hxxp://a7d70[.]invesmig[.]com

Analysis

max time kernel
121s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://a7d70.invesmig.com

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d8b573c9c3d4c47b15aa909e9d947bd000000000200000000001066000000010000200000006e181666c69b8a242e4863b3e148e6e4d8c1e958a43a4f385ea6561563acb016000000000e80000000020000200000003b689e5283b5acb5b0919bab8af6cafc467b283bef3684e6429976276075065c200000002ee2c3e0a6b02916cc8c2e7b7b0ba6143d0a8099a72ad76dd25abac9f83c958b4000000070fe81e5f0a128d4bfb9ef35da016e847a2a09b12b51e51992029c20478acfbbd650939b6a3ff8a8d6729e3dd59cdcb4297a16a59c68a705428d3946688e97a4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0003632E-05F1-11EE-9F77-FA48AF8140A7} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208aa7d6fd99d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3572406217"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31037949"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d8b573c9c3d4c47b15aa909e9d947bd00000000020000000000106600000001000020000000ae0da84c1ad390d2610e3692b36bd4f79ddbc42cef583ae9040b2d77efa0f63a000000000e8000000002000020000000883099018a9d0d4df6af54927e8318ca4f1f6707ffdb924c3cd4105dbbaac1ef2000000005be46c62f64c6c3ec5823a11d5ce69f1b2f9fd8c6025097197ab96cabd895cb400000005c3e6d99cd010984976fcc8148879bec62d020870d1a9ce7bb8af1ac0b08a9760f0e1fcb79acfd85f1eabd1ca48b37f062cd1eeddae661b249b8a355409e30df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3572406217"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31037949"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0a690d6fd99d901	iexplore.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1856 firefox.exe
Token: SeDebugPrivilege 1856 firefox.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exefirefox.exe

pid process

224 iexplore.exe
1856 firefox.exe
1856 firefox.exe
1856 firefox.exe
1856 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1856 firefox.exe
1856 firefox.exe
1856 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1856	firefox.exe
Token: SeDebugPrivilege	1856	firefox.exe

pid	process
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe

Suspicious use of SetWindowsHookEx 34 IoCs

Processes:

iexplore.exeIEXPLORE.EXEfirefox.exe

pid	process
224	iexplore.exe
224	iexplore.exe
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe
1856	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefirefox.exefirefox.exe

description	pid	process	target process
PID 224 wrote to memory of 2320	224	iexplore.exe	IEXPLORE.EXE
PID 224 wrote to memory of 2320	224	iexplore.exe	IEXPLORE.EXE
PID 224 wrote to memory of 2320	224	iexplore.exe	IEXPLORE.EXE
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 5036 wrote to memory of 1856	5036	firefox.exe	firefox.exe
PID 1856 wrote to memory of 1080	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 1080	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe
PID 1856 wrote to memory of 4976	1856	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://a7d70.invesmig.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:224 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.0.122748037\1157380414" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a16dab-fc03-41db-bd3d-032454a77c51} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 1916 1f2c99e0558 gpu
3⤵
PID:1080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.1.1538358615\1979281576" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddc0312c-9c06-4b50-a8ad-196e3d995586} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 2316 1f2bca72e58 socket
3⤵
PID:4976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.2.259559618\268179760" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 2896 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e5fe6d4-71e4-40ff-91a7-b3f2c4e7f1a2} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 2688 1f2cd6dd158 tab
3⤵
PID:3344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.3.1910194013\138424645" -childID 2 -isForBrowser -prefsHandle 2452 -prefMapHandle 1468 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e6dfcd3-ad7e-4b03-b218-a4e989a7710e} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 1440 1f2bca6ae58 tab
3⤵
PID:5020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.4.1426666134\834221752" -childID 3 -isForBrowser -prefsHandle 4100 -prefMapHandle 4080 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56e3103a-8085-4155-8394-9a158af5d239} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 4112 1f2bca62258 tab
3⤵
PID:5060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.5.1345271190\1859608352" -childID 4 -isForBrowser -prefsHandle 5028 -prefMapHandle 5112 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57006ee1-4e38-4a5f-ac7f-c59cf8a58189} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 4964 1f2cfd97658 tab
3⤵
PID:1712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.7.2038930647\2019976136" -childID 6 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {892209ae-f710-45a9-97f6-af66f4895a26} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 5316 1f2cfef5858 tab
3⤵
PID:2644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.6.1742750499\1792797647" -childID 5 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb6b6c12-be39-4336-b5c7-2a4b9dc4990a} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 5044 1f2cfef3458 tab
3⤵
PID:2640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.9.1600392554\1318111840" -childID 8 -isForBrowser -prefsHandle 5920 -prefMapHandle 5924 -prefsLen 26832 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f691480-6906-4c5f-8155-d01945f84c0a} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 5912 1f2d175e758 tab
3⤵
PID:4232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.8.368312029\1311998444" -childID 7 -isForBrowser -prefsHandle 5768 -prefMapHandle 5764 -prefsLen 26832 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {805e80fb-60fc-4f7a-a4d4-271d26f075ad} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 5780 1f2d175ff58 tab
3⤵
PID:4624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.10.1164885930\563935410" -childID 9 -isForBrowser -prefsHandle 4992 -prefMapHandle 6140 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d985111-21bf-4455-9829-7a44298f9087} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 6000 1f2d1ebbb58 tab
3⤵
PID:1928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.11.902272394\885071662" -childID 10 -isForBrowser -prefsHandle 3140 -prefMapHandle 2824 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ed10f20-707a-4765-8607-bc89f39232e0} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 5020 1f2c9c43858 tab
3⤵
PID:3060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.12.1052445265\1319628676" -childID 11 -isForBrowser -prefsHandle 3460 -prefMapHandle 5276 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {488da879-74a1-4a3e-b859-3dc8966b1faa} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 5000 1f2cf88a958 tab
3⤵
PID:628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.13.2028658546\222311644" -childID 12 -isForBrowser -prefsHandle 3612 -prefMapHandle 3600 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {051e7493-d1d4-4505-acc4-9a9f8fe23c6b} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 4512 1f2cfef5e58 tab
3⤵
PID:1044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.15.582505416\1326833191" -childID 14 -isForBrowser -prefsHandle 4784 -prefMapHandle 2796 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69223cd4-7b34-4218-8f1a-3e7b553368c5} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 4424 1f2d220fc58 tab
3⤵
PID:5008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.14.1598776716\1045223586" -childID 13 -isForBrowser -prefsHandle 4128 -prefMapHandle 4916 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29df6722-58d5-4af0-aeaa-51973f5b8be4} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 5512 1f2c9c35058 tab
3⤵
PID:4260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.16.1848100492\1509241684" -childID 15 -isForBrowser -prefsHandle 5884 -prefMapHandle 5888 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f0834f5-b752-4ddb-bcb6-0e2d3a064986} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 10156 1f2cc945758 tab
3⤵
PID:4744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.17.1981083724\1713965560" -childID 16 -isForBrowser -prefsHandle 6080 -prefMapHandle 6068 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57187084-917b-49d5-b4c8-169941a4faf6} 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 5904 1f2bca5d358 tab
3⤵
PID:5364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
Filesize
144KB

MD5
6bcfd483a00033703856cd39b38fdab1

SHA1
1f0034483bc49e430d05e11cedb78780d19e893f

SHA256
816324e5c1573314c4c38030f207a4ec06aeb5287fa345cb88cfa6b186da6621

SHA512
e0742bf0d144e9f7f5cd33464c4c50c5ba05846ae0d11a882638b69e2f85e0ff6296de1f90a4494fb9028c3cfb055745aee8fdc3261452310de9e995d3bb155f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\17584
Filesize
29KB

MD5
962307966ac8b3c8c72a728dabade50c

SHA1
fac8b9f71dce78a338ad35cda2148a64abf355df

SHA256
d760b8f93aaabe848f57473b7ad7cbde31850100f0814fb9e21bdc5568a341f9

SHA512
bae875bb21941f809719d0cb5869f922dafead4b4070235c7307ca693ce6d82d811a7662b74bfe43563dced160d07a185b463b21b2b4de4c166beda2c7c552da

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF6BC05F1C0848074B.TMP
Filesize
16KB

MD5
f3192847fb8da0a734aabb8d68ac7081

SHA1
e1b13a29ece636ba8ac2532775fac6909dbd8f77

SHA256
ec61b9c1dd00a560da9b9b41e2ba7bfda74dbce295ba101322ed28af80eebf21

SHA512
1219351605f0e1817364b7de1625973e308d8be8869841b9ebe6875a42675c811618e8492c2ece803b7924c5632f3566240c49509e3bce5413a2b10daaab4ba7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
e58c55e2c2a2127c4fa2bd62b39a2e37

SHA1
f06b8c7960dbc2253e8dc287c770a8df002f3529

SHA256
cec90c57a387f5ea37967ad8f9d5d4527423b74e89d124eac0be8a7073332825

SHA512
9d42ac68aaa1a2ab646f1797e82fca56e8ff9ab7fd928ca9b51ab5d78efa88394a4a73e90f176a4cae3f2ec9579bcb412755c5de090b250f990035bddd1aa6c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
a19fe15f9b04d66a9752e2d9d3c4f20d

SHA1
cdff5d6ae29d3009ef8591f68dfeb5338edd4d48

SHA256
6bf4953e8355d9d5a894e7065c1d902c0b4dc6f266ba902c3468975098d11667

SHA512
486088edb62af83e8ab5b52c3f89f369f8e1b08dc4e40165f2afedc1c9913a35f3348cec946b63b617f1c1a55e33ae426f9416b433fc0b4f1f0f2a346b7a9656

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
7KB

MD5
2d672ea685bb6df81aedcc58d4149f03

SHA1
9c111cc0f1a9394ba4f57763e7c2adb8ff50d360

SHA256
6e46b9baa43277ea9cf6e8c42c0ee612cf5bc47c72ca0cdf2ea3154a7dc2408c

SHA512
c790c03a8527eb95cd6170ba5763f5f05d2e71285d5cbf5ef405f213a6a4c96abfedf3dece5dbd3f57b7c9b296c6e61167a6ab71008777c8536afab2130e756d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
7KB

MD5
4ca13080c79c6c7c4340d9e8f249e8ba

SHA1
c5a987457f662f62f186079eaf6699f8c740130c

SHA256
98db9ffd8b9a027548cff206e7e0cc01777074269cb36384018ef8dffaf61bbf

SHA512
1f717603a3236113189b6b334dd4ab0cc8dedd6ac12974d55d762f3b59e9971968cd3d084b85ea1c7cfe13b2001863048641ab3dec86bf53acbcd1319b230b31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
Filesize
6KB

MD5
1984b45f201f1fd79d2154406648433b

SHA1
42f082dc6d4d43333688690bf4dfa7c7f8b618ab

SHA256
000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

SHA512
e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
1cfc8f650783cce65016bd85ac7098fa

SHA1
dc721bdee0ced49cd92643d33640e63060be1617

SHA256
5b7d7f0ebdd4a8c1a62e7aa381ae16cd5ccc611a0e8293bfd9444fb48c98d0c5

SHA512
bcc6e3960bd03ad300c4056ca15d88000cc5211a1cacc348fe59cbfbc08878b2de981d99f853acc03b180eb26215e8f77c9efa05505ea267e5019f4a983629ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
2ce076b476dedf6ea8bdbafc86549a46

SHA1
2a2d615d0ef30cf263ddaa6adc9348bc4306a667

SHA256
8527717b61864f74d7ffe886c200874e7ddde241691683cea57c69dda9cdf33c

SHA512
d8d839b86ba2335cdb1834f77d742df13ef668d97cee32b48911fed1e3b6d36fefe915dfebb5169d247f1739d7cf97060b21437fe228243a9fe902379333f53b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\default\https+++www.office.com\cache\morgue\65\{6e7f0f0f-df40-483b-905a-49daceb28341}.final
Filesize
72KB

MD5
69e55239522af5acb6a94aed214e232b

SHA1
3d4b23b7f8324f02ecc37641a826c557db4da608

SHA256
f19d83ac0555a08435c9bcf5d5e15c2b16e5bc34cfe513502bde35c48a61ac12

SHA512
0d7b192c67e4a1b5a6281a422f3ccdde43c4fc6e72146346ee8bc58d3a0c797b499e428797c976a5de8f66f2af77660bc1e613259c6c2ea50493a332a446a2d6

Download Submit