hxxps://drive[.]google[.]com/file/d/1h4mL-IQWi6fxy7Lbw1urXpi8N9L1P15m/view

Resubmissions

02/03/2023, 17:19

230302-vv9k4adh98 6

02/03/2023, 17:10

230302-vp7vbade4v 6

02/03/2023, 17:07

230302-vnbeqade3w 6

Analysis

max time kernel
161s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1h4mL-IQWi6fxy7Lbw1urXpi8N9L1P15m/view

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d3273793ae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383689859"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60405deb6945d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a008146a45d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2ED33B3E-B925-11ED-9F77-42C2EBB090FB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\drive.google.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{3C69D694-3EA4-4B24-BB07-479DD9536DE9}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30e8e7156a45d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000669dfd22d2540b69ef7f4c0ba48b1cf1a24470fa0df66d291b9e0a6d460ca0c8000000000e80000000020000200000004f0680fa6474507ed20d59a8227aaf1ec5afcf431bf1e5ab7218a2506b33f29c200000001a565f507c60fe196874b43ea6c1aa32bfc9d214cb205c39416f8e4a511a6e6d40000000ff36105864baea5adf69705c31aa20aad7c3a3581888019a5abe56c4501e274b41da87fa4803cf7f6d0447cc8f90d4abd099dc2540516a6a7c6fe00f7d84c92f	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\drive.google.com\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\drive.google.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000316b2cbdbc968afbd61a532762d796c34cc504c4abe492bd10f9a7ef66f29d56000000000e8000000002000020000000921dbe1acfd31fe76d9f6be8dedbaa2cdb04e346e9b3373fcb0edea575f0188f20000000c77de730d28a6c520639f03160cee70d67da7ffc269d7c715a27468b327a59f4400000008d78ed274cd8bcfb5f808d3816473b594b7c9a7c6fde0dadcc5b2eed13e3428986ef65df11c55a44cc2582827fc34ed7214d273891eac10ec37b55973ea2c63b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000eb4f3081f2ee1fdab8525511680276ae9c0059df8d46b6084fc35a538f00b9b0000000000e8000000002000020000000fb710472419cb1db13c262eaf04b721c81e669f83d2f152c1ca7aa58b392f01b20000000990914fd5e2d51cc27e70806444db4d0dc01cffa971d5d5e0785d8d63c2c5bce40000000ec83240e6a32104b9832e903968704f3a2ab2872ccef38089beb15bee9239d9c736fdce11432d412a5fe893e01460d0097387bad950d22d68393253e8ae056f6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02843eb6945d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000807569d22fc9d12a721b3c82a6f6a1789d7414160d212703f931ce098c4f9997000000000e8000000002000020000000b5ff9e42fd8a67354f135e52ce17a9c85f8b25c37cacd05c50ad94b73830f6cb20000000b4de7fdff37992cd7e940f84c43945e47d44fdb87bd6af8d6f773e4ac1d3b36640000000e4d3c4b5140abac456403f5aa20f969fdf4efb0da8ac6f9b898056f73b7445bfef3523fc8e9aa4b6742c6eb615c5dd93c36ed441f97cc00317ad0a04478b7d51	iexplore.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3756	iexplore.exe
3756	iexplore.exe
3756	iexplore.exe
3564	firefox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3564	firefox.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3756	iexplore.exe
3756	iexplore.exe
5036	IEXPLORE.EXE
5036	IEXPLORE.EXE
5036	IEXPLORE.EXE
5036	IEXPLORE.EXE
5036	IEXPLORE.EXE
5036	IEXPLORE.EXE
760	OpenWith.exe
760	OpenWith.exe
760	OpenWith.exe
5036	IEXPLORE.EXE
5036	IEXPLORE.EXE
3756	iexplore.exe
3564	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 5036	3756	iexplore.exe	84
PID 3756 wrote to memory of 5036	3756	iexplore.exe	84
PID 3756 wrote to memory of 5036	3756	iexplore.exe	84
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 4164 wrote to memory of 3564	4164	firefox.exe	104
PID 3564 wrote to memory of 2104	3564	firefox.exe	105
PID 3564 wrote to memory of 2104	3564	firefox.exe	105
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106
PID 3564 wrote to memory of 1108	3564	firefox.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/file/d/1h4mL-IQWi6fxy7Lbw1urXpi8N9L1P15m/view
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3756 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3564.0.1738913135\1966971658" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36eb3e4c-ff3a-47e0-b643-d5ee918d30d0} 3564 "\\.\pipe\gecko-crash-server-pipe.3564" 1900 1dd0e691b58 gpu
    3⤵
    PID:2104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3564.1.209599681\1187560220" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6b2aa53-5e7e-4ff2-b018-ae7c5feb2d3f} 3564 "\\.\pipe\gecko-crash-server-pipe.3564" 2300 1dd00670d58 socket
    3⤵
    PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\DIY2AU3Q\drive.google[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat

Filesize
1021B

MD5
05a82491a1bdc857ef353df1e3a5413c

SHA1
60e63ce00f2d94665d6c1fcfb87404650d088b59

SHA256
92b0df8a1c4cc0f019140e48c77a5da55bf602a2c6e851c4476b08ecc6f4f221

SHA512
df105581d27e30786dcb9bcc873ff6d160bfccc164931e1517b69a3035288d08b2a7344f8bd9fe1790f2f21dd9c2a05ab01836b96b37a3f8b1c2a7f1b7f7a5d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat

Filesize
9KB

MD5
cacad454d132574e259868d22682a277

SHA1
447fbee29f7d900e9d3b237ccdb184364c1c9d42

SHA256
4a9b7ff034d3561ba39d7de13253033c020c451f52442f5d185cb3c4172c9ec5

SHA512
cbc879b626d0425e5cc11331f7ece9ba78398cb6b2cb4dd11fa68dfd798480f230d62218e2b6c6c6261db609c2eda9a103b429055aee44ea6c804c4a1f0d066a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat

Filesize
9KB

MD5
cacad454d132574e259868d22682a277

SHA1
447fbee29f7d900e9d3b237ccdb184364c1c9d42

SHA256
4a9b7ff034d3561ba39d7de13253033c020c451f52442f5d185cb3c4172c9ec5

SHA512
cbc879b626d0425e5cc11331f7ece9ba78398cb6b2cb4dd11fa68dfd798480f230d62218e2b6c6c6261db609c2eda9a103b429055aee44ea6c804c4a1f0d066a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat

Filesize
11KB

MD5
07c298cc6b78a1bfa316cc290cf090c6

SHA1
7a5d1f8b9776b44ee9275bddf731cbd21249c602

SHA256
9284cfc37ee57c7bfc45d0c6665a8b10a0a20e6e50f0f58a76c130e34d2aea4a

SHA512
cd4f5d92131253df1f02ec433769e4219f9871e2f354ef4010406825d60b75d92a17ee2ae12f41216158aad409e507d01fc767b9b9f93fc3e4871cbfedf90599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\Areena%20Riverside%20Resort[1].rar

Filesize
4.5MB

MD5
8754ea8695bc5db00924af50b9306e2b

SHA1
e5cf4c79e1378d09b68c767bf06b173b44df1134

SHA256
fcb7a445c40ba527b888301826881c447ba9cce7360f282db8327fba558a451b

SHA512
a77b4463571d5973edad0700375364fd57326fa145928d77ef105fda77d11dd3209e691bf36ed0a1ec4f3d00350e74dc63427b4903672d2dec46deb90025a81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\cb=gapi[2].js

Filesize
70KB

MD5
7c5be8bd74fa69afcbf7d14bfa057a19

SHA1
167cced15add6eaada7a1e677bde55208a1608d2

SHA256
1cc44005ab735a11fccc1f38e4a6937a355a50ae0c7ab1e9bae9d9f7ca726c05

SHA512
e979100027ad447422fbd9a707cb5072ef7fe523bf00159a0f48d6ad0b12a838591bdaf2cd64f3a25aab1d1afb288bf4908033ac64d67336b8e1867c9401dd13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\qsml[1].xml

Filesize
534B

MD5
91872a18ce91a89db2e7f921cb3a4028

SHA1
b8f5ef647e7aeec9c6d177f10254c1addf85fee6

SHA256
2a6a16b6c3b9a081ba53e4d13ada55786513e55591ddefa24c317b432b6ce3bb

SHA512
984b320a2af457c4713cd065df8c246f70746bf25d76e97b3b9c25691d99a65f3cf11128c6a7ebc17f68620ad63a67a2f507ab72e5424ec65ac7410af35caad8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\Areena Riverside Resort.rar.g5i964f.partial

Filesize
4.5MB

MD5
8754ea8695bc5db00924af50b9306e2b

SHA1
e5cf4c79e1378d09b68c767bf06b173b44df1134

SHA256
fcb7a445c40ba527b888301826881c447ba9cce7360f282db8327fba558a451b

SHA512
a77b4463571d5973edad0700375364fd57326fa145928d77ef105fda77d11dd3209e691bf36ed0a1ec4f3d00350e74dc63427b4903672d2dec46deb90025a81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\composedPath.747e02b4db7d3b22a19fd3efd2303663[1].js

Filesize
252B

MD5
551ad64c21200577a3af115dc4f704b8

SHA1
e2b6c36786109bc3a5fef6b6750fefc03b4399d5

SHA256
99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1

SHA512
2d822ad5c5accfb3a8ccc5d3acb410e71a7e841818ec3001e09092234145793ca5cdaa59d24cecf83e4758a8b5b98670dd11a27a4f11cd30d7379b56abab0a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\qsml[1].xml

Filesize
515B

MD5
bbce80b4f961742b5602d7301d0cdc1a

SHA1
791b97f97c3607ee06f9f51c091d68b5fd3d5260

SHA256
99f932a2bbe0347304e2ab9c256f2dcd12d32526d22dd0eb4b7fa699cc426d6b

SHA512
f1ecd7c1515eec1124544764410cca54e593e19f3959a7466ff5e59a47359bdd9c6442fee6e72ef35a43be90fc98787f15e648d68f1ff857d0849f44dfc664fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\shady-css.e1693e8462f7567cc71f9b893e8e1e20[1].js

Filesize
136KB

MD5
4e9d95156d75a4fc4870c0e310f97de5

SHA1
2240728b13708dc88878f93ee7e9b533ab93137d

SHA256
d13585401c3e5ff6678cacafcc42ae674296b0d9551d2ee03af5b8aab89743a1

SHA512
5727aad8d5e593454cd5e1f95c37fe2f77cb747982ac1ee649c4aa380e93ac1ad336ba8b9f13176aacd8e2c158c61ed1dbe267f0d668d1c0c63bcb90581f1455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\core-js.743054a088626b13bb851b7d26724fb5[1].js

Filesize
199KB

MD5
19980b875da17a01b3cbe56e3bb4022e

SHA1
900535f9c2267098591880bd790175875dcaa635

SHA256
40e1be5d6122627da16ad51b5e4859c8912869f154869ddf50db229e273c8380

SHA512
c5df298aa50b8afeeba4b7a1f0831da229f11c8b3e71d65d4bec76c0c9e4353621fa984a8c173a499950f9920ff8b875ab301cf684d147d4271b355b516430df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\drive_2020q4_32dp[1].png

Filesize
831B

MD5
916c9bcccf19525ad9d3cd1514008746

SHA1
9ccce6978d2417927b5150ffaac22f907ff27b6e

SHA256
358e814139d3ed8469b36935a071be6696ccad7dd9bdbfdb80c052b068ae2a50

SHA512
b73c1a81997abe12dba4ae1fa38f070079448c3798e7161c9262ccba6ee6a91e8a243f0e4888c8aef33ce1cf83818fc44c85ae454a522a079d08121cd8628d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\favicon[1].png

Filesize
1KB

MD5
ea5b82d1d0d83deb394aa8a5f0973530

SHA1
d94764657d0d75c8dc3b4c65d15a3a10d3418817

SHA256
6e96941253dcc6fc33f075418147c17054397384c4e1c7fd5c956e5cabdb2983

SHA512
2131c08071fe436bfec13a36c12bdd391c6769b75263b4bcfa9980c5be03c64d84e133ee8f591fd5aaaecbbe882200219bbe2b7bafc8bd152b867472edd718d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\fetch.a1ad5fb96dc0cb61b9454244c9bd7fe6[1].js

Filesize
9KB

MD5
9f292b53ba5b57783d407eb5a61aba83

SHA1
e6f20058e0a0c429a8116ebece108a4eb298814e

SHA256
223cc0c3d2c5e4834994571da73b15d261a93d71c03ecb388a993bd63edd5215

SHA512
900acb1361b95029e10ddbd5cffa6930b4b8ee2e4670325f768eb3c339c1d163d4e669b2639fd69ffccc9a77a5b7df9b42c6490056bc31eda45285fc2aea903a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\qsml[1].xml

Filesize
470B

MD5
aef4d0b07f95e0d94ad8cf53419293fb

SHA1
c68bb6fb47dd5590057c5be6a97d8d6de0d4a3ca

SHA256
cccd91f92bedcf33fbdea587aa74052aa2f4db07a5737532b725e72cc119c846

SHA512
fd1e545411e9457aa1c5e2288dc2d67b011cdac9a6b1178c4259aaea084101ebabdf986d1281400679cbf7554e6df48d566d991892bf0d96fade6a2fcbd9ea71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\qsml[2].xml

Filesize
525B

MD5
50a772d1f9423e21f21cf25f799017ff

SHA1
cb56c22462e7725e4a78f37837cd02bd765c0149

SHA256
bbd7651a26ef8792bb8d5f1bf2e2c1d83fd090c84d60d6a25a70320b48280c5d

SHA512
659dd2694352d69d9950bc6634a59d693172348421782f0a946d6c305bdc854628ed5447500424f5f53f3df782f1d2b1b2c8d5ee89dd017b61a1316d2a24786b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\qsml[3].xml

Filesize
540B

MD5
0468bf152432806e5091120df57e739a

SHA1
743cc5898eccd54286eb067eb44fb4c27f6c4f7a

SHA256
51bfc80e61576fabd280629da79ff4c13264da11a56a5754d600e4b74d1eefe2

SHA512
41e92a7a09f2d4f4684aa93dae0758222b2f9f77f01bc95a89921ac89feb2d14d50a0642177c5e9e658c4383603365a65bf56ce3eb2e24c9e237906be484b48a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\regenerator-runtime.95dc763885f05111a2f88232a2d0cf2d[1].js

Filesize
6KB

MD5
2b97956e0416f86ebda5ed3d4a75a127

SHA1
822c7aa67ba595ee504411fbf9b6ebc6749e538a

SHA256
ffb233e9e2af858fafba9637abbc5a73af39fdd88fd31c5a8fb7cb63cd17f454

SHA512
5ad19641a50e4c59e76eb32578ca0ac85aa59f8000e8663900ee4557c3dba0ec979b8745ffe1e886f340cb91a0750024f87b6fd23e6ed40de629638c09a438fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\api[2].js

Filesize
855B

MD5
5f66a0989a66c7c5918fa35253f2fce9

SHA1
a9be34816395a3c4881dc32bbed5c8f3278ed6f1

SHA256
1eb134e57fc151fae3eecfd2187af3697edeab7f305b268ef364a821f1c6f122

SHA512
68a69119023ac75d30f888b3b63474cdf9a14f2986802bf693317a598f53fb14dfcc3c154f9b641c837ee7bcb37ce788ed124e992c4eac5ab602a6341f391300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\main.46c52b24299baf13de57[1].js

Filesize
3.6MB

MD5
43647d04b3726c33e991a71258812164

SHA1
3e6b4ecd43d452539deb1c147e4a738f4654a0d8

SHA256
01ee2d04ba44c4abc315477c7fc2fbd8e4d1473ce0dcaa4f45256cd862608a7f

SHA512
c746ec9f28cba89a72c66d618fe0c10f9f1faee4fdd268b44dbb3204deab80aae3d0c9fb3e3c43c9b3f5092d135a3fdaa19b4f8d2c0dc74c94fdc57c643506a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\recaptcha__en[1].js

Filesize
405KB

MD5
fc58191abd3c514a822c509e9be701ff

SHA1
991c99fb8f9214a921397ad74513696440d9bc0f

SHA256
ff4055198c989e026a212f803ab8f5f967e3319fb0d9b02b9ebba28e14537683

SHA512
70b5cab0e6630138314acadd0ee954eabbbd3d9635d3ee409fce046524780b3746e1a7f4a52f0df2dcdea05da6cde29759a2175a3135153869df78de062a5d9d

Download Submit
C:\Users\Admin\Downloads\Areena Riverside Resort.rar.kbfufxa.partial

Filesize
4.5MB

MD5
8754ea8695bc5db00924af50b9306e2b

SHA1
e5cf4c79e1378d09b68c767bf06b173b44df1134

SHA256
fcb7a445c40ba527b888301826881c447ba9cce7360f282db8327fba558a451b

SHA512
a77b4463571d5973edad0700375364fd57326fa145928d77ef105fda77d11dd3209e691bf36ed0a1ec4f3d00350e74dc63427b4903672d2dec46deb90025a81b

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads