81c342e8068331e76a06110cef06a20ba89cbfef568cec01fb135686e853a2e8

Resubmissions

24-03-2023 12:44

230324-pyk41sed25 1

24-03-2023 12:41

230324-pwymbsec98 1

24-03-2023 12:38

230324-pt9a2sec85 1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remittance Advice 03232023.html
Size

5KB
MD5

64188af58348b05313dcc0b198a8851a
SHA1

7da5ede615f8dbab2c159aeea1319f671efd6b46
SHA256

81c342e8068331e76a06110cef06a20ba89cbfef568cec01fb135686e853a2e8
SHA512

74939fa11f76df9c53c7906be006e93e7f2b302af4557fbfd1512784496c53291e760aab75da471bc2e5accc03d5baf3652ac0fa0f2fd0229708600fc53e3d98
SSDEEP

96:0i7JbJ8JvqMJbUZJo7Ycjl1UJPoP/JCWBBoswQ41mYT2JcfIQKJejeJJ7ne18JOj:/tYvqI2o7YcEApCWBTv4Avcf5SeSJ7eL

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3494711507"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386430436"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FAC3A70F-CA49-11ED-B7D7-4E89871AD1F5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d00000000020000000000106600000001000020000000c8b2ffb2418966c17f9736c5d9b7956b3b26abdc103849c9423fb485f22b47a3000000000e80000000020000200000008275c5ad6c1828f938a845f2f40b01e5730235b1173767e439d0f8afbdb2a3d6200000003a97a0572b025153f567ccb77785652d7e3ca4389c585a0eaee26e9532206e1b4000000045a8b16a3bdf2e7bff3afd3ae27ba45b77450330185516522788ed7882d4ea29fb0f2cc35716bf8f3d1604ff32cf365acccf04d77c2482e19e1dceabf63019f8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3483211015"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31022678"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00487c1565ed901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b49bc3565ed901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31022678"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31022678"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d00000000020000000000106600000001000020000000c7b942c186bcbf66f3f4aae0e98b6331237c9dce1ef8fa26d60fe8ef5127b108000000000e80000000020000200000007475256ccfce08cf6b193bbab31f5540d90e237e33cd8c78fa9cf042634fb12720000000c09bf07ccf6943d2bb1959c024da989135793fc8251bd17743b46b168fb66fe640000000bcfa8a1ae077e430286d34cc2f444807de65d798798c93d0dcc5763f8384ee1a4b675d50fae76af7ef4d7ccdfea0934119c97b36e28ad4b3b0b27c58432c6f42	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3483221565"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	firefox.exe
Token: SeDebugPrivilege	4948	firefox.exe
Token: SeDebugPrivilege	4948	firefox.exe
Token: SeDebugPrivilege	4948	firefox.exe
Token: SeDebugPrivilege	4948	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3616	iexplore.exe
4948	firefox.exe
4948	firefox.exe
4948	firefox.exe
4948	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4948	firefox.exe
4948	firefox.exe
4948	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3616	iexplore.exe
3616	iexplore.exe
3876	IEXPLORE.EXE
3876	IEXPLORE.EXE
4948	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 3876	3616	iexplore.exe	85
PID 3616 wrote to memory of 3876	3616	iexplore.exe	85
PID 3616 wrote to memory of 3876	3616	iexplore.exe	85
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4524 wrote to memory of 4948	4524	firefox.exe	101
PID 4948 wrote to memory of 3272	4948	firefox.exe	102
PID 4948 wrote to memory of 3272	4948	firefox.exe	102
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103
PID 4948 wrote to memory of 4764	4948	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Remittance Advice 03232023.html"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3616 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.0.1192724671\1224800490" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {482fde48-de46-435a-8802-6cf0ceb552ef} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 1908 20775718658 gpu
    3⤵
    PID:3272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.1.2057152756\1113834482" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f225dfb-b1d8-417f-ae22-4532d4ab302d} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 2316 20767871958 socket
    3⤵
    PID:4764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.2.303095906\621403099" -childID 1 -isForBrowser -prefsHandle 3276 -prefMapHandle 3272 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4484927f-f884-4767-adf6-f888f5442858} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 3284 207784ed158 tab
    3⤵
    PID:4008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.3.1376464345\1695010986" -childID 2 -isForBrowser -prefsHandle 3060 -prefMapHandle 2908 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57cb403e-6155-49eb-bc2a-4e6be98c096f} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 1456 20767863558 tab
    3⤵
    PID:5088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.4.1666069263\735033496" -childID 3 -isForBrowser -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {458eb133-c59b-4483-a8a1-4ad010dc8e3f} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 4128 2077722bc58 tab
    3⤵
    PID:2000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.7.2082617079\1482992194" -childID 6 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19390c91-1a16-4e2b-8ed6-3f8221389cc6} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 5304 20778496858 tab
    3⤵
    PID:2772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.6.690211356\36060292" -childID 5 -isForBrowser -prefsHandle 4916 -prefMapHandle 4912 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a960612-0ad6-4bec-bccd-c37f9fe0b0e1} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 4988 20778495f58 tab
    3⤵
    PID:1416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.5.436628651\272213336" -childID 4 -isForBrowser -prefsHandle 4952 -prefMapHandle 4984 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64fe2d01-c637-4b8f-b138-30c347fb6c87} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 5012 20778494458 tab
    3⤵
    PID:1648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.8.1302167385\820319825" -childID 7 -isForBrowser -prefsHandle 4984 -prefMapHandle 4796 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {421a4a8b-928b-42f2-ad57-1022ab21c7c9} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 5800 20774a4e758 tab
    3⤵
    PID:5692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.9.156656185\126770695" -childID 8 -isForBrowser -prefsHandle 6000 -prefMapHandle 6052 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d5a0350-e537-440d-ac96-da1cf01c8c6c} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 5808 2077c221958 tab
    3⤵
    PID:5956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.10.583025720\1604859706" -childID 9 -isForBrowser -prefsHandle 4956 -prefMapHandle 4944 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f93c4948-8017-4419-a7c7-23e6a46fba76} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 5096 20774a3bf58 tab
    3⤵
    PID:5428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.11.209503888\790238206" -childID 10 -isForBrowser -prefsHandle 5244 -prefMapHandle 4932 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaec6aa1-b71c-4955-9ba1-018fa3c5f6e3} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 5988 2077ab27e58 tab
    3⤵
    PID:5388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.12.194260578\1543895095" -childID 11 -isForBrowser -prefsHandle 2856 -prefMapHandle 2852 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35217ac6-2942-4b38-965c-a27d46439941} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 2872 2077bfc0f58 tab
    3⤵
    PID:2612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4948.13.1903556765\1303663313" -childID 12 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28208547-565a-4955-936a-efe4e017d246} 4948 "\\.\pipe\gecko-crash-server-pipe.4948" 3576 2077bfbfa58 tab
    3⤵
    PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\challenges[1].css

Filesize
6KB

MD5
2c78b7f8fa496092bf41d5edd51611e7

SHA1
8b0b1b276e8194b0a5497db478ec2ea9b4f83c42

SHA256
2b0bd09c1cc7119d27e45353a59bf6c2721563e1689853ff704057a7439508d2

SHA512
53a7750ea46082968c2ec557857ad3975cddb0b45595259f0f3e9fc16360b87c5f257e058489ecaf80e61a97f92f1c5e34fa2f6fcfe922f4ae22392ffd75b4da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp

Filesize
158KB

MD5
88e867b9175c128e7880c92daa9a75b4

SHA1
900e6a767022f57ee9fc12ca2830ebf27683c671

SHA256
92cdb823774179d33d46127146c74b60337bb4c84725a2e542819a6b514eafcb

SHA512
0b4f3f48cdf59cdc8d73e8152022b35cc81caf4758375a2383ba47211366095d78093dbf01ad516809adb0920d4bcb86b50dc073e4f090e789633b9bf85bc9f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\entries\D5594A2648EECD01993B5C42919BA64ADBF56052

Filesize
14KB

MD5
07f773d2564b034d0cf5824d2da5a43e

SHA1
c90df74a6f9b037498527b9045ec0c981cc20bab

SHA256
5a38b1e5a5155070ec8a2312e376c7ed2bce0caef12544793a27ff38a316d59a

SHA512
1f468c07821960a7ba8a7b01934f0b07a1d449d40d134572d2cac63d3da6771313a6439c8282c34256d77361e591830fcaaf4a48113adbe07c67aab434874c37

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\jumpListCache\ciHnUTCEP4Hh7bWnXGJ2mg==.ico

Filesize
3KB

MD5
3fef9833539ecf7625989a1192319b16

SHA1
98a69e5e74479847a673c688e44a44a16ae87f12

SHA256
4428522c40ebb41bee7c71186c4cbed9c4ef97a435d795ce074895ae055267a2

SHA512
1d2a7d78a7af9a46f01f22315e374f6366ddfee46f26ebb15bb22198559b64a9024174f14d2630d150f802ced1e7bfbf3057fa06e6bf575e281bea903a99071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
5934d502f2556187b1fe361e587d2077

SHA1
3cad45c5b031998263f8f296e70fd790a25334a3

SHA256
849a40da0124dcc6b4581b27aba7752d2b4653086c729e23f84541f05885ffa4

SHA512
eba63ded29b7312864e3437e842292f8d5410ab75e1927243cde059902008a551171a539e91c89ee6596543faf4b7623edf83b719dbc4a991d0f76377aaffb07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
64888ba092e5845b183da493947d9059

SHA1
d825423f4553d86dca204679a0a95f6707a4a244

SHA256
051dba18a10d64abef16ad3a890cfe0b2f239fe2fd0a8e92f78d327dba2c7e52

SHA512
814dd66b149a39be3b075f9f367f5226d40e48f952e6060d347b015a922a05100d691564f86c31190fe66702ea952f06884e8c99ca64429d42076576979d7bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
f4b534014913aea39da1e1d17de7a9d7

SHA1
c9f5c1e35bec98db2f2d655fbb735db75260b322

SHA256
d2dc3bcc555e76c2f7241c6da3936a5f04bfb174cb56417156b452a0c7c62819

SHA512
06ec5fc6c91d381a694913d00e1ae64a63c744efe2dc64894413ccb94f275d3132f15db25b4433a9265c1fd93af4c059711110b96369a9fe84483381dd940945

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
7KB

MD5
e421af54cb16671f70505b77087da557

SHA1
1121dcf3be13583ea13d272b6474533494e7072b

SHA256
e5580cc34f35ddb00843435dcd996e2efd42b72b09373fb33013660bb8d54570

SHA512
3c9111bd12e88266e1fc3ef991c27472dab57aa37fa320b752dabeee7d97e397dd67a0484cb01b03b4cb1f1bedf8a03d58c78ded4696ae838cf5ee3f775bcbcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
8KB

MD5
be6944a97e844c3142708803b2fbee9b

SHA1
a9c91a330699f063e01e53e5d0ed9113a72feae8

SHA256
bbdf07b6f2613df7cf7370ecd32598a17ccc906f6f78486e53b6735dd7d5f869

SHA512
10ce2b83a22be4e646832c9da9978bb85146fe186ccb8b5d64e9640418450f7b67a4414a54478a8970f86f3817923f8add49adf3ba19f5135f2b7d0f1553d1c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
7KB

MD5
35edd03c23efcfc307b56ddc677b10c5

SHA1
c787ef76792a6af9481520950c73859ff543a5a7

SHA256
9697df9e13b33d7627ee246ca6d8c2d0f13179373e42cc56b1bd6fccb208a05f

SHA512
bc3e6dbf27188668cc3f4f8e5ce253475f2083424cd33942b4a53002b67ba8082b3a7919752a897ff5bb4d9483eadd174be9571788552529e8f1634c00ff5652

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js

Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
a6061af1154b6619e633dd2cc85f9518

SHA1
c234ebc353c79388995db86db71b3527bb4f04e8

SHA256
ad91e95c982dc0bb3826c08e0fc84744d29578606440ae9fb8faf63a57fa1b94

SHA512
6378ddf1d36140c0319458e9b71e163682df9af7c4af483feef3371b38c4fb61a61dcad80e739a7638009626c6b76050f6d135bac2f81313b052ed9a7227a3f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
8758628f62a896fd3b71bcde33eb400e

SHA1
9e15f873fc9696bacc692d66af30e9f9878e8801

SHA256
045341b09cf000f41ba0374ce50a33a34f06ed909019e006cd52226cc578d53f

SHA512
be1ff871fda90c3021c0f063597d517528bf7e9e817dfbca5d856667cdb49efdd3df26167a8892d5d75e064635736ba2ad12e26cf30d8fee22b683da0ba5213c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\storage\default\https+++www.virustotal.com\cache\morgue\122\{5bf5017b-6dd4-4058-96d8-cff414acd17a}.final

Filesize
41KB

MD5
63960ec6a4369289b7116a2393969f5e

SHA1
d56b8e2f4f0c3ca99aa64b1e4979160403545e13

SHA256
9eb0af0367167ddc1a4fa373e761e25a07f7fb9959baa3b352c11982a1cf5aa3

SHA512
dde1d81e07a8a4667dcbfc8a3447ed12acf206b4382294a225dedac828500de89dcbd93f8258bc6ab01f607b2cb4c1d423712eb84d8279ac1c6130a04930190f

Download Submit