hxxp://8bakgznnxd64492bd7baf0a[.]iiubes[.]ru

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2023 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://8bakgznnxd64492bd7baf0a.iiubes.ru

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31038116"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{40004A73-0697-11EE-9156-6E21A4042E2D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "349965707"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "360558080"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31038116"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393060693"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "349965707"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31038116"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000084e15fe57ba15e40a7f6d85df2d7113d000000000200000000001066000000010000200000009532993d747580f8cfdc446cd0815909edcebd5fd92206f12a6b7262a87da33e000000000e8000000002000020000000bf1adb80e341b7d3f311e557f983e655dcba24f306db6c62188071ccef57dfe3200000002777b05579974a0b290ef983fe409133435e456b9ec58dff33871ea766db67f04000000083b50e199c59d40174aef5279c4c4ec3380008679444215ba54db26c73b62c739b92040bbe36df48edf800974e2f1a15b72b82efc7c62ce68e4f8d2410091427	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f061890aa49ad901	iexplore.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeDebugPrivilege	2960	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exefirefox.exe

pid process

3188 iexplore.exe
2960 firefox.exe
2960 firefox.exe
2960 firefox.exe
2960 firefox.exe
2960 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2960 firefox.exe
2960 firefox.exe
2960 firefox.exe

pid	process
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

iexplore.exeIEXPLORE.EXEfirefox.exe

pid	process
3188	iexplore.exe
3188	iexplore.exe
3156	IEXPLORE.EXE
3156	IEXPLORE.EXE
3156	IEXPLORE.EXE
3156	IEXPLORE.EXE
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3188 wrote to memory of 3156	3188	iexplore.exe	IEXPLORE.EXE
PID 3188 wrote to memory of 3156	3188	iexplore.exe	IEXPLORE.EXE
PID 3188 wrote to memory of 3156	3188	iexplore.exe	IEXPLORE.EXE
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 3488 wrote to memory of 2960	3488	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4924	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4924	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4396	2960	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://8bakgznnxd64492bd7baf0a.iiubes.ru
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3188

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3188 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.0.523351980\1319528432" -parentBuildID 20221007134813 -prefsHandle 1848 -prefMapHandle 1824 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecd1fe01-dff7-4d7d-82f7-d531aeb02cc7} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 1932 1e3ccbddb58 gpu
3⤵
PID:4924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.1.1951589090\957109848" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee5b19df-eaba-480d-8fc1-fd316ce679db} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 2332 1e3bfc72858 socket
3⤵
PID:4396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.2.1028272316\707678274" -childID 1 -isForBrowser -prefsHandle 1688 -prefMapHandle 3000 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9665087c-a3a0-49ed-a8f5-53d873caf121} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 2984 1e3d0a25358 tab
3⤵
PID:1096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.3.104185596\1881991914" -childID 2 -isForBrowser -prefsHandle 1116 -prefMapHandle 1444 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {090854d4-b477-4be3-944a-290993635c32} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 3588 1e3bfc70a58 tab
3⤵
PID:3748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.4.964016852\2014747366" -childID 3 -isForBrowser -prefsHandle 4064 -prefMapHandle 4060 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0699e53-f71e-4a21-94dc-7e80ad7ddbbd} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 4076 1e3bfc5ca58 tab
3⤵
PID:4496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.5.2001485723\1376920549" -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 5020 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ab7276-89ec-46e8-b3f4-39a97a38a20a} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 5076 1e3d3122f58 tab
3⤵
PID:2484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.7.833147566\233576823" -childID 6 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e13aeef-4476-464a-bee1-36fccab9ddc5} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 5320 1e3d3123558 tab
3⤵
PID:2112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.6.608827361\1959966463" -childID 5 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48daf86a-534b-4ff6-add9-901ddcf2c068} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 5080 1e3d3121d58 tab
3⤵
PID:444

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.8.187243444\1336711106" -childID 7 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 26849 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1a987a0-ae6f-4e34-b752-57855aec9725} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 5728 1e3d3ae7c58 tab
3⤵
PID:5448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.9.1396372966\699489558" -childID 8 -isForBrowser -prefsHandle 5868 -prefMapHandle 5872 -prefsLen 26849 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {880f8b5a-1594-45cd-841d-b17682fc342f} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 5728 1e3d3ae5858 tab
3⤵
PID:5452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
20e784043bf9dd5a4a234ce3703f825e

SHA1
178607f94705ec6161c2c3a88177ef6a5aaded49

SHA256
1455f3acd9f00c4a3d7fac6caf8566bdffb868aec09f86fea8acc17a525b6c72

SHA512
8ae93f0b68ee867a881dcac4628b8ad77c559925f721b46be904d40ec00f909916280057ce09cf8e28cb3eca938aab58d4e210f4c61e56e3443c3555e113f955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
40d43042a8d46861ee12ebe111761b9b

SHA1
0f8a236151a50cfce991e35eaccd2148430bb88c

SHA256
f2165b182e81514c278d8a101bf17be5ed3d01bda764af6cd976037eb68e6521

SHA512
2ea4e80edbf0716c9103a1783dec20e73aa942f4427170904e3e6aaf3bdd37823dbd23fd88bf7776fe9c5429a64964e8bbf278505fa97df60b94cf5a07d2fe47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H82VOZS\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JXO1ZP0L\api[1].js
Filesize
18KB

MD5
47d9ed8b2fddb896e78dbbb2d7e76c90

SHA1
8a69d2673bb54f4491c241a1d7efa686e6e9a817

SHA256
2760f96d3b7629100aee1cb3ec7c47a3b6f0dee1152c339dc91a6fd67cb87887

SHA512
8cddfd4a202ade0db43bad83ae16a5f62589188199caebec9816b191cc4474dc3804b71338b800acec54b002b78cffff1a167ba57a30a9d6fdfc7aaf2465ff6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JXO1ZP0L\transparent[1].gif
Filesize
42B

MD5
d89746888da2d9510b64a9f031eaecd5

SHA1
d5fceb6532643d0d84ffe09c40c481ecdf59e15a

SHA256
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

SHA512
d5da26b5d496edb0221df1a4057a8b0285d15592a8f8dc7016a294df37ed335f3fde6a2252962e0df38b62847f8b771463a0124ef3f84299f262ed9d9d3cee4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P8NMKCW2\challenges[1].css
Filesize
6KB

MD5
2c78b7f8fa496092bf41d5edd51611e7

SHA1
8b0b1b276e8194b0a5497db478ec2ea9b4f83c42

SHA256
2b0bd09c1cc7119d27e45353a59bf6c2721563e1689853ff704057a7439508d2

SHA512
53a7750ea46082968c2ec557857ad3975cddb0b45595259f0f3e9fc16360b87c5f257e058489ecaf80e61a97f92f1c5e34fa2f6fcfe922f4ae22392ffd75b4da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\activity-stream.discovery_stream.json.tmp
Filesize
137KB

MD5
5e746bd44b38c3751b06d10636d4a711

SHA1
aa69c878d1f6701eb78c9fbed9bb6e4b780b3fb2

SHA256
1c13e617a8d390e37cee0332f84750c53cf3ce4fb66d89f95578e7bdb8948df7

SHA512
e60f53859b5c606a78c79c57e83fa0af926c24c5c6d4a91811ef8beca63b0331adb75399d83f738b0ef83f0faf8575a6a7a73b82d745853e10ec7967bddac6ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
Filesize
7KB

MD5
03aa3b2d93f043256eb232bfa3da7f01

SHA1
a70db03cfd30ba1847744530925edcb6c2c25d2a

SHA256
f39417824ebbf4afd6ec8018e3631e67169bf486ac15ef76d5b1d44a152ec986

SHA512
863727bf26f2a8c74c7be8ec12f6af3b6686afb4f9b62d99120ec95a2578abd15a2df586058d83edfe8fe5be800f963583fc4e8ac33d68386accbcc55f743114

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
Filesize
6KB

MD5
2fdd34da78ae597cc669d5ad4940c7ec

SHA1
5e9949d01b90ba2806c02e6b97513a76dcbc6c51

SHA256
8632a1619dbf2dac77f9a0e92a5ebe74efd88ad75ac783801a97ecb9ca53dad5

SHA512
3709d8538c76aac99162f4d8ca7d4ba9fe5d599d59067d82a8f96e2d93de5e5ada4587f475b487a3a2e99c161271aa4637f14f74623485858782c42c5bd7de1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
Filesize
7KB

MD5
a594952ebc01cb7b8a99b198dbfc97ad

SHA1
6984c1be0538a220039be24017bdf731c87709b0

SHA256
cfbf57de4315439ce174a7f89d5a2859dc8bee679710e5bca8d089bab2dded2d

SHA512
b50c6f16b60cba6e5b4549ac376bf39516efd5f9eff5a3578bdbe56fa9426c3056d37008e585fc8cf385143fa3f14d9725ca3a91d3baa7b7bb4fae1fd06ddb1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
Filesize
6KB

MD5
3f7cd05f7cd16f1d3fad8b9b02d68c61

SHA1
86e76d7bfb0e369028ceba5ef2c5acb62979af12

SHA256
01367bb1315c405f8bed6b12f401a363a93d5e2d04b69c0f998284d9038e40b5

SHA512
4155215d49626235e4e844906fdd32c99a52ea36d489b16bdb0f1a9697408d76e1b5e83dfb3426d3bd8ee68d3bbd416b1dd7270831c06ed30264853deff2039e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs.js
Filesize
6KB

MD5
2ca68eec3c1fdbaa1ae996ee759fc3c8

SHA1
54363409a7393613ff528d0488d1cc16796ef2d8

SHA256
4fe10ac0c622a99629804d64c89b59339a12a63ffb0b56132bfe39ec9b25aa1a

SHA512
e2fdc625ee7d3e54c1cca72810eccccc3f493253319dad56693d77904692830302564897d7d9c33b876f645bfcd1a5498be9be81bb18932e3333d00ca3408c12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
2KB

MD5
8012e4cea690136a4c41828c589741e8

SHA1
14518d5b6722f23df979d3cf450b1d980b24b5cc

SHA256
30cf67eca4ef272e95e1d7a77d2b2e78c9a96aa4f7dedabc049aa5697a464b6d

SHA512
209e72dd4b456a21536c0e165769ebbee288c302341a4aab466c64affd8e1ce9b9ba2143b19ec6b1a2345f8c932f28e27ca594bf9090b0a7f73a4491c928d766

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
b8ab417b494da20d667071887bd037f7

SHA1
9fecd441c83f5856e1eef8e67ac1283e3fdd211b

SHA256
eeea8f1bb845bcfd8bf7987f66a682d6fb2345ae09bc60277a983983da3f8666

SHA512
8ddbc03d4f668bfa5a950afef77fcf4034843a8fb809c0eb681f3ef36e7d4357dc5905ea3948fd7f316deb5d2a7a8f0a27582d7ed073a19f6597ff9f03fd99fc

Download Submit