e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CryptoTab Browser = "C:\\Program Files\\CryptoTab Browser\\Application\\browser.exe"	setup.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\ = "CryptoTab Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\StubPath = "\"C:\\Program Files\\CryptoTab Browser\\Application\\125.0.6422.113\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\Localized Name = "CryptoTab Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}	setup.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	browser.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\BN	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\AZ	browser.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\Locales\sw.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\UA	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\MW	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\MF	browser.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\Locales\hr.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\NR	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\LU	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\LC	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\CV	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\CR	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\BG	browser.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\vk_swiftshader_icd.json	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File opened for modification	C:\Program Files\CryptoTab Browser\Application\browser.exe	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\NL	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\ID	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\CW	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\AU	browser.exe
File created	C:\Program Files\CryptoTab Browser\Application\125.0.6422.113\Installer\setup.exe	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\ZM	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\VC	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\PT	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\NC	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\KR	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\IN	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\CH	browser.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\Locales\bg.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1759095678\manifest.json	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\TD	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\GG	browser.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\chrome_wer.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\Locales\ko.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\MX	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\JE	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\CA	browser.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\Locales\th.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Application\chrome_proxy.exe	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1313855754\manifest.json	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\PW	browser.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\libGLESv2.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\YT	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\TV	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\TG	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\KG	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\GF	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\EG	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\DE	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\BO	browser.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\Locales\sv.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\MA	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\LS	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\LI	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\KH	browser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2940_1334688439\BH	browser.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\125.0.6422.77.manifest	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\chrome.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\eventlog_provider.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source2988_937098720\Chrome-bin\125.0.6422.113\Locales\en-GB.pak	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Executes dropped EXE 58 IoCs

pid	Process
1908	ctu6D95.tmp
2988	setup.exe
4876	setup.exe
2288	setup.exe
2672	setup.exe
1048	browser.exe
3596	browser.exe
4328	browser.exe
3444	browser.exe
2772	browser.exe
2920	browser.exe
4432	browser.exe
4704	browser.exe
3088	browser.exe
1036	browser.exe
5084	chrmstp.exe
1284	chrmstp.exe
2740	chrmstp.exe
4784	chrmstp.exe
1264	CryptoTabUpdater.exe
3120	browser.exe
2940	browser.exe
1136	browser.exe
4584	browser.exe
3644	browser.exe
4268	browser.exe
4548	browser.exe
4132	browser.exe
3236	browser.exe
204	browser.exe
4932	browser.exe
2792	browser.exe
2272	browser.exe
5040	browser.exe
652	browser.exe
1304	browser.exe
64	browser.exe
4452	browser.exe
688	browser.exe
3692	browser.exe
4988	browser.exe
4564	browser.exe
4752	browser.exe
2488	browser.exe
1036	browser.exe
3524	browser.exe
648	browser.exe
2628	browser.exe
6020	browser.exe
5716	browser.exe
5988	browser.exe
1832	browser.exe
9340	browser.exe
9988	browser.exe
2860	browser.exe
4932	browser.exe
1948	browser.exe
1068	browser.exe

Loads dropped DLL 64 IoCs

pid	Process
1048	browser.exe
3596	browser.exe
1048	browser.exe
4328	browser.exe
2772	browser.exe
3444	browser.exe
2920	browser.exe
4432	browser.exe
4704	browser.exe
3088	browser.exe
1036	browser.exe
3120	browser.exe
2940	browser.exe
1136	browser.exe
2940	browser.exe
4584	browser.exe
3644	browser.exe
4584	browser.exe
3644	browser.exe
4268	browser.exe
4268	browser.exe
4268	browser.exe
4268	browser.exe
4268	browser.exe
4268	browser.exe
4268	browser.exe
4268	browser.exe
4548	browser.exe
4548	browser.exe
4132	browser.exe
4132	browser.exe
3236	browser.exe
3236	browser.exe
204	browser.exe
204	browser.exe
4932	browser.exe
4932	browser.exe
2792	browser.exe
2792	browser.exe
2272	browser.exe
2272	browser.exe
5040	browser.exe
5040	browser.exe
652	browser.exe
652	browser.exe
1304	browser.exe
1304	browser.exe
64	browser.exe
64	browser.exe
4452	browser.exe
4452	browser.exe
688	browser.exe
688	browser.exe
3692	browser.exe
3692	browser.exe
4988	browser.exe
4564	browser.exe
4564	browser.exe
4988	browser.exe
4752	browser.exe
4752	browser.exe
2488	browser.exe
2488	browser.exe
1036	browser.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	browser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	browser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	browser.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	browser.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642451262349684"	browser.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\TypeLib\Version = "1.0"	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromiumHTM\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\FLAGS	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\ = "IProcessLauncher"	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\0	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\Application\ApplicationIcon = "C:\\Program Files\\CryptoTab Browser\\Application\\browser.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6F2834-1FAD-4CCD-BD5E-3510C46A91E7}\LocalServer32	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ServerExecutable = "C:\\Program Files\\CryptoTab Browser\\Application\\125.0.6422.113\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\ProxyStubClsid32	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\shell\open\command\ = "\"C:\\Program Files\\CryptoTab Browser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\Application\AppUserModelId = "CryptoTab Browser"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromiumHTM\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}\AppID = "{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\ChromiumHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\ = "Interface {B88C45B9-8825-4629-B83E-77CC67D9CEED}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\HELPDIR	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\TypeLib\ = "{B88C45B9-8825-4629-B83E-77CC67D9CEED}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0\win64	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgIds\ChromiumHTM	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\0\win32	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\ = "Interface {B88C45B9-8825-4629-B83E-77CC67D9CEED}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\ChromiumHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\0\win32\ = "C:\\Program Files\\CryptoTab Browser\\Application\\CryptoTabUpdater.exe"	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6F2834-1FAD-4CCD-BD5E-3510C46A91E7}\ = "CryptoTab Browser Updater"	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\URL Protocol	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\AppUserModelId = "CryptoTab Browser"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromiumHTM\Application	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\DefaultIcon\ = "C:\\Program Files\\CryptoTab Browser\\Application\\browser.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\Application\ApplicationName = "CryptoTab Browser"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6F2834-1FAD-4CCD-BD5E-3510C46A91E7}\LocalServer32\ = "C:\\Program Files\\CryptoTab Browser\\Application\\CryptoTabUpdater.exe"	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\TypeLib\ = "{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}"	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\ = "Chromium HTML Document"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\ProxyStubClsid32	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\shell\open\command\ = "\"C:\\Program Files\\CryptoTab Browser\\Application\\browser.exe\" \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\Application\ApplicationCompany = "The CryptoTab Browser Authors"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\ChromiumHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}	CryptoTabUpdater.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	CTBrowserSetup_tb24gG2Gfb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CTBrowserSetup_tb24gG2Gfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	CTBrowserSetup_tb24gG2Gfb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	CTBrowserSetup_tb24gG2Gfb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	CTBrowserSetup_tb24gG2Gfb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CTBrowserSetup_tb24gG2Gfb.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1048	browser.exe
1048	browser.exe
2940	browser.exe
2940	browser.exe
9340	browser.exe
9340	browser.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1908	ctu6D95.tmp
Token: SeIncBasePriorityPrivilege	1908	ctu6D95.tmp
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe
Token: SeShutdownPrivilege	1048	browser.exe
Token: SeCreatePagefilePrivilege	1048	browser.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
1048	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
2940	browser.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe
9796	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1296	CTBrowserSetup_tb24gG2Gfb.exe
1264	CryptoTabUpdater.exe
1048	browser.exe
1048	browser.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1908	1296	CTBrowserSetup_tb24gG2Gfb.exe	74
PID 1296 wrote to memory of 1908	1296	CTBrowserSetup_tb24gG2Gfb.exe	74
PID 1908 wrote to memory of 2988	1908	ctu6D95.tmp	75
PID 1908 wrote to memory of 2988	1908	ctu6D95.tmp	75
PID 2988 wrote to memory of 4876	2988	setup.exe	76
PID 2988 wrote to memory of 4876	2988	setup.exe	76
PID 2988 wrote to memory of 2288	2988	setup.exe	77
PID 2988 wrote to memory of 2288	2988	setup.exe	77
PID 2288 wrote to memory of 2672	2288	setup.exe	78
PID 2288 wrote to memory of 2672	2288	setup.exe	78
PID 2988 wrote to memory of 1048	2988	setup.exe	80
PID 2988 wrote to memory of 1048	2988	setup.exe	80
PID 1048 wrote to memory of 3596	1048	browser.exe	81
PID 1048 wrote to memory of 3596	1048	browser.exe	81
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 4328	1048	browser.exe	82
PID 1048 wrote to memory of 3444	1048	browser.exe	83
PID 1048 wrote to memory of 3444	1048	browser.exe	83
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84
PID 1048 wrote to memory of 2772	1048	browser.exe	84

C:\Users\Admin\AppData\Local\Temp\CTBrowserSetup_tb24gG2Gfb.exe
"C:\Users\Admin\AppData\Local\Temp\CTBrowserSetup_tb24gG2Gfb.exe"
1⤵
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Users\Admin\AppData\Local\Temp\ctu6D95.tmp
  "C:\Users\Admin\AppData\Local\Temp\ctu6D95.tmp" --verbose-logging --system-level --enable-autorun
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\CR_91A21.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\CR_91A21.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\CR_91A21.tmp\CHROME.PACKED.7Z" --verbose-logging --system-level --enable-autorun
    3⤵
    - Adds Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\CR_91A21.tmp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\CR_91A21.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --annotation=plat=Win64 "--annotation=prod=CryptoTab Browser" --annotation=ver=125.0.6422.113 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ff64f2249c0,0x7ff64f2249cc,0x7ff64f2249d8
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\CR_91A21.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\CR_91A21.tmp\setup.exe" --system-level --verbose-logging --create-shortcuts=0 --install-level=1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\CR_91A21.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\CR_91A21.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --annotation=plat=Win64 "--annotation=prod=CryptoTab Browser" --annotation=ver=125.0.6422.113 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff64f2249c0,0x7ff64f2249cc,0x7ff64f2249d8
        5⤵
        Executes dropped EXE
        
        PID:2672
  - - C:\Program Files\CryptoTab Browser\Application\browser.exe
      "C:\Program Files\CryptoTab Browser\Application\browser.exe" --from-installer
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Program Files\CryptoTab Browser\Application\browser.exe
        
        "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\CryptoTab Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\CryptoTab Browser\User Data\Crashpad" --annotation=plat=Win64 "--annotation=prod=CryptoTab Browser" --annotation=ver=125.0.6422.113 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7ffd42d3fbf0,0x7ffd42d3fbfc,0x7ffd42d3fc08
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3596
    - - C:\Program Files\CryptoTab Browser\Application\browser.exe
        
        "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=gpu-process --no-pre-read-main-dll --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --metrics-shmem-handle=1592,i,5027790120090668135,9637922867493507196,262144 --field-trial-handle=2152,i,13836880558302914178,13031781531085800683,262144 --variations-seed-version --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4328
    - - C:\Program Files\CryptoTab Browser\Application\browser.exe
        
        "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --start-stack-profiler --metrics-shmem-handle=1640,i,567889977849095827,9605265121552706529,524288 --field-trial-handle=2284,i,13836880558302914178,13031781531085800683,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3444
    - - C:\Program Files\CryptoTab Browser\Application\browser.exe
        
        "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-pre-read-main-dll --metrics-shmem-handle=1888,i,450133542632821513,1032227040199314803,524288 --field-trial-handle=2300,i,13836880558302914178,13031781531085800683,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2772
    - - C:\Program Files\CryptoTab Browser\Application\browser.exe
        
        "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --metrics-shmem-handle=3132,i,4143961855352258402,8789002980037024309,2097152 --field-trial-handle=3184,i,13836880558302914178,13031781531085800683,262144 --variations-seed-version --mojo-platform-channel-handle=3180 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2920
    - - C:\Program Files\CryptoTab Browser\Application\browser.exe
        
        "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --metrics-shmem-handle=3140,i,17686245413404700920,9583443992440301596,2097152 --field-trial-handle=3348,i,13836880558302914178,13031781531085800683,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4432
    - - C:\Program Files\CryptoTab Browser\Application\browser.exe
        
        "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --metrics-shmem-handle=3636,i,13622748183509867400,14819184326056695264,2097152 --field-trial-handle=3672,i,13836880558302914178,13031781531085800683,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4704
    - - C:\Program Files\CryptoTab Browser\Application\browser.exe
        
        "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --extension-process --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --metrics-shmem-handle=4432,i,8087354840500423913,16690227311119812312,2097152 --field-trial-handle=4456,i,13836880558302914178,13031781531085800683,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3088
    - - C:\Program Files\CryptoTab Browser\Application\browser.exe
        
        "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --metrics-shmem-handle=4824,i,4946258987799345935,4041050592783898470,524288 --field-trial-handle=4840,i,13836880558302914178,13031781531085800683,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1036
    - - C:\Program Files\CryptoTab Browser\Application\125.0.6422.113\Installer\chrmstp.exe
        
        "C:\Program Files\CryptoTab Browser\Application\125.0.6422.113\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        5⤵
        Executes dropped EXE
        
        PID:5084
      - C:\Program Files\CryptoTab Browser\Application\125.0.6422.113\Installer\chrmstp.exe
        
        "C:\Program Files\CryptoTab Browser\Application\125.0.6422.113\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --annotation=plat=Win64 "--annotation=prod=CryptoTab Browser" --annotation=ver=125.0.6422.113 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7b39d49c0,0x7ff7b39d49cc,0x7ff7b39d49d8
        6⤵
        Executes dropped EXE
        
        PID:1284
      - C:\Program Files\CryptoTab Browser\Application\125.0.6422.113\Installer\chrmstp.exe
        
        "C:\Program Files\CryptoTab Browser\Application\125.0.6422.113\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\CryptoTab Browser\Application\master_preferences" --create-shortcuts=1 --install-level=0
        6⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Program Files\CryptoTab Browser\Application\125.0.6422.113\Installer\chrmstp.exe
        
        "C:\Program Files\CryptoTab Browser\Application\125.0.6422.113\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --annotation=plat=Win64 "--annotation=prod=CryptoTab Browser" --annotation=ver=125.0.6422.113 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7b39d49c0,0x7ff7b39d49cc,0x7ff7b39d49d8
        7⤵
        Executes dropped EXE
        
        PID:4784
    - - C:\Program Files\CryptoTab Browser\Application\browser.exe
        
        "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --metrics-shmem-handle=3244,i,8668767860804552063,12707289478560471734,2097152 --field-trial-handle=4316,i,13836880558302914178,13031781531085800683,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3120
- C:\Program Files\CryptoTab Browser\Application\CryptoTabUpdater.exe
  "C:\Program Files\CryptoTab Browser\Application\CryptoTabUpdater.exe" --install
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1264

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:2132

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:3616

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:4240

C:\Program Files\CryptoTab Browser\Application\browser.exe
"C:\Program Files\CryptoTab Browser\Application\browser.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2940
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\CryptoTab Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\CryptoTab Browser\User Data\Crashpad" --annotation=plat=Win64 "--annotation=prod=CryptoTab Browser" --annotation=ver=125.0.6422.113 --initial-client-data=0xe4,0xe8,0xec,0xc0,0xf0,0x7ffd42d3fbf0,0x7ffd42d3fbfc,0x7ffd42d3fc08
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1136
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=gpu-process --no-pre-read-main-dll --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --metrics-shmem-handle=1596,i,11641820040811336626,2450207561333538276,262144 --field-trial-handle=1900,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4268
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --start-stack-profiler --metrics-shmem-handle=1820,i,1609765127132362002,4054201837184523069,524288 --field-trial-handle=2036,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=1936 /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4584
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-pre-read-main-dll --metrics-shmem-handle=2120,i,14066189458332546010,15083234155227656607,524288 --field-trial-handle=2144,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3644
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --metrics-shmem-handle=3088,i,4423644632451852529,254227717059336838,2097152 --field-trial-handle=3100,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4548
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --metrics-shmem-handle=3380,i,15241299104187180815,7653994217253469589,2097152 --field-trial-handle=3404,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4132
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --extension-process --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --metrics-shmem-handle=4180,i,3296844828011852947,6805108795838655351,2097152 --field-trial-handle=4208,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:2
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3236
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --metrics-shmem-handle=4652,i,17293390752494936146,8223493954060779537,2097152 --field-trial-handle=4612,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4932
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=4800,i,8715112883941059662,16464080622055551488,524288 --field-trial-handle=4808,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:204
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=4764,i,3795299696164080697,11377554146155056596,524288 --field-trial-handle=4876,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2792
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=4896,i,17655930822269324925,337478667445579046,524288 --field-trial-handle=4924,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2272
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=4956,i,8781758167909867265,421056202768199184,524288 --field-trial-handle=5200,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5040
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=5360,i,7614631936858732456,15435272909077148478,524288 --field-trial-handle=5376,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:652
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=5404,i,2677888768203331056,15008740548819263497,524288 --field-trial-handle=5608,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1304
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=5512,i,13521466502165340024,3712109605383353143,524288 --field-trial-handle=5208,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:64
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=5504,i,15636880586365718661,14707779616376258734,524288 --field-trial-handle=5604,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4452
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=5692,i,13907259244739829746,3675940569696581748,524288 --field-trial-handle=5624,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:688
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --metrics-shmem-handle=5648,i,18403896203291911963,4770629441648825975,2097152 --field-trial-handle=5644,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3692
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --metrics-shmem-handle=5732,i,12713929238995637304,12351624036107531730,2097152 --field-trial-handle=6100,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4752
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=6048,i,1043281932102250792,8007163026732731309,524288 --field-trial-handle=5812,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4988
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=4584,i,12121285377817697640,14296027246139062528,524288 --field-trial-handle=5456,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4564
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=5364,i,345876847253705880,2416869419349876448,524288 --field-trial-handle=6388,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2488
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=5948,i,17546126695860622242,7899804067353333861,524288 --field-trial-handle=5804,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1036
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=6220,i,1207352170674531617,8957499906690981199,524288 --field-trial-handle=5752,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=6276,i,3421730440700558285,1473933260263891543,524288 --field-trial-handle=6636,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=5792,i,4415346007662158511,5165179756284620518,524288 --field-trial-handle=6612,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=6620,i,1809501632127425718,14498082243540108445,524288 --field-trial-handle=6844,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6020
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=848,i,13153454108804280345,15836267711763491434,524288 --field-trial-handle=4664,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5716
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=3460,i,7460616893834253611,14244365465368426651,524288 --field-trial-handle=3520,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5988
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=4740,i,14039416699150950458,7535252966748101230,524288 --field-trial-handle=4228,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --no-pre-read-main-dll --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --metrics-shmem-handle=4568,i,14512917501957849491,14146526934727073381,262144 --field-trial-handle=3096,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=3068 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:9340
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=188,i,12967520161072107259,3385205506081717434,524288 --field-trial-handle=5400,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=3116 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:9988
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --metrics-shmem-handle=6976,i,1418471058728819047,7301543901620573781,2097152 --field-trial-handle=6768,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2860
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --metrics-shmem-handle=6444,i,2988022929066572917,11242292343551560875,2097152 --field-trial-handle=6200,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1068
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=6800,i,3503804181916204190,11679991985523418948,524288 --field-trial-handle=6176,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Program Files\CryptoTab Browser\Application\browser.exe
  "C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --metrics-shmem-handle=5484,i,1029129426125630533,905050782989798657,524288 --field-trial-handle=5224,i,6493440514968558712,3812033927793382977,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:1948

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:9796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery