hxxps://wa[.]me/639263247921

Analysis

max time kernel
146s
max time network
150s
platform
windows10_x64
resource
win10-en-20211104
submitted
22-11-2021 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wa.me/639263247921

Score

5^/10

whatsapp phishing

Malware Config

Signatures

Detected potential entity reuse from brand whatsapp.
phishing whatsapp

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\whatsapp.com\Total = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "103036741"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\whatsapp.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\whatsapp.com\Total = "27"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3112FF61-4E49-11EC-B34F-4EA15105BFBE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.whatsapp.com\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0d78e1b56e2d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.whatsapp.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30925398"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.whatsapp.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "344665257"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "103036741"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "344648661"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "111450212"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\whatsapp.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.whatsapp.com\ = "27"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30925398"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "344697248"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "27"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30925398"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c3000000000200000000001066000000010000200000008c6fcb68698cee68c0f12c994a46ba578c9863405f59b9f475240390b2d941ed000000000e80000000020000200000004d73e12f234d7d184ac65df42796a05449611280010efffd37a2293da00befaf2000000097a66017ceead8c60ea0039ebf2163c32adfbacd130c5ccd916b2600727bf2d04000000060a74fd790426e0674943d2c3019cf7eb12014b50cc89f0d05f6cfb6e89addd5c5a0f8930670242f1b55a7a6db563f6be25efe9166aa58fa70a1549988474334	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies registry class 2 IoCs

Processes:

iexplore.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

iexplore.exe

pid process

3064 iexplore.exe
3064 iexplore.exe
3064 iexplore.exe
3064 iexplore.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

2864 OpenWith.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1568 firefox.exe
Token: SeDebugPrivilege 1568 firefox.exe
Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

iexplore.exefirefox.exe

pid process

3064 iexplore.exe
1568 firefox.exe
1568 firefox.exe
1568 firefox.exe
1568 firefox.exe
1568 firefox.exe
1568 firefox.exe
1568 firefox.exe
1568 firefox.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

firefox.exe

pid process

1568 firefox.exe
1568 firefox.exe
1568 firefox.exe
1568 firefox.exe
1568 firefox.exe
1568 firefox.exe
1568 firefox.exe

pid	process
2864	OpenWith.exe

description	pid	process
Token: SeDebugPrivilege	1568	firefox.exe
Token: SeDebugPrivilege	1568	firefox.exe

pid	process
1568	firefox.exe
1568	firefox.exe
1568	firefox.exe
1568	firefox.exe
1568	firefox.exe
1568	firefox.exe
1568	firefox.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOpenWith.exeIEXPLORE.EXEIEXPLORE.EXEfirefox.exeIEXPLORE.EXE

pid	process
3064	iexplore.exe
3064	iexplore.exe
1176	IEXPLORE.EXE
1176	IEXPLORE.EXE
2864	OpenWith.exe
1176	IEXPLORE.EXE
1176	IEXPLORE.EXE
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
1568	firefox.exe
1176	IEXPLORE.EXE
1176	IEXPLORE.EXE
4836	IEXPLORE.EXE
4836	IEXPLORE.EXE
4836	IEXPLORE.EXE
4836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3064 wrote to memory of 1176	3064	iexplore.exe	IEXPLORE.EXE
PID 3064 wrote to memory of 1176	3064	iexplore.exe	IEXPLORE.EXE
PID 3064 wrote to memory of 1176	3064	iexplore.exe	IEXPLORE.EXE
PID 3064 wrote to memory of 2212	3064	iexplore.exe	IEXPLORE.EXE
PID 3064 wrote to memory of 2212	3064	iexplore.exe	IEXPLORE.EXE
PID 3064 wrote to memory of 2212	3064	iexplore.exe	IEXPLORE.EXE
PID 3064 wrote to memory of 1756	3064	iexplore.exe	IEXPLORE.EXE
PID 3064 wrote to memory of 1756	3064	iexplore.exe	IEXPLORE.EXE
PID 3064 wrote to memory of 1756	3064	iexplore.exe	IEXPLORE.EXE
PID 3548 wrote to memory of 1568	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 1568	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 1568	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 1568	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 1568	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 1568	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 1568	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 1568	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 1568	3548	firefox.exe	firefox.exe
PID 1568 wrote to memory of 3944	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 3944	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 2000	1568	firefox.exe	firefox.exe
PID 1568 wrote to memory of 3724	1568	firefox.exe	firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://wa.me/639263247921
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:148481 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:214017 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:214020 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.0.1041211429\1981343507" -parentBuildID 20200403170909 -prefsHandle 1536 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 1616 gpu
3⤵
PID:3944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.3.1830246894\609621855" -childID 1 -isForBrowser -prefsHandle 2264 -prefMapHandle 2304 -prefsLen 122 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 2140 tab
3⤵
PID:2000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.13.1076617017\1231010788" -childID 2 -isForBrowser -prefsHandle 3288 -prefMapHandle 3280 -prefsLen 6979 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 3352 tab
3⤵
PID:3724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1568.20.1085093591\2107148799" -childID 3 -isForBrowser -prefsHandle 4676 -prefMapHandle 4692 -prefsLen 7907 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1568 "\\.\pipe\gecko-crash-server-pipe.1568" 4244 tab
3⤵
PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_35B7D08D939839F84EB742452BE22663
MD5
c8950b9a0dd8318945ea9f9ef1ef95f8

SHA1
98be1fa0e344244217fca251435d58026644a41c

SHA256
c4c818144e22ab3ad515f03481b873d75386950ea7776bc90877f00086f6f75e

SHA512
34a2d9c3b0fb0793eacdae0520209a93ac46b87b7df9f5e945cd7ff30ecb9932a9162e6191d65ada375581978eeeb54013dce76fa09bc28e0810143c313d2b64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_E56BBC53E65697C52F4ED9D30CD416D2
MD5
6ed5cf858b681357901d6b3226a18d6f

SHA1
898ccf6b442457a70fff0501beded12f07c0afec

SHA256
cca4a13f94b7645968d4edf2855687493148447eb363dfe6253e8ca60722e676

SHA512
e43f416de6389181f5a71f9b6a305b72b032b227c479d52c3fc89218bfa39a3f2d720eea8f597911f93900cce11ab394073c85eda4c098bd929df083fd76a75e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6A2279C2CA42EBEE26F14589F0736E50
MD5
8b153254225cf81983baa0400492b53e

SHA1
d2c94319c1a6d580325de5bb9921ef6ae85f0b06

SHA256
a3eb96967c5f501b5e14cf4e0a2bb4b9dfa8933352c973a1eae89c321804bc25

SHA512
8a20f17ddfc5de2aa2c535edecb63e4b6c44c94ab29032f5123cac42e8715e261bf259ff4a801ef65c2b0788bb8df25bbad9cc70c8c527911d6010e7f6e439aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
ae419a1e481a10b18d134b7e2d735dfa

SHA1
601cd52cbf87993a95bdb7ed85e00e9bcb94920b

SHA256
1d31e8a404674604d4cb4abe0c8a47e766951572da1ca7ba2c42d70e46364433

SHA512
4dfc521e1f8261d74d9aba3bbe291d670430751ba29faf4df53d4df2c341e94577c4b06ece8bd846eb4a30a583b3b1052eebf14820c7f71ec37769a7392f202a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
MD5
cd7a11fd081181fb05b0cecf71b282e8

SHA1
58d7d63363ecc59811f94504ce04f872a13190c2

SHA256
a339de84ca77fe7d15b355ce3f5a2b48bf85f9e6d1cf69d78abcce1f4ad89bdb

SHA512
e6d5010ccc87e0800f3557a1e746dee7a5b8c17ab374e9b623ad2611be9e4d55fdedc4bdc783c3d3581654564c2487d2cee6231e4d68f4d6238d82e86991a0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
MD5
0ba5c39b4a0d52f6701dccadd3060778

SHA1
774d55e65f5d9e66bf41184192b84e0f8d4d9ce6

SHA256
f83bb1a0a8314a5b186885e629bc0dff167e012efd38c65e822a6e614b016ec3

SHA512
2fc77270553516b55042bb822f550a79f60a5cc733c52ace2e86cb22a38542dff1cc840d66d9346d48fc3b16a75cde1c9283b8d646e577958ad568b2785c949b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
MD5
e04573dc60081c5147ecd86361990f55

SHA1
b82d2025b4c93eaf77a9dc818b8f9931fc4bdb54

SHA256
f62b5eb01fc641be396489a1c8baba8375a9960273ab4431d2a17e3d52f55ff2

SHA512
5460560ce45f6c6b33c992fc4579cd579e2528334acc0ac31303e84f48a58b5d491cb9fe7d002effbc7701c43e5b36d2939f6da3658bb84478b4dce5c0ccc364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
2cb98dea5bf63530a256d2abc5227170

SHA1
09f6549b44ed0a18547bbb11a3875fc77e02a3a3

SHA256
8b9e552a76a5e694ebdb8712617b222643cd4479caaa150e8f1cb632624a57ea

SHA512
c77e3215a7ad338443e538ecf6cb363af744c42b78a267f0ec184af3a7e2e783c9520aa95e1e52c6e4e0c7e4b1ec38b5fd12612ceb007b1275e5606f5a394c81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_35B7D08D939839F84EB742452BE22663
MD5
b32c2b78f0dff590c11bc731a8bc4d86

SHA1
dfe07ed1e09b55ab606539b6c24ae3db3fa9b999

SHA256
b638f73ebfbf87d5d257f1151778844a229fddf1d71b76be5ad7d138a6742d2a

SHA512
35e5cfcddc1229ce215e4a0f022bbdbe0f59d3c0e9ef6ffa7fd57cbe71fb5a5ea8a3f3b634fc4c590b6ddf86bc7d5c94289e01761ac80b6873993f3fa5c439fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_E56BBC53E65697C52F4ED9D30CD416D2
MD5
7ceca8cca356de0939239016bd4b0539

SHA1
c6bf1a6c73ec4cfa98aa25f62c9e1bbe5dc20d50

SHA256
d92cc39219215e25e6dc3768851d850fcf7ba6330faeb3dea084ba7353add3ff

SHA512
8fb62b8efd7372b33742b899fb21c1bf622e870a71c7ba6759a6ccef21e5e1f7f319d878803bd77284f3a0e8e55e7ccbe5e233ffc66c3a7a03e742ef8d255a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6A2279C2CA42EBEE26F14589F0736E50
MD5
d31122296f736e557f1888f089345ecd

SHA1
5c4c42409377cc01cdeca4059bf5cd7dc1f25d78

SHA256
885d1fc556f7dd7f16f431762c490d80319532faf3425f79a61862ec8ee7a8cb

SHA512
5c80e23caf8521108046d58291cdcb376be463a40d8adbd178e3a279af94e096cfc500c0c659625afd872c87aa5f7d2aade4565f677ae8f794a9bef7268e5ca9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
49938a1634c15c9e5eede0413f9b0e74

SHA1
d9949bda357067bf64a1caa591c78493780bbe6b

SHA256
9ab521a46d730c48bda3f91db98d3c6477d39078a38c781105ff7a7c662458f6

SHA512
d9c80dfa33ab7f4be28f7145686d047e314943343e446cadb38c13787c1caa86c14f2e72868bf00f56c3626ac1d2f07bfc3f5d86ffb29c4b8f0e30175caffffb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
MD5
0c6deadbd83865ca11c7ed6ed087c6d5

SHA1
f68713fa17d1640b23b7f0abd5eccc9fa65930ea

SHA256
bfbc045761cd9f7f74a2658b1e7f43c363f375291eb2610353f041f91cf9566c

SHA512
e0366d796fc336c8e8afcf66e02bb288782eae9611d733767fb35c70a3e075e763cb716cf644689e6535b5a0aefeaefd7ad275afcd5f34fe8d12a7cc6d842437

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
MD5
76f8ef2362ee2e80bbe2891aba723250

SHA1
738026f07acad50215dc88e04a8e3efa89454365

SHA256
22bfec9346f14ca1f2dfac6692c87b4eebb4cb16fa8cd2b8648f85e9e86bc82c

SHA512
e42f4ab075da8d448215d91564304ef148882497a3bea18778caacf511f2789689415220de626a8c52671e782f54fb1680378dde3d1e4d3c5297076cef70079f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
MD5
a2ccab4732a9890c2e30b8fa81956513

SHA1
a8da1f6e547a14336981efdef80c5ad70ba1f969

SHA256
317a0d6ad6b9197bd0cc1b4411cb11fa6006d534f20a248e0bc60081daae04b6

SHA512
9cd2467fa8c629fec90e4c94a4d282519f90f3f9a97300b551882455d33deaf634586e379a1f9cd5e11f04c7b654d18a721c5728b4db3e5492878b604b0dfbcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
677163597ae6d8d256fa7aa5ed0804df

SHA1
a142465851571d0157b05beae9d4cf645c380fd5

SHA256
db79c175268301185cb32d1531d78d9db80abdd9058350e9ccbba258580e99c2

SHA512
2069e13188bdcd2e9293c830f1dd3750bea161db53151d1d60938d25cf1d255d6ef3ca0e62f0c2fe2dcbad4e64848610201f0e44454a8efd10342ff50556d4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LVK4OSB1.cookie
MD5
e89c3fef8936fe82aa30bc8d8a926cba

SHA1
595d5f307075805242ee23a8a03f891f4a5cb7d7

SHA256
528749a8bc24bf78a7dd86d75cdde2acdd7b1d5de557c50828959db65e3fcf6b

SHA512
4d86cac35294808d8c47839c0a2147620d729ebdd425edd4a187fc80d462730ccee6155c50e30f543db2d9204b190899433bff2323280519aef6b45400d71cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\M4DE0QPG.cookie
MD5
d639225d9cbe96251f645388b2c52324

SHA1
cf819cfade2ec729b68078884ef9f37b623c0bb9

SHA256
02ed1aa78234fd75f6d1cf29434fa1f5a06c9cc1405be0b08099d75ffb5cd9a5

SHA512
9117d2a9f2276d0bf4f1999ee499d68adc97fe027c9bd30002580bec23fb27c0e8d3cf6c271a3be24837ad593e66c33239b203df34bd304fd6ca2e04ed0e572c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\NIVL1R2K.cookie
MD5
28db7189a2b37bfb91c611131a824a56

SHA1
ddf393c1eb4e6daed91d6a2dd8aafb17a8265af3

SHA256
1fabf7feac03f13d924c8d22bd0a058ad3f34f46ea3859734e2d350356aab7e4

SHA512
57c7758a1697dd0ae4fb856aae2f02f3121627ca5404e497fc5f1e5e61791bc92014976987f2d083943b9d1eb3702a3759e0044e61d174e51a0a9b5b423149d9

Download Submit
memory/1176-143-0x0000000000000000-mapping.dmp

Download
memory/1756-204-0x0000000000000000-mapping.dmp

Download
memory/2212-199-0x0000000000000000-mapping.dmp

Download
memory/3064-137-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-179-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-148-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-150-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-152-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-153-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-154-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-158-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-159-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-160-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-166-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-167-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-168-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-169-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-170-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-171-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-172-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-173-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-174-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-175-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-177-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-147-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-145-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-144-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-141-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-140-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-139-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-118-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-136-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-135-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-134-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-132-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-131-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-130-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-128-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-127-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-126-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-125-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-124-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-123-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-122-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-119-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/3064-120-0x00007FFE22980000-0x00007FFE229EB000-memory.dmp

Filesize
428KB

Download
memory/4836-223-0x0000000000000000-mapping.dmp

Download