hxxps://www[.]dropbox[.]com/scl/fi/l5x5n1z6wm1pauhcqsy3j/Type-something-to-get-started[.]paper?dl=0&rlkey=m8e5pjwmge2ptjzp6ak859aq6

Resubmissions

22/03/2023, 16:00

230322-tfrajahg86 1

22/03/2023, 15:46

230322-s7v75ahf96 6

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2023, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/l5x5n1z6wm1pauhcqsy3j/Type-something-to-get-started.paper?dl=0&rlkey=m8e5pjwmge2ptjzp6ak859aq6

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b076b8a9a145d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ea35b9a145d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b000000000200000000001066000000010000200000004031638a5f4afdd9ae0ea43a480963d6735a15865fc59a1192e967061f5bd8fc000000000e8000000002000020000000c4420da6980783adb2bc3b1404fb2b885fdfefc42ae262d8069c27597506956520000000a36b738415a716a1a2c6e410abc8155308a844259d952009e2c30ffeae8d37b440000000ef04398fa9c6e30d09b79b78618e3ac0d6df6f0821fd39ae6c8a62add1ddb29a73379352f3d5c1225fe72dbbd8499ddcf42101554bc69788eff58e53afd9582a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b000000000200000000001066000000010000200000000ccfcccd8f2545f4d373b573043f97b1e15207ed23c05684f35558924b099211000000000e8000000002000020000000c72a64a5545db6c0c337d17d92dff7adbd906e74f6ce426b45d21f58891cbe9920000000e54ed8df4ce7a7b47f61d9b6ed4b3d965e341b144e6b2f8bdf79e7a10fbd6bae400000000ff65aec1b6e8cc6e957d9545feb528b07fb6196143cc929f020ad6902639b63de5299a7aa4fc1b9e650734a7ef7df9c7b22cb77814ae467f7f41dc40261dcb3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0aa29a6a145d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b000000000200000000001066000000010000200000004b0c657c70e87879af88aa1c71516a1b052aff24748ea242504c8f4268c47c0e000000000e80000000020000200000000f82c545fb7038c62f468c16d02d4598bf0fd91f223c4cd7a9d6b93dd36189a120000000db408159d21c8ace749b577c23861c1aa7db8c72db42d1c16a306a85695a8ac840000000969ae6665284edd3f4d5736f12ae923d2ddc8c63015a18696bc1df08e6dd616f9fcfc9188a4cb6ee1d0608ded9c03e41917dad03748df5267a9903ba493ace29	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383713738"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b00000000020000000000106600000001000020000000ac9c071237183e602e27ff1bbb08cea597b5ee9b386415991863b3716d4e2e19000000000e800000000200002000000089e051daa6c23451851031779dd878656f1dd15b140bfa46387b015836e33c912000000074de2cdab5d1b3af6072e9647c46d2b5ce5a535577ec61a39bd4e951622e4bff400000008728ac652d84bc1cee7bc2fe394fde967042f1d6ba1445678f7c8898ff649a1b33d7de8023a115331e3775fa5e8d178e7139294b5823914ce25984d4f807992a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b000000000200000000001066000000010000200000009b678d1b40b2b40da557d4c27a177ac4eb963d0e5008929a1d993475f6476d54000000000e8000000002000020000000f1bb42ca33396b3e3d87213f4805b474b47685c17907a5d328303bcfaf281f76200000000d3923e1d96c93c7a025749a1be612e66af85cad11c722c98230e0db020dcd1a40000000c0311f7359269085b364ce8841babac753971a551df5c47f8041c2c2d3480726d3ba7c6846d48638df84d3ca962c816a87201645edae902b2540cfce3fc9d69c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04b9383a145d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a4b1bca145d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0AD1B871-C8D3-11ED-8227-6655A42BCB16} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b000000000200000000001066000000010000200000006d975a03f2aa8570fc5599df65138d00f5caf29d0e641c208587516ef3c6fd81000000000e8000000002000020000000d179c6675c9d4d74dc47765aeaa9591f42cd1cebe6a6c2758a054a17b649a82e20000000a5912db76461b8cf2110379c696d0078adc9cbcbcf8abc2737450e5a49b6d1994000000051d3759a350b339617e541a802e840f4ca7f6b4d83ee477a262bd53fb6547685a4fbd65ce68ca53b0a61a10ef03f52bb210319a3354ef46c2f90185a93ca0333	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b00000000020000000000106600000001000020000000a26fc61c45a384581a884d85ddc425bb126803304314dfba91ac340080b2b9a7000000000e8000000002000020000000cf938f20f982a4f8958b3f6f24758d5500781e9df4dd372b440f7baf8d2a8e9ac0000000d67c8e5f1d290613e66ba5d54a1156d5d462603acbf0bc5cc8b4d670613851de40c7431b6acf392832ebdb9570cdaa73d2dfafe2a12c2327c26579a642587bbfd49f2de0e9b3c7ce19b4d668fe6bd92df61f98676d5f2980e1a577778482ca8e44e859f039ba59f53bbc014410541892d9a9ee23aa8db7155f687f61fbd04df0ed6518db27a8d7f508155f67532e44f52fcf0bdeefd5770038331b5785f879751453839a9200c76603b7a9d6b853c8a353e413cb8d6f74b0f2e2ac2434225e0340000000426d96b80b87dab3512dba7091aebdfd5510245d2169a28b59c65596376658897db169476ddf4a64194815026c5d7aa45eaef4fe722f03231426031a163a9a8f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30347983a145d901	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
960	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	firefox.exe
Token: SeDebugPrivilege	3556	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
960	iexplore.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
960	iexplore.exe
960	iexplore.exe
4648	IEXPLORE.EXE
4648	IEXPLORE.EXE
4648	IEXPLORE.EXE
4648	IEXPLORE.EXE
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 4648	960	iexplore.exe	81
PID 960 wrote to memory of 4648	960	iexplore.exe	81
PID 960 wrote to memory of 4648	960	iexplore.exe	81
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 2740 wrote to memory of 3556	2740	firefox.exe	98
PID 3556 wrote to memory of 1804	3556	firefox.exe	99
PID 3556 wrote to memory of 1804	3556	firefox.exe	99
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100
PID 3556 wrote to memory of 3808	3556	firefox.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.dropbox.com/scl/fi/l5x5n1z6wm1pauhcqsy3j/Type-something-to-get-started.paper?dl=0&rlkey=m8e5pjwmge2ptjzp6ak859aq6
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.0.1722449504\2119274379" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9197fe37-a862-4abb-a612-9fbe18291d7c} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 1900 27b246a6d58 gpu
    3⤵
    PID:1804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.1.481357521\270462182" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd006a85-d575-48b0-851c-cbb43c0f40c8} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 2300 27b16671f58 socket
    3⤵
    - Checks processor information in registry
    PID:3808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.2.13830643\1811608089" -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 2944 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab9a113-d359-4096-b994-23904a41c8ba} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 2788 27b272fa758 tab
    3⤵
    PID:2516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.3.1477141197\1978121576" -childID 2 -isForBrowser -prefsHandle 3892 -prefMapHandle 3896 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d043f641-9f9e-4ea8-86ea-4358651cad88} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 3920 27b16662858 tab
    3⤵
    PID:3948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.4.956838898\1640165275" -childID 3 -isForBrowser -prefsHandle 4128 -prefMapHandle 4132 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db88fb78-e70c-4209-abe5-a9f753ff7b85} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 4120 27b16661658 tab
    3⤵
    PID:4612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.5.1101214398\320532484" -childID 4 -isForBrowser -prefsHandle 4912 -prefMapHandle 4936 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a6309c9-52c6-4c91-90f2-24f2fb1f23e7} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 4924 27b29a45158 tab
    3⤵
    PID:1676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.7.347973475\1802913623" -childID 6 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d0340cf-dbde-4e0d-b49e-26fc9abe818e} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 5268 27b29a47858 tab
    3⤵
    PID:4564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.6.1103750365\1731273578" -childID 5 -isForBrowser -prefsHandle 5068 -prefMapHandle 5072 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ed62fea-4d09-430d-baed-c37e08be91d0} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 4932 27b29a46358 tab
    3⤵
    PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\cz9baam\imagestore.dat

Filesize
881B

MD5
c685121b83cdc4b9640ae0d937f4ff4b

SHA1
b73e463154fe8dca79cf521b7bae3de136254a78

SHA256
5b45e1332f848aaf7725e01d5cefcdf03106ca5b2d004678825e9495995fa027

SHA512
f8edd78dd82dc81909a29ec7ef134566e1148ec533e1b00693c33034a20e8ca96f17661a32d879152337a503dc5364f600b9152e1f4658ae1189b9100a2f5cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\OpenSans-Bold-webfont[1].ttf

Filesize
162KB

MD5
b0dbbe03fa8b4030610973e2fea5d232

SHA1
fdc8bae8ce8d311d410c520a1364f6af3067694e

SHA256
b6ce56ee32c81ddff0f724f95bf0347f9e7a886496beddbcc8f3cd2fa7042971

SHA512
a6221daedd953d3b71544bdb1d9977b475863eb8a86216e88e9a4c8efb9bde7e9caa43295308d7c8de1561eac9a2424e7a6527d127a8bc382035af5565e437c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\OpenSans-Light-webfont[1].ttf

Filesize
156KB

MD5
b202959a841a37b5bfb12fe69b6bf0d1

SHA1
7d93db5cd86efd91cfb9c61ff66b210d049d5014

SHA256
01e40ebaa4275bc99729d90b4ea47b977b88b8d734850eae816b9037a32c825a

SHA512
cb9cc946a7284cb29658ddf9b1000f4ca9c36dcf65d25ff93e58a664f59cec6659fdfd60b68e7b3933534c6ff9071ac3893b4dcfdc9c54a758d8c7ec7c80b360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\OpenSans-Regular-webfont[1].ttf

Filesize
160KB

MD5
3cbf4d3ed22e458af0d14d76cb4777d3

SHA1
8571ae75f6dbb4055ec2b61d4dabd03b38e03764

SHA256
ab6dda86c87f61e7ad1af2e733e04ca83fdcd43edbd57f88e35acc1878078223

SHA512
51e6c58dff331d5c3e16f327a7b0bc5b5578980e47bb3ea072678fbd8a695a7559c283e4c7c3a623470ff811dfdbd37c83ef0c5ac72b2b9c9b60dc7d60621fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\OpenSans-Semibold-webfont[1].ttf

Filesize
38KB

MD5
b32acea6fd3c228b5059042c7ad21c55

SHA1
0b72db51c3db686963fdc5e8c05b92645d0161b5

SHA256
9f8567ea7c2d954377d5a3c26bdaf666ff993dd6a2d4e7e6931917a0286514a2

SHA512
95772dc94425e7801c90b4f98ff069f2c423fa86d096b5043d0cc8b3b43935b9da12eea00d0894706ff0c7bc522b5ea62528f591a0297bcde20c5b6efb00b019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\error[1].css

Filesize
39KB

MD5
88b097b205e9e375871af5b3794601e4

SHA1
e9f39259db44649e8d5c82be62036de7f4360fb7

SHA256
c117fa946c4fc49b9f2d4ad50139d6fcacfa3cfc07cc26ad70a2369061bb701c

SHA512
db3d1d2c9a89d4bf8ece11ae66480fab76dadb34fad72149b56b464036144754fbef6e958e9ac8e188ab4f526e0ca78a8c8b22437bbbb7e2bb2c94e91ef124b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\favicon-16x16[1].png

Filesize
695B

MD5
7fc6324199de70f7cb355c77347f0e1a

SHA1
d94d173f3f5140c1754c16ac29361ac1968ba8e2

SHA256
97d4556f7e8364fb3e0f0ccf58ab6614af002dfca4fe241095cf645a71df0949

SHA512
09f44601fa449b1608eb3d338b68ea9fd5540f66ea4f3f21534e9a757355a6133ae8fb9b4544f943ca5c504e45a3431bf3f3d24de2302d0439d8a13a0f2d544f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
d6bb0656f494a140abb9be06fa41473f

SHA1
6c00486fb91cfd326062eb958d45bddabd93ab91

SHA256
cd076309eef1a1667b82b43e66118c9f4f5151062c0427934877c1ac9ba95039

SHA512
120231de03d43c192fa4883bcfa36133ca874e923426af73dffc9d858c5df000a567d84259436649197ea19d0f718ac7a73a80be917967eb695a284f83642f7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
d6c0094811e6f78e13626f4a00437aa4

SHA1
58315dc43dc510b1ab68f7ccd8015f4180789263

SHA256
fce407bb52665b918fa022478fa43836b1ada7ca0f7fef68dacd87b36fb901e1

SHA512
ebdddf0e8c539d24a9696ee6f1fd4b3682828b3812a407d2ffbb7876931f37625f304fc35c481d830a2ca1199a36c0ada64292096ca72cb011b187c9a21d735b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
a8015a96aa268060b147d5284edc526b

SHA1
f9dcab8b78175ecf904c0bc1114f28ffc19f70fe

SHA256
2fa02e528da5a92e72e3fd65e6aeb4edeb7adf8ddd75663ae8cd052ed9cfd025

SHA512
351e71306b60b807e8362cb5176297f25cee1cef8e1f3fa16a8833ee3faf0206f68e53c18695a803568a6d670f885df627c3f3f9cd3c57c500a696c22a85d2be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js

Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
62769c55dca79e2410357b32d980da11

SHA1
328d1a826d203d010a1477e1160971db047272df

SHA256
591d7f4837ce8c10d211d472fdb51347b88dc4687d2750946fdc66f91ded59bf

SHA512
842ad64c36ae58bd20b5f073cd7a6d7f2b2ab13fb5f840baf85d0b89db133c20c5990b20656e7d4a20567f5e8efde120e4c12f1b4f3ae6f1d6ce5a69b97d0aa0

Download Submit