hxxps://streamelements[.]com/dashboard/sponsorships/offer/fd2cf216-0029-4a06-81d3-a2478b035ead?origin=email&utm_source=streamelements&utm_medium=emailsequencing&utm_campaign=SelfServe_InitialInvite_Version5_Raid_Option3_01-2023_EN

Analysis

max time kernel
94s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://streamelements.com/dashboard/sponsorships/offer/fd2cf216-0029-4a06-81d3-a2478b035ead?origin=email&utm_source=streamelements&utm_medium=emailsequencing&utm_campaign=SelfServe_InitialInvite_Version5_Raid_Option3_01-2023_EN

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe300000000020000000000106600000001000020000000ff3b7e43a39dd35203796d095a53b3f39f9b511116361deca670ec0dda15f96b000000000e8000000002000020000000fc89fb85e8da5ed1825d6244074e4288d12741138d2cb64a74e3596a2d4f14d7200000006b853fb0fa32adb9f2e93e4ecc830e8173ff57350ddadd5a9bd4a677dbf339bf40000000cfff2d645567a5d0ead794c7ae8fec4f370f51d3cd5f6b028e0976300351cb27edbb88444202ec88a8f3265f46942b86841ea974a0887f2c39e90763d2330a59	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b095e52e7465d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5653897A-D167-11ED-9EF6-7E7B9EA57A36} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0aed92e7465d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\streamelements.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\streamelements.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\streamelements.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31024500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\streamelements.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\streamelements.com\ = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "726258534"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe300000000020000000000106600000001000020000000a37f41c42989214a1f52e5ae6183326aecf54b86a59a89ff348ffc9525bae14a000000000e80000000020000200000004f62b4721ed7d22fa8b79cca3bca18f89dde7ab2aa5460e666295b1096aa75c820000000a3db25db00738822dc4382040f2be9ad318e9bec1cc0e5cad91d18d2bbb9f4284000000076feafdbc650c72387ca26fc453e8e26ce5e568365708cd04d551b78495bf3213671213a5b4ed0591bf1ac9d21a400471a7d12425ac10f8077fdbff880c60244	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "726258534"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\streamelements.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\streamelements.com\Total = "20"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	712	firefox.exe
Token: SeDebugPrivilege	712	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1448	iexplore.exe
712	firefox.exe
712	firefox.exe
712	firefox.exe
712	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
712	firefox.exe
712	firefox.exe
712	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1448	iexplore.exe
1448	iexplore.exe
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
712	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1712	1448	iexplore.exe	83
PID 1448 wrote to memory of 1712	1448	iexplore.exe	83
PID 1448 wrote to memory of 1712	1448	iexplore.exe	83
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 3884 wrote to memory of 712	3884	firefox.exe	93
PID 712 wrote to memory of 3620	712	firefox.exe	94
PID 712 wrote to memory of 3620	712	firefox.exe	94
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95
PID 712 wrote to memory of 4652	712	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://streamelements.com/dashboard/sponsorships/offer/fd2cf216-0029-4a06-81d3-a2478b035ead?origin=email&utm_source=streamelements&utm_medium=emailsequencing&utm_campaign=SelfServe_InitialInvite_Version5_Raid_Option3_01-2023_EN
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.0.385509917\1706620336" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {735548a7-9fd9-47a4-b946-48776c323ced} 712 "\\.\pipe\gecko-crash-server-pipe.712" 1900 1f54fda5e58 gpu
    3⤵
    PID:3620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.1.363548034\1606981773" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99820a30-9159-4f7e-a27a-ae10f4852c8d} 712 "\\.\pipe\gecko-crash-server-pipe.712" 2300 1f541d72858 socket
    3⤵
    PID:4652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.2.930258241\1526577643" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2988 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d8cd100-166f-4685-a09a-ccd7ab122776} 712 "\\.\pipe\gecko-crash-server-pipe.712" 2964 1f5528f2458 tab
    3⤵
    PID:4836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.3.1614402637\1807619826" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3220 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bbf9ae1-5d0b-4ca4-a5f4-a798ac4d8884} 712 "\\.\pipe\gecko-crash-server-pipe.712" 2440 1f541d70158 tab
    3⤵
    PID:736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.4.966278041\1161446822" -childID 3 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aa706a8-cb56-4f63-b88f-bc9053fad8d6} 712 "\\.\pipe\gecko-crash-server-pipe.712" 4132 1f541d62b58 tab
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.7.962016462\1065191909" -childID 6 -isForBrowser -prefsHandle 5336 -prefMapHandle 5340 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf4f6800-0723-46f4-a932-5489b68a6375} 712 "\\.\pipe\gecko-crash-server-pipe.712" 5328 1f5551d2158 tab
    3⤵
    PID:4252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.6.1883438008\1405273691" -childID 5 -isForBrowser -prefsHandle 5144 -prefMapHandle 5148 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c1eab53-2e63-46ae-a283-994a3f074309} 712 "\\.\pipe\gecko-crash-server-pipe.712" 5136 1f5551d1558 tab
    3⤵
    PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.5.521559388\1097055939" -childID 4 -isForBrowser -prefsHandle 5056 -prefMapHandle 5076 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfe3c283-51d4-482b-b82c-b4893bfdead1} 712 "\\.\pipe\gecko-crash-server-pipe.712" 5060 1f552876358 tab
    3⤵
    PID:1104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.8.1272146160\1136227126" -childID 7 -isForBrowser -prefsHandle 5048 -prefMapHandle 5848 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c353e91-93e8-429f-beb3-1cb0935d8336} 712 "\\.\pipe\gecko-crash-server-pipe.712" 5860 1f5570a6b58 tab
    3⤵
    PID:4424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.9.1517078692\1274391096" -childID 8 -isForBrowser -prefsHandle 3604 -prefMapHandle 3612 -prefsLen 26755 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6985c56-805a-4fae-9da7-62e72acf3f91} 712 "\\.\pipe\gecko-crash-server-pipe.712" 3540 1f551289b58 tab
    3⤵
    PID:2616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.10.1437504356\330903723" -parentBuildID 20221007134813 -prefsHandle 2436 -prefMapHandle 6156 -prefsLen 26755 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfd88b6c-0502-4aff-a5e8-1d03ee86fb50} 712 "\\.\pipe\gecko-crash-server-pipe.712" 6264 1f552a93858 rdd
    3⤵
    PID:3444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.11.1489390497\1033272998" -childID 9 -isForBrowser -prefsHandle 5032 -prefMapHandle 5024 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08ab47b2-9789-4670-83fc-3953bd4b8077} 712 "\\.\pipe\gecko-crash-server-pipe.712" 4708 1f5557ca558 tab
    3⤵
    PID:736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.12.424963345\2079369294" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 3612 -prefMapHandle 3268 -prefsLen 26930 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1ca0fbb-69cb-4eaa-aaa1-f4e063225ee4} 712 "\\.\pipe\gecko-crash-server-pipe.712" 4488 1f5518c2258 utility
    3⤵
    PID:3772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9cae92cd10c808776c6c5bdc06b1e94e

SHA1
41c61f2ac2d1ad4680e70a5299e5b90465edb55d

SHA256
39da043a7022ce176b387cac9ef8c4735eaf8c69fc0c303deaacdc232ee73181

SHA512
6349fa3798e5447cc38c7e35ec3d33e355112f6dd191c0d0f185ed70157323176cacd129ae06e3491f402626567746b21ea5d31eb318b565d491a5abdbb394c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
1c840021a87f0f1c2a6a85f9468119e5

SHA1
94fcf3bb3f98a7c93f3ce6fefb2ce546d5c51652

SHA256
f456d5e69169c4995adf57e78965ae778b0cb3e9a61ef97a4feefc90e2e718ea

SHA512
908021a41167fe101989a8da411a9cfd40367a7c9680557abd683cf4a2cb03711b0e139e1c752d161b918b3e4b42f7f5f648a63899c2c7f2973e95abd8c13d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\feo4h2u\imagestore.dat

Filesize
5KB

MD5
213ea74ff74b1bf851647a70427a53de

SHA1
bcec1fcc12d6732724944defa5c5b8181e54f5a0

SHA256
8b5d9f10d71c9a54d0c517d1f91af8d01ad0aeae63c94da36656c32330add206

SHA512
ef334e04e1621735a47999ec0ee3ff413b3afdeb3d41e494d764b66a9c213c422ad1fb1b6fe83bacb470cc789c237b14c2fe35e8643b227c6fafeba1cb59aebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WPCK8CWE\logo_red[1].png

Filesize
5KB

MD5
1e74d0b77a39115a306bc02e52bcb349

SHA1
ad555015234ec650b2c220dea9613d65055567f8

SHA256
de27e301f828439d42d2f0266765bf8deede7ae2fabb2b9edc4577c4bdaa8cce

SHA512
bf44a36bc173165e45b160cee3161f8ee31267bb872e35a042d60eee59801994dca8d1d295c911d9bdbe072ad6002b8755efc4f692be67beba2d30e13cfdfbd5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
158KB

MD5
66fdab3fc4c9b9b60377f4600f801e4d

SHA1
c5190e7abace29495c1759165c66d49d73599554

SHA256
9984c10319f5c65d401a0ec42d5f7be724c50491d7c3472b62b3a2dd14166551

SHA512
69b62414c4e3196394986b73f0341ba2a84722020daf07f976c953668adc53e09dd5b63d78c1ef8aef25550b118e52c6fa6393bdefff92f91974b4fa0757caa3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\13920

Filesize
9KB

MD5
5279321f675284bf1e19bebac28588ab

SHA1
1dd4463cdbf5323a0818d71a53834944fc48e769

SHA256
8701cd887f0e235aafbd1c954d17e78db4796f099c3df1f580d1a1eb8a0b78c3

SHA512
6ff02a262924d74196cf5ebe3841760acd7035f3dea7eaee74b874cb6641d5e2f7f03c51caeee212396aba84531a9e47e8017eecbbb4bfba76104cacdfe69317

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\1938

Filesize
86KB

MD5
fe5f2d24fcc7a0a88e9508e8b4bcd435

SHA1
e98724ca1b4df2bff8f670475d1dc20fbe6c4626

SHA256
758ba0abbf48667e6be944e3b415e01269dcb8f635243c49a94378f661e1ff65

SHA512
a71d7a58bccb9dfcd925d703b80f2b02521e488c909ab7d5ad293154224e14d7342e7aed7d91e8d19a2f8b712264c9a9cef1aaa7aa09851dd305c626d93e9a1f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\26108

Filesize
118KB

MD5
f9347d642480d768fa196e924d29e976

SHA1
bb1ca8ee06ef118dbbec2fdcede6cb9041e5e12f

SHA256
56ed28b71f8bf397239191d6317267d4dca90815aeea3b54795abd542620ab77

SHA512
194f48d9ab3eb90fed8a4df72026b560fadc8c82fa584ada92325c2aea17049b7e25e4a18944f2b53124fddea1b202fd853759f0adb91f4ffd167d0e9095b8fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\27207

Filesize
24KB

MD5
74073b519bccfcc10eab550cda1832a5

SHA1
13f97fe74056ae3b0c16bee20b1bf1da853a8da1

SHA256
9afa7f34969c4437c801955593f9f51c1ce507df111074998165f53aa5b507e9

SHA512
bbc91aeb7bfe144de48de91655a269c1193e60091b48ab53dae82ae4fd70ae02bfde1ac57248ebe5e1aa6d2373da826b2c3b6d7c1857fedbaab9bf668f7d8076

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\7276

Filesize
38KB

MD5
2149c16baa650d6f94c54d79af05ef47

SHA1
55f6c46052a46853ac8a8dd2294c5a19ba8ca873

SHA256
79049535a634c6fcf841c5d0679af6c707f24192270a0e8c31c2fd2a85046ed8

SHA512
308e835b38b981c50b0e9cc751717a5220dc4d9c3f5742701fa83929cd28324c3017a746ded1324d410511942cb4a1e4e4c8f6cac27c7df5030187d821edb590

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\9846

Filesize
16KB

MD5
6e11b4045e8fc314eb5e5c5e93ccf7da

SHA1
5ee450e27ca014412bc683305e2009d156c58e2f

SHA256
02836511dc980adb9949d94ca6c3e755b134b66077117dfb6bd769663a8ddfea

SHA512
74d8c50db00540ee3af504b99265cce1ce20b6e89f8a0050c90906c6edcb27e83fc9d16e983ac4f38ae3b787f5d505c580f77eab97f47eb2533bc364d5b78320

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
1.1MB

MD5
89a9f953d4aaea6cf6f545f6618dec1b

SHA1
e5c2a9edcb741e02a2310539d98ca3f33c2ccf07

SHA256
1cfd69082d91655d2f28d68aaa32a63a862880a2110848603737987f1b7c4023

SHA512
0c8a7c6df328e21f47208a374df77796bbf6ca2294f905b3ef717b7d7038f723a79ebcd1647bdb1e3f701f648b8ef590e124cf1934d8303d2370d1aed9a8f941

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF7163C119E5BD2A64.TMP

Filesize
16KB

MD5
3d6a636805cb2d2b69411c8dc4f95770

SHA1
9b811069711138e173bdb0c0f3fc2d5be5964c74

SHA256
27d87de08fd8f3c3f74c7a300c16c544cc0af0e4be7fcd091759f03a0e06476a

SHA512
fd8936f4a551d2dc57e6845135a38036718df492cb6288184b1adc8970e012d3e1c49fd0f6e51096009747aa5a6492ec82950bd75d7a889d789a73ec73302967

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
8745583c82889c36a7ffba385ae51ad1

SHA1
e95d7cb681feab39ebc1e75bfb7780dd774e7aba

SHA256
7a24a7b261bff86ba076ac9bace111ba0633ba9cfb33635f21b03f799f6256b9

SHA512
a04dafa317cc6842fd3ce13c6629be14d4bd6bdfa1761f4d9650565088011b61f6ead76bac54ab0aa3aad23d830e442056ad2b939cdc50b7e2c57933330959e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
5b587e91183f8d5e024023d86433e917

SHA1
d510b6fdc4e3f437269d33fd37ef64b463d92346

SHA256
fbf061d99e479f18653dc99a5870242370f909a91d5b122a1d31c3322bd7a725

SHA512
ea82089a92ecb35b8ad0983c9bc74e5a456b6172d30b048b9fa5919be202b0fc758b4d266bfe55039aa93cf32c0131832d58abbe4951456eab6057b70ffdc78b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
6dc00352465a42a45588550a7b11b6c3

SHA1
a7206bc5324fe54f8cd8e341b4744457f7c35151

SHA256
d482b4be9b0578e0e82df61ea1d8a0d051ec4e6eebbefd15cdb029a5a26ccb2d

SHA512
8919c706a6e352484a8240e54c16d79fafa8dbe9f61e4018dba39cedfbe50f108e7cb7cc039bc4159ac2c9ceed45a13029021d09edbdd2a25000f95e20f55aad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.js

Filesize
6KB

MD5
feb8a52858c8167a58f36caa1b37f116

SHA1
7ae7f9d2721ae3c579f9e18e4fea679e8c848158

SHA256
adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a

SHA512
109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
833e33ac0db8768ab9809fb3bf6b3f96

SHA1
cacbeb35232da35404056efb6a10a81e801cc09a

SHA256
d4c81155252b59bd018548d92287c06b04dc73d1462af0992feed0c64eaa9997

SHA512
ecd14ebfb7dcd64ee6d11b6e7288bd02853136ba101074b7833189c222d096a5efb97a6866b101b1e4231d4058f624381cfd214df76741e87f9bd49aedeb89e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
e7249d517d5e50be58851150f89b13c2

SHA1
d4ec15d0d4eb971b0ab573b763a0b6c647225f19

SHA256
92060188450ac496afc9f571be3dc54e5f478760507de131d2f1755dcf4765de

SHA512
e53c6715d88826604a1f1cc7b08577f710b2e75f1204ce340e2bb3c776e98a450cadb3962a13df6197ec56e7ad126743febc2e1ca72b7f0de654bda48bb0bf91

Download Submit