤵
    PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff8fe99758,0x7fff8fe99768,0x7fff8fe99778
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:8
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:2
  2⤵
  PID:5656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:8
  2⤵
  PID:6188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4796 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:1
  2⤵
  PID:6224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:8
  2⤵
  PID:6292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:8
  2⤵
  PID:6388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5212 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:8
  2⤵
  PID:6396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5168 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:1
  2⤵
  PID:6576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3188 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:8
  2⤵
  PID:6768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 --field-trial-handle=1972,i,7781903764406896839,7903472847815344545,131072 /prefetch:8
  2⤵
  PID:6888

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
965ba532807d930398d76040c9f530de

SHA1
fbb70c53e527f46545492232292835c73c3e6ef0

SHA256
ad93238bf5f08d5e1e266a01ff0093cf6ac658419cddb294d708f3f55bc64834

SHA512
ace9430b9e85f7000b9709383990c1788ba23954fe2651af5fcc657eafc64386aef3191cece4c2fa4ff259b4c394ec771f26899001a71c7433ddad285bf2bacd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f0907bfd7c790c64347c23ce49e922ad

SHA1
1590c65c6b3f0197a41db908cb0f38d58e9db663

SHA256
440ea873cc941a0f7860dbe5eac3ddb35f08f8e93b121410c24451238a53a160

SHA512
6d40ebf389730b3fbbbc822ad87baad34833a1a9a5a229d3eb8fb2d85a49834f181cedecff9de31592c48aea3dc3b4ebebca23c1ae0e663d14d59d94502e194b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
77180ede6cc2eac15ba802bb36283e09

SHA1
43a142a7f82bfe7210f9b859e4d62835595a4fcc

SHA256
da8aee5777e4bd654be6bad6a1488274e520fdf313faa0f75ff9a0bc5eed3f90

SHA512
7a329dcb1436f3d26a03ce5eae2a2ea9e7115552d132d5da88cdcd0168da3d4eba618baacd850ff5bf0ac50861bc914df747d22c17cbe50869260f7ad681b129

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b950ebe404eda736e529f1b0a975e8db

SHA1
4d2c020f1aa70e2bcb666a2dd144d1f3588430b8

SHA256
bcc60276d7110e8d002f24d66ebb043c5761e2a4b6ae7854983cef4beacd9bf4

SHA512
6ba228e5b6464c9602db81de8e1189302d0b2aed78a8b06248ccd9f095ede8621fc9d0faed0a7d079b8c7f4d1164b2895c4d0ef99c93cb95bbe210033e40295a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
540B

MD5
04effa801f08a7fec0a8d501f3783445

SHA1
ece303ba3244a806d0e980c25fbd6f0ca0b4a38c

SHA256
0aecc4cab169324a5c188b6c3dbafb808eff60b09d268502fd21b1d0df6db911

SHA512
1ab41d75cd013658ddc29ff5ddd9d8d65a6e78c1c8b47ff135f209e5bef282eda2c561cf862e6adbab2877a4048bd384e1d517b68793d01a66add09ffd029226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6d70e51fb2b7d20039bedc703a4bc735

SHA1
445f6a6d3f9edec05d042a28b1190c28a9db8549

SHA256
52ad5df643040547e594875777903c2bbb0e440e5c3ca2b868a9e0746fb07aa1

SHA512
c89fb7d8833963e30e96ea5696091291049e5d6ef9b32bc9b476405269309ab3cb9a7f04fbcd084627e8dd0bbcbffb23d78fa93700767f9a39495b4c8b1d6f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
04d59e51ccb8476f889169d21cb74211

SHA1
8961efb78721e3bb0cfa8b81d31128096a6aebec

SHA256
a86a8331430a10dbdb06f9045d3c0648af096fadbd126e5452ebb191f9d92782

SHA512
8d6a368bc6e6f0664a727a9387c46894d25a7ef457542a1bbb7c00d03fc3b086cc4ba1d929e82b32da3152e21455b18eb82a18695b016d67b1001700d1373c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a87ba49dddd7fabe20a657b18271a74

SHA1
2fd78a3a46f674c174bd053fa91b6de5bd2fa7e8

SHA256
ca4f07ffbfdac46acb44c2994d7d0ab91d21c9a1401ba9fe849cb93bac0bf0e0

SHA512
6a7b67eda19f253357f5512d8c536461690a935158ed24cda448c6555c7b22091ff3a1cf19030d36204bef3532ef364454d49e358fe37e25c0c8970720c632ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad7fe89573991ef207f37ff381dd97cf

SHA1
db94796bb3df90b434ae65d142dd90fdcc70e9fe

SHA256
b1772797091a7a9594c0575131263b983907c219ecc2fbc613173bc7a9783dd5

SHA512
b0339e196c3a1e0ea0bec920cd337a7ae14f94a1a57882ebc4c2348640d137ecc983d176f6f21a3b39eb9b111a0e53e5c273e815edd8c475ffa226a8ab65a9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4dcb40c2ef3eb8836d0d06706fed3115

SHA1
d28362422dddc834716bccc9d604c43cdc5d38a5

SHA256
7913ab5be49187fdabe7eee3a6359241dc5da06f4011b74ab6258162bffd2937

SHA512
fb98fd295756b71ab4725d5b7b0660b9b9e3746cebe9eafbf93f0ae6f81dbc8aecead35f5d121c577406f998f5ee816f10e53630fbfd68d373af33c9a2d5c7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ca36933e6dea7aa507a272121b34fdbb

SHA1
3b4741ca0308b345de5ecf6c3565b1dbacb0fb86

SHA256
fd14449eb781c58e6e7196a384caf25cba0c59ebdba3b10f8ca0ecfd0c076b5d

SHA512
5a9b186ecf085765caee97a2910008dda926ce412001042e165184083a52fb5fb70f05ca781cd2f7740ecbd938895c77c5aa0f9eb8d812b92f412f336212720e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
e2a4ffbdef591734f12202809213dc9a

SHA1
3bbd36d1994fffb19ab1461e92728fc0e3d1d631

SHA256
d71104d38764dc114ad37005ded2802c6da676b26aa7e1e2851b87eda6e4ee7c

SHA512
a758a7c7c0f7b4f1a296bed8e9df69962d24da612ad5bac53ed3114224a56ac1381d493e4fa5d2e854924bb6128abb691485ebb20b4753ee71e758b95597f389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
238c50e323fc56a20f94d405b1382754

SHA1
fa35e517672549bee9f3a8c2e9b0f36d09cdddd2

SHA256
ea0ce30eaa297501a88bd90dc21b562c1c342df6f907b555fba71765f516bd7f

SHA512
f61c5e470310226de4b766d3925e896b5e4ccd6bf56d2b37e87398144c3968b15fbe4c2bb33da1eef840a69328cdadc295695d3742a3006c2431f742d6379d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1a308daa5c8d11a99eb3c141a413e888

SHA1
100bf97b09a0290a48b4c8ca095dc02d911c02eb

SHA256
93bd36c0f606a806bd517f0cf071c80039df3bec9193654b494c96c7cb862157

SHA512
dd6ddcc36210010cdea7db36cb34df6f26de627d91341bf185e770556751f55417ff8ca85212d1c290c9031e3882ed8c5a0f09accbc286c331fa54676a5da6a0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vjiou3c0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
163KB

MD5
f33ec8b27ed837269ca61eaac9f7c1f6

SHA1
2f163927d744e78083168a3f18f0e6b2301ebcf9

SHA256
b9eb50e21a55c310c49ff7ddeaeb1cae896b8bb7445ddbb670c3bd452266f8f3

SHA512
7f24050889dbf2650a5198c474cfa87e76271a73c9e7d7d5abc98db3bdee7762e91edce9d752162aab8d03afb4162e64eb0ce963fd6fe05962d06d65d7bf1789

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs-1.js

Filesize
6KB

MD5
a9cbce15303d2651d3c984ea7f7728f9

SHA1
148d3ea8d99a5380978859e4f96586b0b47a9835

SHA256
c37c23b6cbb6f1cc2d05017eddb4133810b67303c77bbedc421d63b2db10131d

SHA512
ce57a2239a6dd7b1b756e535afd399f48bbe83c0e5196399ade27465f48e9ebd61ab8b65d184d530e80acf304c9b2ac1f007d1ac08df8fcfc8818477b2f85bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs-1.js

Filesize
7KB

MD5
4fe417e4040a476506f3afc6ba7b19df

SHA1
edc1a785735c57a932b275c3bc794f378a5ac6b9

SHA256
b9b118a24663ddebf826d5c5c732668014abd9211a048764ff4faa2d1fe3df26

SHA512
0633c22996038eca8ff3d9b41505eb14635f91e4d0a86046bd15678c13e188fc63192dc02cc08acf5a169033659db467601c6821940c9c6e8c0f6129772dcfdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs.js

Filesize
6KB

MD5
f095afb5b928abf7f4accec77a878655

SHA1
4151b144b53650c69181537d52875f8650d30cf4

SHA256
a1d443d36035c6804781549cdea90594e86ad7421d403ccf247a1c1840a7f05f

SHA512
24f73a5fffdf876bb8f512f57f5406f92c3e2bfc985ad6eba8e3c7b5b4cb11e2a6784e4630f42786596869861392329079cc1124129df0db1bf28726ec47860a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f5c688a18614fa5d2363a117534056e7

SHA1
ef5b99bcf7a3d0b5594b8eeffb37adf480227fc1

SHA256
686c1729b47dfc2abec65fb512310ab224417496a91c05a260f9cbeab96dd232

SHA512
586aae822e3bad59d3f41d886167128d88b5d1f0a3208a26110c839caf922b47dce3f36bc95f1b7583e1708c1c8671dea1a104d27766abfd0c50d423d7f96469

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
01c44b6b1213e129895c77f070d832be

SHA1
1bedcf39ce3fcb0b4b5e3dfe7896916605118c95

SHA256
bdf0cf4210372184f7b25611037f72e3530a8f16883f5e44550a53dbe59e8497

SHA512
1e301369ea13dc3684493ebe0a2ccd130aa145ddf39d4e855e068237afddbba3768bac07f5c478f1126c369fd8da7d22e87ae483121946c482e44a2bed82fdfa

Download Submit