hxxps://nt[.]embluemail[.]com/p/cl?data=8d9cg%2BSyaNP%2FaRwH0uUoq0p%2FUOMcKb%2FlnNafQmcO2U7h7k790gBhUSpjU2Cc5aJ%2BJL%2F8Q9Qe0SwNUiD20GnvLai5u9vMEKGwxhAyvrDtC4s%3D%21-%217j6gn%3A%21-%21https%3A%2F%2Fwetllands[.]org%2Fi%2FZXJkZW0uYXlkYXNAcmFib2JhbmsuY29t

General

Target

https://nt.embluemail.com/p/cl?data=8d9cg%2BSyaNP%2FaRwH0uUoq0p%2FUOMcKb%2FlnNafQmcO2U7h7k790gBhUSpjU2Cc5aJ%2BJL%2F8Q9Qe0SwNUiD20GnvLai5u9vMEKGwxhAyvrDtC4s%3D%21-%217j6gn%3A%21-%21https%3A%2F%2Fwetllands.org%2Fi%2FZXJkZW0uYXlkYXNAcmFib2JhbmsuY29t

Score

6^/10

microsoft phishing

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4620 2188 WerFault.exe iexplore.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

pid	pid_target	process	target process
4620	2188	WerFault.exe	iexplore.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3819317849"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0ED33219-42C1-11EC-B34F-F66057313890} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3835255565"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30922445"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c300000000020000000000106600000001000020000000bc69d1cc694da09551f4f08fb5afcfa77518f3c6e463e59b92ca481cabd37968000000000e80000000020000200000004825daca63f1a9f21378389e5016508852295b5590995c757055f0b7da750e2420000000bec6d103437a360f0eaa00997fd4cab644473875f49484b915ee095d4a8dd210400000004901b1d98f814f26b6075823b1b389dc9be853902315169fd8ecca75c62e0bfeca015b233a297169cf77eaa6f126c72671d6ff703ffa113c5347b3ea6b750f18	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "343397320"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3819317849"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30922445"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 101c8cf1cdd6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343380725"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30922445"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c300000000020000000000106600000001000020000000732196d56ee83cdce9f05beec0d9dc2ac0b4b5d1de0b153c4229745a62abc5b4000000000e8000000002000020000000585679795fa59587215524e71db77dedffb2401dcc6920caeb05c7418184fd97200000008c3bdfb2e051b1bd52a0944c1f252d0775ee0ffb509dc82fc006a247048981e64000000057c5680a2dff9ce3ecd2103b1340911b152528c112f09c0307fe7de0671aef13ba97f367e232aeb7f5c5ac6beae1a951df40c1e06aaaa0c354ef72e489afb82a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20f084f1cdd6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "343429311"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009acbbc286be63c4682a409f320de94d7	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe
4620	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 4620 WerFault.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exefirefox.exe

pid process

3556 iexplore.exe
608 firefox.exe
608 firefox.exe
608 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

608 firefox.exe
608 firefox.exe
608 firefox.exe

description	pid	process
Token: SeDebugPrivilege	4620	WerFault.exe

pid	process
608	firefox.exe
608	firefox.exe
608	firefox.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

iexplore.exeIEXPLORE.EXEfirefox.exe

pid	process
3556	iexplore.exe
3556	iexplore.exe
4384	IEXPLORE.EXE
4384	IEXPLORE.EXE
4384	IEXPLORE.EXE
4384	IEXPLORE.EXE
4384	IEXPLORE.EXE
4384	IEXPLORE.EXE
4384	IEXPLORE.EXE
4384	IEXPLORE.EXE
608	firefox.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

iexplore.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3556 wrote to memory of 4384	3556	iexplore.exe	IEXPLORE.EXE
PID 3556 wrote to memory of 4384	3556	iexplore.exe	IEXPLORE.EXE
PID 3556 wrote to memory of 4384	3556	iexplore.exe	IEXPLORE.EXE
PID 3556 wrote to memory of 2188	3556	iexplore.exe	iexplore.exe
PID 3556 wrote to memory of 2188	3556	iexplore.exe	iexplore.exe
PID 64 wrote to memory of 608	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 608	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 608	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 608	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 608	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 608	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 608	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 608	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 608	64	firefox.exe	firefox.exe
PID 608 wrote to memory of 2500	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 2500	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe
PID 608 wrote to memory of 3344	608	firefox.exe	firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://nt.embluemail.com/p/cl?data=8d9cg%2BSyaNP%2FaRwH0uUoq0p%2FUOMcKb%2FlnNafQmcO2U7h7k790gBhUSpjU2Cc5aJ%2BJL%2F8Q9Qe0SwNUiD20GnvLai5u9vMEKGwxhAyvrDtC4s%3D%21-%217j6gn%3A%21-%21https%3A%2F%2Fwetllands.org%2Fi%2FZXJkZW0uYXlkYXNAcmFib2JhbmsuY29t
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3556 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3556 CREDAT:82953 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:2188

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2188 -s 2508
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="608.0.2086475630\1410689435" -parentBuildID 20200403170909 -prefsHandle 1556 -prefMapHandle 1548 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 608 "\\.\pipe\gecko-crash-server-pipe.608" 1632 gpu
3⤵
PID:2500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="608.3.584958744\1240526803" -childID 1 -isForBrowser -prefsHandle 2336 -prefMapHandle 2352 -prefsLen 122 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 608 "\\.\pipe\gecko-crash-server-pipe.608" 2372 tab
3⤵
PID:3344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="608.13.363234966\540176544" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 6979 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 608 "\\.\pipe\gecko-crash-server-pipe.608" 3472 tab
3⤵
PID:2604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5F9ACEAA0635610A452E366DB4EF30F0
MD5
63f7aff352f7689a856c243fa50bb8f7

SHA1
3bebd5d81f50525d3c25d1d3fb89990108631518

SHA256
6698420aaf00d8791b8863b15b0fd8b8f242074577d4f7801533aa7e4ad6bb3c

SHA512
185d9a09e03da9f36b38443c31c6517223369c92a08526390ddd5534363d23f044f8d456e31a3db7ce77befa643130fda390685aa7e77ec007ecd63ec4986d0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
7279549cb9c270108e61e0a461f92996

SHA1
b28d739260cb7b1ae843ac475c0f986ae34e6271

SHA256
d616083e2ac2f75365a601bdf2cb09963b4aabef3e0424da3dd84ace4425b666

SHA512
6bf2a27b2823711c5850657f4bd545de2323aad2a0da3effc6d74f37aae7939443756a53288394337578b8edf34139358092aab63822c7f3abfe187cf02499d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
7d5bbb331f48cac883e5cffef3cfbca3

SHA1
2b066d3addc699cfc0e6247cdcb311badd472fa8

SHA256
91152b7f5bc5475acf0fbb93af1471e975ca35c45ff73e8728d704c85e0abbe3

SHA512
0a919651bb33e3cebb1ffdc3166b954b15361039de0f768c7f9bd4d0d3fb3ad170feb1858c8937903f303f8ed418aa42ac5a56ef74be53b2ba964debd3316f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5F9ACEAA0635610A452E366DB4EF30F0
MD5
915eda8a61548dc83c40e0336af518c9

SHA1
30def6389287b9cabf9118a704ea388072bdfc56

SHA256
4ae0518a232b60cff8990d169b13e549fd27b423825eeba2014eb4ca50a1a218

SHA512
702fb149e5be045e96a60f0935ff12d655d2e72ff55e91a6d5961c6963df478a614b8a02310d49b6077b06ea586d67b4bf5673591ee21f3f0809ad3120ca7310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
29e9956027d93d0a7259a75d58a54f58

SHA1
146ee1abf20c2800c8143bd42f6ea2d175a97d14

SHA256
2e0af1c0436d0ab9cda12f5b2c490676ff61f7a7e20d9e42f91c41a9dcc7c0fd

SHA512
c24ebe32ce6367baa77a20a377c8c8987e39ab1ffa0e68b2e091439c1e5e6bb987afd9a37958436b0987bf21897f339eb410421417c85b92fd48d1e4a48c0b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\6NPUC6CA.cookie
MD5
9c2b0786d45693a508c4bcd7e9f2ee1c

SHA1
9f9f8295a8ec3b824a65aaa8a2cf9bbf2455c503

SHA256
5c241bc28d6761309fe23e3a64fbc6cfc0ecf52f4ef905e3e24225e00ef3620c

SHA512
f0159789360c074fbc477935c07b6d5ae382a72b08268ff0abf97057d1799e6a1b16950a2edc4d195c5432029b44709ddf9daa917af9b1d9c17e196396780086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JMSDJHX5.cookie
MD5
00b2433df59aca91eb10d8a8e647fe0e

SHA1
2fede95cba628cd3bf284d82ed20d2fb0d0f0015

SHA256
74211a9a1100ff7d6c473afb97a5ecf75bc057f02c4c23984dd211b3f5e71fd4

SHA512
dad10cc1ac031c7baf15e91413bb2bdc7eda613d58aebd5b0a42b55783afce1527caa8d999c7a7d1b943204dd3421a1cd5329dd8bd436be27532a666592929b3

Download Submit
memory/2188-193-0x0000000000000000-mapping.dmp

Download
memory/3556-147-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-153-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-126-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-127-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-130-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-128-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-131-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-132-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-134-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-136-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-137-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-138-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-139-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-140-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-141-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-144-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-145-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-124-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-148-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-150-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-152-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-125-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-154-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-158-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-159-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-160-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-166-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-167-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-168-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-169-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-170-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-171-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-172-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-176-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-178-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-182-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-181-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-123-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-122-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-120-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-119-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/3556-118-0x00007FFAAFFE0000-0x00007FFAB004B000-memory.dmp

Filesize
428KB

Download
memory/4384-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads