hxxps://vk[.]com/doc228185173_661634627?hash=sLjfuikODHUN81zjVKvxpv3t5Kcn1wJ0xlwA3z8YCKk&dl=1wQi6KBbmda1RyhL93RmzTcXteZyKzT6qnHZE1cglro&api=1&no_preview=1#3314

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vk.com/doc228185173_661634627?hash=sLjfuikODHUN81zjVKvxpv3t5Kcn1wJ0xlwA3z8YCKk&dl=1wQi6KBbmda1RyhL93RmzTcXteZyKzT6qnHZE1cglro&api=1&no_preview=1#3314

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000040724f6557a614d9b83b8f7d77c685100000000020000000000106600000001000020000000d72f00ddc21ee668a55b56ea7ba9ca5d8b3db81510f1b030e94777cbca2aa9a8000000000e80000000020000200000009ab04208de2a10bf2378378d8d3f04146ae448bff5bcf01543b0484f24ac444020000000fbc25e520a8e631e86fb93151290ff0bfc59bd1bed2b8b9de27c0a91b77a8f3d400000007c29f95a7ab207ac1bd68debeb52fa93b68ae7b437990b8479bbf447b7de91ff7f853a6cb29bef565fef02b7e4a8aede59c0c8801e5e34c5a5b1f41691cfed40	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000040724f6557a614d9b83b8f7d77c685100000000020000000000106600000001000020000000b43be87f3e2e9f9fc5a38288598b9b3830866979ad2d1ebc7d6de7574a7f8818000000000e8000000002000020000000d3decd2522295d25d10e717c5ecceb8cdd8c80399e6555e14a8df7b6486d2a0120000000323b329b2a9a4ba62fa77f906463f614fca860b14742633aa6bd9e8f35d28cf640000000a02085b697117fa5a45783137b4bc32fa6125868ebf5ee5176cd3e1de1411a37454d95f69a7a7937bf4bc615eaddc19c7a1949f527e8b6e47471c54cea0e5891	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 804093cb9c9fd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "https://sun6-21.userapi.com/c909628/u228185173/docs/d14/cc522a0be19d/225.bmp?extra=l48NibLjQxaDK1O_m_6ui3_xqQQ0W32LcCnnUQD9rfOuXcDAlIzJV9DjFDo6adbWP1RcXeNTBi_YD8KVUKLRmirOnXvRHeNKK4TWTaHMapWRF-2UQ08rfo5m6-JKlrr90cYRpxXW88QjJw#3314"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\IESettingSync	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3365584302"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10afffd89c9fd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F3F8CA9F-0B8F-11EE-9F77-5603A1288413} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = e59304d99c9fd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3374647343"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0b776cb9c9fd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31039388"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31039388"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31039388"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3365584302"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000040724f6557a614d9b83b8f7d77c6851000000000200000000001066000000010000200000008259607693e9aa69534b9373ea40d0196355af6e2c8b49d31b0594fb2e90f8ef000000000e8000000002000020000000b41757e720554621b88c684c257f732ec82116f31e52e998b5dbd1ef74d7134120000000ab781b6d38eab180fe4d63f53d78c87d419222f03eb9aedfc759f3952e47b68a40000000703ab98018c94c0937323fbaa353a5563e7410e786a34417ad58034d35d0b5f5513782b95639c82cc33249fc9d764009fd9d8f39813f2c5d4852986ce6c24853	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393607315"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	firefox.exe
Token: SeDebugPrivilege	4468	firefox.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4320	iexplore.exe
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe
4468	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4320	iexplore.exe
4320	iexplore.exe
4252	IEXPLORE.EXE
4252	IEXPLORE.EXE
4252	IEXPLORE.EXE
4252	IEXPLORE.EXE
4468	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4252	4320	iexplore.exe	79
PID 4320 wrote to memory of 4252	4320	iexplore.exe	79
PID 4320 wrote to memory of 4252	4320	iexplore.exe	79
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4152 wrote to memory of 4468	4152	firefox.exe	97
PID 4468 wrote to memory of 2804	4468	firefox.exe	98
PID 4468 wrote to memory of 2804	4468	firefox.exe	98
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99
PID 4468 wrote to memory of 400	4468	firefox.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://vk.com/doc228185173_661634627?hash=sLjfuikODHUN81zjVKvxpv3t5Kcn1wJ0xlwA3z8YCKk&dl=1wQi6KBbmda1RyhL93RmzTcXteZyKzT6qnHZE1cglro&api=1&no_preview=1#3314
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4320 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.0.1862698333\1834170681" -parentBuildID 20221007134813 -prefsHandle 1824 -prefMapHandle 1816 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {202c9d73-ecc8-4307-adbd-1604be038a7a} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 1900 2a130290758 gpu
    3⤵
    PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.1.795078322\1366368942" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8b30eb1-3c27-4140-b23d-0856bd502d3f} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 2300 2a12226fe58 socket
    3⤵
    PID:400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.2.948526730\1697463004" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2920 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acf936d7-0b8c-4399-9c21-d3d6f5b91e4b} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 2964 2a132deac58 tab
    3⤵
    PID:2140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.3.1485617669\658941262" -childID 2 -isForBrowser -prefsHandle 1280 -prefMapHandle 1288 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d5ce548-6368-4a2b-9610-c953d99d3486} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 3552 2a12225d058 tab
    3⤵
    PID:2740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.4.1173630055\1958983815" -childID 3 -isForBrowser -prefsHandle 4072 -prefMapHandle 4068 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4761ce6f-4849-4df0-a784-515760b10374} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 4008 2a122262b58 tab
    3⤵
    PID:4880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.7.1544071080\1215839888" -childID 6 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {974ff5ea-e96f-415c-86a7-95c25a312579} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 5368 2a1355cac58 tab
    3⤵
    PID:1948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.6.1476912628\1755229288" -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64b40943-6840-4b21-b4a9-acdf03173433} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 5176 2a1355c9458 tab
    3⤵
    PID:368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.5.1787530531\1736009443" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 4840 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6348fcc-4ab6-43e7-a7cb-eccb7ea6be0b} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 5104 2a1351e3c58 tab
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.8.109174382\2106692368" -childID 7 -isForBrowser -prefsHandle 3152 -prefMapHandle 1444 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3788b3ca-2988-474c-a922-d5e09853003e} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 4264 2a132dea058 tab
    3⤵
    PID:3712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.9.2026913410\658779070" -childID 8 -isForBrowser -prefsHandle 4456 -prefMapHandle 5624 -prefsLen 26770 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b2a004c-581f-4ad3-a4f1-1dedfffa8e9f} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 5204 2a12f496558 tab
    3⤵
    PID:3324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.10.863446547\1744353383" -childID 9 -isForBrowser -prefsHandle 4996 -prefMapHandle 5012 -prefsLen 27035 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83646c60-83d2-4b5a-9bc2-d18341cdb3c7} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 5076 2a1319aff58 tab
    3⤵
    PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
82b6e24e9d7fe90d647b5b81389401b3

SHA1
51f3af35027bc77cf6912e6dd3d6cc3289c19c55

SHA256
3483fda8fbc0fa1d77780c1c46e372c3bc834a45b19d149d0dbc8c2fba26322d

SHA512
3454b31c7111bdc0cf6ec133ef1dd6755abf0b006f77341b904fbb8ad25a81b548accc510f1590c2a3955f5bf86f8b023404e1acb9d2b028bb29067848936f7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
534599fafe0d7dc2a8b227f6a228e091

SHA1
eaf11fd304748b1d7bdd05785d6685aca495c7c3

SHA256
1acc4f209370f879c148494449875ffb8362b1b7ea4a01cd76b9ee8e8f104945

SHA512
c6d80833b7a02d8ca5402126a3314132e6a079134332e8d2c88f079499526401192627d0322a82e7239f49932a504fa1992921d95d246f099e371dbe544354d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat

Filesize
871B

MD5
31c55e0b3f867162187983e7a467e94a

SHA1
cdc9ff9587bfd9e11da34d53ab88a9588c1e9b0d

SHA256
04e0fd6774cf200a99e1b56d80af03174a68268a777a85d32c748c652e1dc0e9

SHA512
58ebf4f459f5e37b49ad82388168ea62efcbc3acd9bd47233b24c1de9a0c9806d298e43fd014c70168c0c38d585314881f666cfb49d7c1defe9c046abf3a9db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\favicon[1].ico

Filesize
747B

MD5
2a7640af3049ac87ad304c6d06aaaeb6

SHA1
2928f8c2e82c8c5551e2e92d13015cba312c0e90

SHA256
f4988f116aaa9073b484b491a1a266606494157350d82ebf323a0cb862959d2a

SHA512
b9c7faeb1cffc9f1ac212070e3e7a1be073ec1964c50db5550b7870b222be850e45fe6dd6350e630348b55935e82229a348e6743193486f6fbd6c8dfccb86ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\favicon[1].ico

Filesize
747B

MD5
2a7640af3049ac87ad304c6d06aaaeb6

SHA1
2928f8c2e82c8c5551e2e92d13015cba312c0e90

SHA256
f4988f116aaa9073b484b491a1a266606494157350d82ebf323a0cb862959d2a

SHA512
b9c7faeb1cffc9f1ac212070e3e7a1be073ec1964c50db5550b7870b222be850e45fe6dd6350e630348b55935e82229a348e6743193486f6fbd6c8dfccb86ebc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
155KB

MD5
0b8ddc82a9d9957856d8dc6d0312a4b6

SHA1
8bba010e875c3c3d6885903ded54207390fad92a

SHA256
47e4cb518692503ebe1f43945dd7f5d12e6a48fe75569004e52fe8976a84f430

SHA512
d0166f0bcf94fa87512f57a8c4e859b53d021923ff64d5ddce6e0d6c6a680de440c8c75fdb941cb172175c5537be0ffec465c1c982cb19892ed2dddd1cbbc7a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\5811E00C1A6E7B83BE6DD256998C5C87FD613A64

Filesize
1.0MB

MD5
4e28a71b53b3d20a4f86e95a13c0179a

SHA1
bfc6f07ea6e71aac044a97d9969e01587c874b20

SHA256
c6024ba0eee3871cc342380ac81a8383fa71085de891649ecc01a82ff4a571e2

SHA512
56784b1792ab857bf9e63d53c122f8d8d7c6300f81bf9b4d0525de6c40bfba2781af87d8e459436688f348345d928cfaa186a9851fcbdd02a0e1c864cd60192a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\A49CDD69CD497EF4ECDDA0381DEAEC6BAD55F9B7

Filesize
171KB

MD5
2f70440b2bc3ce856821480647b880f0

SHA1
5b1305fb876c41c7dd8cd2c46f878998a2d488c1

SHA256
030efd114d44213a6d48d9d9b3f463ccf8f41314325672f19d97fbd330680a07

SHA512
31c0ba95b0f7b9876c7684fa0f07c41c45b00b759d91771813c4c2f40639798fd6987881bc47925e9d6a03fde59e119c25ab070494a962b9f259570781d9c0dd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\ABF8A18AC6094E0B3AB643A9375125F1422765F0

Filesize
414KB

MD5
5439d73a6c75101c4a32fd012fc1cef7

SHA1
635b2c5c861b8b897036c826d37baaac882e9f2b

SHA256
6c1680db1bb025420a69d573045f48978a3ef503f55de79f45adf170df2c963b

SHA512
76e1850e6877bc32966dd402a534f979ef92d3e14c9a8e4d82ca669a12553f6a0025b258ef82afd66e5f1fdc214e01d6598aca1de7d418fa18b17d225131b5a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\ED12D7B4C36F34C6081B3048A5F57601F018A306

Filesize
240KB

MD5
fb77691a5a4806ac3b7a94dc669becb2

SHA1
5be3dc68f19cd79f1913598a8bfb6ff7e0593df1

SHA256
d0a9d56cd36dd5a62b9f97c228df6a7877f0dd064a43dd0a24e21d2dfa122ae8

SHA512
d8d61959e90192c5529dec2c5759d02867751ff1d0190ca56707aab92bd4382fdc636342eb2b88e22b0ba161822b260d6a84c2ea575a5710ddc9f2246c937b3d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\safebrowsing-updating\ads-track-digest256-1.vlpset

Filesize
54KB

MD5
4f9ef3d3a71d4cb49e623e3f4b7b1162

SHA1
c2d65973b44b051d043475e9387fa7100514acbd

SHA256
48ae004f3c542ac764dd5a1e894918ec4b250b5c1f7209256c191cae13106b1f

SHA512
f7017204ad37ceedbff4e8b58ab4edac75748d2f36693e59ea9d9157f637d29b53c6405d994ac9fc62712f2574013e95c4817ff49229c78dcc23cac805b13ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF3175B9A30275F2BB.TMP

Filesize
16KB

MD5
5b16718ad328c383b2f2fd161a6a3882

SHA1
f7e0a740648ba6e1e0300c91c4a26e62081ba8b5

SHA256
63a91358c382ee3015c93eb45b4a0ce3220a87b4eb3b19184227d5bccd8b5f35

SHA512
1483e813870538bccd0a339b791dfeff47388d27ce4caa3e1a4e1af1a91237416b4c898fb1dc0bb2303616f4a6caa505fb795eac42fc57de9fa5866d7e0a11bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
6KB

MD5
042dfbf85fa46a6c314faa31c5f14aae

SHA1
7c7f1469a3d4ecbf64510878be52090c3dcf7845

SHA256
bea2fe6aae352f3ccae2ddb9a46f4f27955d410a0180e2e3b2b7743e9e2eca03

SHA512
693fa563e6a258c186408bd2731bbc546f8bd5d4161549e45145927bd52ba30b5494b7680cc6c19015b7e886095b449c02654e091ef297168b2dc0c8c949ba7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
7KB

MD5
1a40a48e1902a0e863a2f0c431a42568

SHA1
0dad37ce34f86d85ca563642b5ce7cec0f42d7ed

SHA256
66ba5faee76d4b1c46c6d17bdf2bb6b03c04a0089b7ebab3e512d1d340d13091

SHA512
51a73af6d2907300b39eaea7accb4d263cb2dc15a91934dcd951ab7d8e9dfcba6864420f77522fa8af6e296475f2b64627f294b3f89c34fc941f8827e0910fbc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js

Filesize
6KB

MD5
3425d247ab92b56037dffee96a90f15f

SHA1
e7b4d1f5da45d31badffa17b5bf2f7830b1122d3

SHA256
3cec81913a9a277e92a40661d7af06a7469f364467348c614a68cf041d0af025

SHA512
008cd2753f32167e9ed5d48e181bf9b964a6b4eb84fdfe1d93a602b9cae2dd3b4999b09cd87beee7b74321bac3886b8981bf6578b1363a333cea2fd2cc0f5a03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
bff5b9a11fc794a457c61f7369eb16f5

SHA1
de96b04505213ce4427c7567691dd2025a624939

SHA256
3fe7be7d432334b1801b6e8bf8b5158a7c3fb22955c24005d26b05b5232774ce

SHA512
e32d24f30f0f72077cc2b9bd0e2f8d81b4aef1a9eafe6a658edceb376b9c26159def007d755024ab735e66c97414b0a08f22018c4bc0452d2b539b7778db7b77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
999662f38e9f9ec35f2c77bbaf49bb06

SHA1
e033f06ca08c0fae49f61af82f64a333423ace2d

SHA256
d0c3f180074a2af01fe8e9fbe98d6bd12ecd234262a9b8b6fbda157d4d50ce5b

SHA512
7b05613ea17af36cdfed4a3ec54c69c58f5aa49e0150d2bdc6ac6dd16fafeaf718413d8ee3769e3569d632a2770c4cb1ed6058a1f64e044c313c8b8ec06772e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
5d58530ac999c03e0b20944be3eb9899

SHA1
2aad5c762ee3f301b4132c4d28b85cfd4dea8a84

SHA256
efda83bfc8d4e21073a679295c6f267d86881c5e4766e9835781052db1454b2a

SHA512
adc86f79db53d6cfe04672c3ceb89ea43a508480abac216b2fe71795150de48e269d17e6b4575caeeffbd3a1d26b5cc7ed9b048ef7df94fba11ae00709677791

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
19f54b822d5e7e79c9f55096efe85c6e

SHA1
598c5ac6e97bef10afef3fc243ff50063c4a4d83

SHA256
ec2fd69a6671656c5dd11f19abdbfeff7141ce77acf13271a83cb466d702df6c

SHA512
cead943be300f313758af417107da9aad1b047ffe9efc56884372a6521b7997ba8c14338f2ff0130576328fba8c192e4dd2f3d535851cff739926d4e11b515e8

Download Submit