81c342e8068331e76a06110cef06a20ba89cbfef568cec01fb135686e853a2e8

Resubmissions

24/03/2023, 12:44

230324-pyk41sed25 1

24/03/2023, 12:41

230324-pwymbsec98 1

24/03/2023, 12:38

230324-pt9a2sec85 1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remittance Advice 03232023.html
Size

5KB
MD5

64188af58348b05313dcc0b198a8851a
SHA1

7da5ede615f8dbab2c159aeea1319f671efd6b46
SHA256

81c342e8068331e76a06110cef06a20ba89cbfef568cec01fb135686e853a2e8
SHA512

74939fa11f76df9c53c7906be006e93e7f2b302af4557fbfd1512784496c53291e760aab75da471bc2e5accc03d5baf3652ac0fa0f2fd0229708600fc53e3d98
SSDEEP

96:0i7JbJ8JvqMJbUZJo7Ycjl1UJPoP/JCWBBoswQ41mYT2JcfIQKJejeJJ7ne18JOj:/tYvqI2o7YcEApCWBTv4Avcf5SeSJ7eL

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca13020000000002000000000010660000000100002000000025b324ebd12a0d74879daa1e0296df1fbf8635dcf330c009d6bd4003db5d5c1e000000000e80000000020000200000009f7bd76dc2ed62d3004be6af9a36e1f550a446225c87386a59bf037247bde4e62000000010f68b205c0034ea991ef53fd8fd295b61091c0c686dc5a617afbc69b88ed8a9400000009cee12b9c4c41a5508f43a7e1acca094f3996a4de1427f20a10503fce8245799fd869f35b0ea94b9fbdd51d7fdeb2cc9211a297d8b0f70689cde49124c4bdef9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701ab18e565ed901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{96670E4E-CA49-11ED-BDA1-5E272E2E2FB8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31022678"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1857211240"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca130200000000020000000000106600000001000020000000769ca6ca19aeef4d9c186297f2e11179013b52279bcb70783f27b120f943bd21000000000e8000000002000020000000e9341681a81aa03a15387ba04023928d9fe405e0967625b57aff451c9fed045e20000000f9b09988b89e06e7f28c57a94f189fe24a6c20ee69060bf406964a1efafde72040000000123dabae064d4dae307ed558ca37a8969edfeef21a34d705b6b5e578aadfcc1154314af59eb9f17483b29cc489ed90908524d7be62e3c8012fcf33bb6928f846	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0641086565ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0712c89565ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31022678"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca130200000000020000000000106600000001000020000000a5fd62d6b126a4bc53c4a5eb6d8d05bb97ee3a34e3594e85cce5f649f2b56aac000000000e8000000002000020000000d503150fd4dda4a0ca08947396f4cffae795e5cacbe64ccede353e377cbdb8e420000000097ee8123bb3a47eeb5e0b0fbfb5012b9efe694456f1e0c66f6728be8447fb2f40000000f97063e6d3566c6c59e830956a904e101b2a0f311f367958852e0165b5e612db0f32f02672f7f37e4e2b80a69979a3d7bf5c68aff74c0881132b42e54aeb391e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1801897248"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386430274"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0290399565ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca1302000000000200000000001066000000010000200000000c61678723a8167a50c2379f226d92df40ff142919c181fd26358dbfd654c8a3000000000e8000000002000020000000b229d1b071338a6e9b2b8c1db5dc7a806d90964aeeb45217edbe30e17b4bcde420000000126e34b06dd0c58c28b834e467361875dcd62ce17934106a03f3f39a81d0d99040000000063baa37df4bbd753ab604ec330f81a22d38fc990cfaaf557c865ffe54a3d4e9a06528ed3eb707aa583b4233da542f05525bbd967cd27f2b86a0d16b51dc46db	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f05c9470565ed901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c08da270565ed901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70c1ec83565ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca1302000000000200000000001066000000010000200000009620bdf7dd2824a2627a5d581bb1095c857a28f7effcca758eee82efbbfa9c92000000000e8000000002000020000000e903703584346e7e79773edc54225906178fcf9bd203cfbfcf770b9b296467cd20000000f19164fe4fc0368e33b32636ee409512e5ed5e50d41d8f1960b4ce5c02e8bd7d40000000953c116b4d7a23c30d4b9261eec574a3264723b3af8d74240570f64a3626058b958cf321ad1f18cbe63be969ddd784fdec0e160510e94fb45fa8457b889a8b22	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca1302000000000200000000001066000000010000200000003f87ac6b628fdd6595a1ad245aa293dcfb73469712fd3a67009a3504468652a8000000000e8000000002000020000000d078fd4192ed2ee97b33be0be7e39e8d09adbabdf9601a3f6a5979a913596e58200000001cdd8cd2ba483bfb26f716b45fe8a98d99cbfa1e188551fde5217585a6971f9b400000008417d646ec7f9e270dcf5fbf2909f32c23b539614eb5a08e75ee9fb847a9a1890d8f993e10e74647b39e09598e2ccb79198b36ca07466639f5c2567f2de5a744	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1801897248"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31022678"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca130200000000020000000000106600000001000020000000956fbe2fc765975de2124574b59751c7b6ea572b6d641626fddfebbb0b6b0c43000000000e80000000020000200000006741a9e85446baf1b74dd46184bcf78a5d3f81784e38f76e78f4deea745e664620000000388774b740f26173fa5d24db1387ced4baa77b9555510a07da95266b631d953d40000000f95e0ad199b9f5c00d9673635a2ae4e1f4a0eccdbbe131d214a17a7c968b639e82b1879f2d5f7d00bf31e6dd27aeaba93ba756e11c64437892d7ee79363022e3	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	928	firefox.exe
Token: SeDebugPrivilege	928	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3636	iexplore.exe
928	firefox.exe
928	firefox.exe
928	firefox.exe
928	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
928	firefox.exe
928	firefox.exe
928	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3636	iexplore.exe
3636	iexplore.exe
3840	IEXPLORE.EXE
3840	IEXPLORE.EXE
3840	IEXPLORE.EXE
3840	IEXPLORE.EXE
3636	iexplore.exe
928	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 3840	3636	iexplore.exe	86
PID 3636 wrote to memory of 3840	3636	iexplore.exe	86
PID 3636 wrote to memory of 3840	3636	iexplore.exe	86
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 4508 wrote to memory of 928	4508	firefox.exe	103
PID 928 wrote to memory of 3996	928	firefox.exe	104
PID 928 wrote to memory of 3996	928	firefox.exe	104
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105
PID 928 wrote to memory of 3896	928	firefox.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Remittance Advice 03232023.html"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3840

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.0.118498826\1814772801" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca51b705-f00e-4d00-bb23-3d1fbca3a874} 928 "\\.\pipe\gecko-crash-server-pipe.928" 1932 1dfac3ebf58 gpu
    3⤵
    PID:3996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.1.636001403\101508346" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68ed8a47-76e1-45cd-9455-dc50fad5ec75} 928 "\\.\pipe\gecko-crash-server-pipe.928" 2316 1df9f572b58 socket
    3⤵
    PID:3896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.2.1393841303\1993702870" -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3148 -prefsLen 20931 -prefMapSize 232645 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba4acdd6-d20a-49ce-a68b-fc62d2d62edd} 928 "\\.\pipe\gecko-crash-server-pipe.928" 3164 1dfac363458 tab
    3⤵
    PID:4580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.3.394711266\2052342066" -childID 2 -isForBrowser -prefsHandle 1432 -prefMapHandle 2460 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba46a25b-33a1-4291-b883-b4669dd2e1e6} 928 "\\.\pipe\gecko-crash-server-pipe.928" 3400 1df9f55fb58 tab
    3⤵
    PID:1136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.4.1446933749\228223365" -childID 3 -isForBrowser -prefsHandle 4180 -prefMapHandle 4176 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d1d1fe9-d59e-49b9-ac13-a3773e73c865} 928 "\\.\pipe\gecko-crash-server-pipe.928" 4192 1dfb1256c58 tab
    3⤵
    PID:1572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.5.46768133\2126721977" -childID 4 -isForBrowser -prefsHandle 4836 -prefMapHandle 4832 -prefsLen 26579 -prefMapSize 232645 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ea5ec0e-ee84-4c04-b22d-6d08c529bedf} 928 "\\.\pipe\gecko-crash-server-pipe.928" 4840 1df9f565f58 tab
    3⤵
    PID:3728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.6.1946492010\2071811727" -childID 5 -isForBrowser -prefsHandle 4864 -prefMapHandle 4860 -prefsLen 26579 -prefMapSize 232645 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb96e1fa-696f-4590-8688-40666789520f} 928 "\\.\pipe\gecko-crash-server-pipe.928" 4972 1dfb0f2c958 tab
    3⤵
    PID:452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.7.970848104\766182493" -childID 6 -isForBrowser -prefsHandle 4924 -prefMapHandle 4864 -prefsLen 26579 -prefMapSize 232645 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3b36d4c-0e18-4c9c-b4fa-7a2e1cc05bb9} 928 "\\.\pipe\gecko-crash-server-pipe.928" 4944 1dfb293b358 tab
    3⤵
    PID:1816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.8.1031144410\1228152304" -childID 7 -isForBrowser -prefsHandle 5676 -prefMapHandle 5668 -prefsLen 26754 -prefMapSize 232645 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0067da3f-02d7-4df5-a13d-da3fd2d48c9b} 928 "\\.\pipe\gecko-crash-server-pipe.928" 5684 1dfac30da58 tab
    3⤵
    PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.9.430921580\1650630910" -childID 8 -isForBrowser -prefsHandle 5908 -prefMapHandle 5836 -prefsLen 26771 -prefMapSize 232645 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afd3bbc3-a85a-4a25-ab13-eef102cfefec} 928 "\\.\pipe\gecko-crash-server-pipe.928" 5980 1dfaff59758 tab
    3⤵
    PID:4332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="928.10.1226267769\964171643" -childID 9 -isForBrowser -prefsHandle 5260 -prefMapHandle 4912 -prefsLen 26771 -prefMapSize 232645 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7df4571-961a-4e7c-809e-7a24ea3431b1} 928 "\\.\pipe\gecko-crash-server-pipe.928" 5060 1dfad90d158 tab
    3⤵
    PID:5860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\challenges[1].css

Filesize
6KB

MD5
2c78b7f8fa496092bf41d5edd51611e7

SHA1
8b0b1b276e8194b0a5497db478ec2ea9b4f83c42

SHA256
2b0bd09c1cc7119d27e45353a59bf6c2721563e1689853ff704057a7439508d2

SHA512
53a7750ea46082968c2ec557857ad3975cddb0b45595259f0f3e9fc16360b87c5f257e058489ecaf80e61a97f92f1c5e34fa2f6fcfe922f4ae22392ffd75b4da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V6GB5GU8\transparent[2].gif

Filesize
42B

MD5
d89746888da2d9510b64a9f031eaecd5

SHA1
d5fceb6532643d0d84ffe09c40c481ecdf59e15a

SHA256
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

SHA512
d5da26b5d496edb0221df1a4057a8b0285d15592a8f8dc7016a294df37ed335f3fde6a2252962e0df38b62847f8b771463a0124ef3f84299f262ed9d9d3cee4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y624AVVJ\api[1].js

Filesize
13KB

MD5
83dbbe00f3d0cadee2c7bb7128dfc430

SHA1
22c9253023530e5243691926a5a85775aa63e77b

SHA256
38065ca232356314bc86aad8e1b1ad253d7b20a16bc6387d01ab225c29e86490

SHA512
9d9faaac7b1cbd3e4c029dc2c53dabd1c259c0a532b67ac77a91aff11bc8870b81f82d073876da78b96b7d5a73142d09758cc57876eafee9d89e1cd7aed6e0d2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp

Filesize
158KB

MD5
9d49289f8710326a74de5f80a3b37ddc

SHA1
0f7ec8160cfde87538649ea490d26848763512f0

SHA256
b8a6ebaf94e719fe9fd93c338e355d7e69d0e3c296c54bb633e1d8f84770179d

SHA512
1e418a3cd79a90766c7909f14615afb335b75f76353919671427b8c075e7c141808a2e07253a80ea82846e972af4538fa8fde1a6e360ab10e6b61b3816bfcc01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
83fa2b9432f763a1953f62f23d1bff92

SHA1
f3916b3f8838d361ef4d7afe321689c23e8d018e

SHA256
d09689702181012a5905840bf07adf29b650be1f9fb15fc824cef0ed3cdb85ae

SHA512
5cdcda4fcf098929c6d43b9737e896ac38a741dcf53961b91044d5c29e8e3189140ea92ee5fbf14784f90941c59f8b84c84c162e6e47c9e031cb2ef3933fcc0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
a06ee315012f5cc6e20da1faea2a8ef3

SHA1
0e1bb3c38b61556080451a50b85d9910c99368dd

SHA256
b3ac04bf95cd6131e608dc70e5709a694afb4fb9b79c3efef13c508a6ed94005

SHA512
b021819169978695f8631da6b0b91f199eb2271d268ce9f77bf01b680c5ae43f5e04f7552469fb1570fa7a7369d6b162b4fdd94c136adeecc061b43a3121ace1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
21c6d87b5cc2228b5f8357abc62aa411

SHA1
14cdedba68e9178acdfa51d05a4da100232c7616

SHA256
9543e8ccfce02755c4306d3c9fcd020dad08bc67fa71aedd49419525d869774b

SHA512
8f03426d2044835260fa0ccb53b95f1182623e37286ceb3ba46cdb7b45f899ab0b83b36e6d3132b0295a3c23c2697ddc17e3d440f03998c27e20473a6222fe02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
c1c03089c4e692ee647c35a11b4770ab

SHA1
31da3ae4f6e5dfafe945a276fd1b85cdb2255753

SHA256
c406518dc796947de4d928fc7a45893e9d14a6ac382a1ea16fbe6221b954df4c

SHA512
05dd64d0366237d0cdaff535f4f1be4ecc7e0af465ea2ae1dfe233e7c672361339b128399dd5d2cc883454df0d734c05a0a85a7433f8739c75ea97d861c8c1ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js

Filesize
6KB

MD5
9971fa8fa89a208685d3e30835832fb5

SHA1
5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300

SHA256
13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084

SHA512
02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b5b4588d76b45ce540150f957c8c7393

SHA1
9c597bc2ca82528f74370ecc5f57425039e03328

SHA256
18e874c2a95fc20f8379abe6d57f5ccaa2d8ae9e1dab1f23d95a523670d7529a

SHA512
5b78644837dcbe640637d0e581559a572f6a5610fb57545cca8c5ec70fd44516dfaafbe8aa93629794c29f6fe37c50e953e4135b7393947633f3c8e978d399fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
91dcb454f17b28544a1eb0317fd3cc22

SHA1
243c5f51c068dccbf7ad08b3ee2f2878762f5cc6

SHA256
d60dd4577b4da7ac32c0e2ad9e50567834f08788b367d5228bda634ec7d96c66

SHA512
12c1e954af1b086514ca7865d2dea1b090c51552e29b3a1ae8f398c45e8974de73b300db16d3dd2cdbd64cfcd9e67831b2ec56e033fe10cb2ec5a2ce7c8d68c5

Download Submit