hxxp://hxxps://1drv[.]ms/b/s!Aoq-99gL4W3jcgHeyjLFnt5tS-o

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://https://1drv.ms/b/s!Aoq-99gL4W3jcgHeyjLFnt5tS-o

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395730642"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31044332"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2317113318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31044332"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2329404878"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103fc08eecb2d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B59C28B0-1EDF-11EE-B699-CADCCB0AB347} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2317113318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31044332"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e70746b52f6804aba4142285479e7a8000000000200000000001066000000010000200000003869903e4b38dd229d6444c58940aa321d1ecbd0528e2167a919a5ed5416e3cc000000000e80000000020000200000009b537065af65bf1b2d7569f7612836190cbbe45e7bfc82f55b40c2c5eccdf15b20000000e1af3e808a1d1e5ac710fee173f0311d2c1130c94600d1af8f9970c3829b126840000000a3a782967779ae05e5a35d2ba711d64d3945f5d92278b58973b383a56838a2f9ba4745a08358f9aff3627105fe1ba6ad03fa1bd936b4a54674fd8f6bc34aab6d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8085cd8eecb2d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e70746b52f6804aba4142285479e7a80000000002000000000010660000000100002000000016ee79329be36fb9c5c18ca5875c753d429521f50253ea4897970c98bdcc153e000000000e8000000002000020000000418af10b7a472eb6eeb0204f11344447d864ceb655fb3f196baecd7a51c0375420000000eabaedcf33134908908c80adc671d5635c90763200814e56c3c1612124a23f9040000000d4b3cb3ddcf574873292b1be017151166b3240e48f00a2c0d4d91d5098e4ff0c05d0965b9cf4d1919918d25a0d02cab99349dd906f699cb942c26af8e02d8b4f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	firefox.exe
Token: SeDebugPrivilege	1456	firefox.exe
Token: SeDebugPrivilege	1456	firefox.exe
Token: SeDebugPrivilege	1456	firefox.exe
Token: SeDebugPrivilege	1456	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2636	iexplore.exe
1456	firefox.exe
1456	firefox.exe
1456	firefox.exe
1456	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1456	firefox.exe
1456	firefox.exe
1456	firefox.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2636	iexplore.exe
2636	iexplore.exe
4468	IEXPLORE.EXE
4468	IEXPLORE.EXE
4468	IEXPLORE.EXE
4468	IEXPLORE.EXE
1456	firefox.exe
1456	firefox.exe
1456	firefox.exe
1456	firefox.exe
2636	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 4468	2636	iexplore.exe	84
PID 2636 wrote to memory of 4468	2636	iexplore.exe	84
PID 2636 wrote to memory of 4468	2636	iexplore.exe	84
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1056 wrote to memory of 1456	1056	firefox.exe	91
PID 1456 wrote to memory of 4348	1456	firefox.exe	92
PID 1456 wrote to memory of 4348	1456	firefox.exe	92
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93
PID 1456 wrote to memory of 2040	1456	firefox.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://https://1drv.ms/b/s!Aoq-99gL4W3jcgHeyjLFnt5tS-o
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.0.96818661\1000810311" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0de949c0-6377-4c75-bc7f-24230678d2bd} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 1932 21dc55c6e58 gpu
    3⤵
    PID:4348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.1.565198639\742452735" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2292 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd00657b-a551-47f7-a531-44c29ae555e5} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 2332 21db8b70758 socket
    3⤵
    PID:2040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.2.2083878214\730732827" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3324 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d913ec5-6d7d-43c7-a2be-3a8808e94785} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 2852 21dc918ee58 tab
    3⤵
    PID:2632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.3.423746134\605105503" -childID 2 -isForBrowser -prefsHandle 3200 -prefMapHandle 3372 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b559b9a1-b15b-4922-bdbe-b83942774657} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 3404 21db8b62b58 tab
    3⤵
    PID:2388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.4.1160121319\1518458095" -childID 3 -isForBrowser -prefsHandle 3704 -prefMapHandle 3716 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1db6745-44b7-41ea-a967-56c12bbd7d70} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 3724 21dca131858 tab
    3⤵
    PID:4108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.7.299972396\1684090553" -childID 6 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fc2ecd3-1411-44f3-960a-6672442096ef} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 5272 21dcaf8c158 tab
    3⤵
    PID:2528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.6.1218909202\267695078" -childID 5 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {981c83e5-e732-43f6-b690-33aee398a8ca} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 5080 21dcaf8c758 tab
    3⤵
    PID:2100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.5.1487574058\1724928832" -childID 4 -isForBrowser -prefsHandle 4904 -prefMapHandle 4944 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd854c32-2710-4888-964b-49d1503ddabf} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 4940 21dcaf8be58 tab
    3⤵
    PID:2140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.8.323820569\1535070114" -childID 7 -isForBrowser -prefsHandle 4656 -prefMapHandle 3392 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5288168-2ba9-495d-a2f8-2ea41d109081} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 5780 21dcca03e58 tab
    3⤵
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.9.1252853678\1374026303" -childID 8 -isForBrowser -prefsHandle 5064 -prefMapHandle 4968 -prefsLen 27232 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f7c895d-0430-4338-bf09-f0dd73786656} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 5052 21db8b65958 tab
    3⤵
    PID:4216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.10.680612594\873111454" -childID 9 -isForBrowser -prefsHandle 5116 -prefMapHandle 5380 -prefsLen 27232 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c95829fc-352a-4190-9caa-c311edeada31} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 4148 21dcccdda58 tab
    3⤵
    PID:648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.11.114064436\641060358" -parentBuildID 20221007134813 -prefsHandle 6160 -prefMapHandle 6148 -prefsLen 27232 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac146180-a57c-4a8b-9e14-9a6f843dfd78} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 6172 21dcd4c9a58 rdd
    3⤵
    PID:4140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.12.1970450690\846882203" -childID 10 -isForBrowser -prefsHandle 6348 -prefMapHandle 6344 -prefsLen 27232 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b9d1f6-fd0e-439a-9d2e-2f3ec04db3e4} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 6356 21dccf9ce58 tab
    3⤵
    PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\92MHWCYC\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
144KB

MD5
0b9b9ff39abb152c4cedad16bc430537

SHA1
a25216b1a586001093ac020f1ae5d6846b0baed7

SHA256
97b6f5d01b8d66ff71e0d6b7cd03f9e781f2ae3719ef60db649d91b30c788f2b

SHA512
86bc5bcb931a78fb71e67e941beecfa787dfa6bde70016148bb9f729cccd3cd220c0596194901a65d07e04b629562c3ce0816a09f00049e33faa13fcf9efa7c2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\cache2\doomed\22241

Filesize
15KB

MD5
6e0c2638aeed7b200c46f63d013dda0f

SHA1
a5b68b80f10a7adf56d2ef35fb0219d45f0e1a9f

SHA256
3cc34b149200b458c836cd7ab1805e9e459af18e2dda7ef220b0c61ffa260086

SHA512
7b706c4ea700a76f3baefa9bdd74792e9c407db2b95e3f39265ec5a36ae0821b6925060369a57e5debfeabdc2c4445fd06cf30638af53d3943a89348dcac678a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\cache2\doomed\28950

Filesize
15KB

MD5
b269bf3178be4f48e139234117c331d4

SHA1
586f98d79573e1584d09a099c3e11b95e2edf6b0

SHA256
6606dc685b723d188dbeb213c934ce7487f6448df36010295927efd004158628

SHA512
5033d4298d9202062f9d8f90a64e958b8cce904c64b7b68f7c06a65c8e8ff24352f33a11b55c4720125816079f99acb05f7e40a3254805b74c4888f1259baf23

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\cache2\entries\118BB2BA245AAA64B01692DF29396B97E11FC1A0

Filesize
14KB

MD5
ce86f56dacc441beca7f32e821774335

SHA1
330a922dca3d1793d243f274ecdd81725fe8e907

SHA256
4cc4e408419131c8677bb09e4679e4fba75b097bca8ed9bd74d3166cdeeb5d44

SHA512
5f8f2c9677b5f7f4db2cf77828ed2c172ba8893b686d1a99cb3df06e6c14a571532814996d4347b94bcc79ef958b70505e50650585b5ab002b0f6ef46605c469

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js

Filesize
6KB

MD5
d67ea2df2626800e82685e8d9ebddd7c

SHA1
11738499d6989e7990725c52ca7545e499db8fba

SHA256
ba7034fdc240fc459f5710904d68495b0439c14215574e45f1096ccfeca0d8bc

SHA512
5e6ab7f25a9d1ef805afa2316eb1c0f847f36522172592c08834e05c5ea210bb7c174699fc5ef31b8d3df3bb9667cc8d3ec6db6fb32bfa1d2e2c96cb0d9207b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js

Filesize
8KB

MD5
5b12ef187db8324fdddf2bd0dbf91619

SHA1
11b2c78141b69dbc71bd868af32aa0a5ab9c07f6

SHA256
bbb7c5cabb3db7bf44812ce00be3fb1214474f5766d83519d9b957b3456f187f

SHA512
a7651d74ca26b15545dab5cc9cacb6e56529a3be08f7365fc5928b57b421f5cc284e1ff3dcacbd1dd0365b8ab38a80b7e7dabae51ae3f228aff6c4975fa28c88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js

Filesize
7KB

MD5
419acd554d7daac8921a2ab06ec8cac8

SHA1
9b7e43831500be4ff432c760f6d366af0528043c

SHA256
8ed384a86c9e17c1a09a451079e81f2cf0c5e33b89b5ab8fadff665523f0a290

SHA512
9546358e03580463fb97d3cc2a987b8555f28d928db841301d470b1d7e65c8a4c49a8dc82c27d801b1e6f127f65be23667f22d905ec0bfbf264e0824700057a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e02134f626deb378c518350e2d19d551

SHA1
d72f29398eed2c2e5ff24fdaf005f2706f86f650

SHA256
8c094e2ed19d88dbdc8368377a0d3f19d39d0d4f38840d5a2650f18ed0f87045

SHA512
607c132a40f13539c3eb1440c1bc3e8b869dbc5eeeffcc36a981007a3fae559252c491a48e29e5aed838ea164c0a25320f44d65fffa32646e5e4e05f9a879f59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
9fc6fe112912926db7be8db5fb5a7ac5

SHA1
fc35bc3037448d1d66db33ba20894554c6f97f7b

SHA256
10e3d2fd13f91629da96b5ddd1140effd5fda12820fdd06b017437548db37fd0

SHA512
25b4fa992db3c075c3313ed68e1c890ac68d533c663007f82f0f6584f876456504e6671b0298b5c8ebeb6802f6f3db6944b2c1e1298842f040bd70088354c6a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ae5bc00854e892440a7de92cfa90c6d4

SHA1
4ee84167cee05a96749865f85e29eb99f50840c7

SHA256
72fd8add9cb61f9f51f4161eec15a786806381a1ec3a9f7ef763e552b2c138ae

SHA512
7808ed920d34821187ab7f25cb846b36de6da0783e4944c4e62b05497bdfd6fb1e1f2475f0b4764f8a730561fa4bee260896f2fd84cad5761b2bb541f81f856c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
5e91ffee18c4646d24dd0a0529469c39

SHA1
6efd425debc729adac44bafab73d0f0d1a2c3e43

SHA256
20c79b7235fc5e278ae7df3b539115926bb72fdc095436b667525e4a079390f9

SHA512
2efda7353cca6c23f8fed88c9736abb4de84d1013865de9c301d0da74f96dd04327219ff6d441194cdb9da9578bcb1658e36581aa9b6ad3b5228732fc7a4a903

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8b23af8aaabf6feb6d4920e458ca4392

SHA1
1fb7682fdef4595775a28f4298afd88bc8330664

SHA256
e2c0159e94448df31185acc253634d39113ab112b723ec5c97f1a017bca85247

SHA512
390571981b9350a9292a815e93bc9fcc1aca8c47ebf82ab9274d77953f3fccb4f3cdbeb9dc00f103a00972aa8aad8da3fd0e5829ab6fe47277503bba1b7be6a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
4847932467cd8eb48c820c7766724cde

SHA1
99e357f7e8672ab9aac47c7240111d36a5614e88

SHA256
5fabf13d23cd158656777365c3cda85c2a90380294d64cdc09a7024012a5d318

SHA512
9b9022ebfec943a9b000ff3f35f384000066946581c9736d1d039d93c4937e2fdeb64cd36345160ba93f1294013feb039a54876eaae7747458a203cebafcc975

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
a3600765a5a0d6fd9186b089a0e2d3a0

SHA1
a1153c6e581f908c0b288af608222ba504cf03b8

SHA256
820624d534955a9c24d4a3c27eea84f04ddffc6801d0a19b16f8a940331aaacd

SHA512
993589fa51a628fd89ee0d4daa05fc4a8e8fb59536a241d5a2f4248aa327927b895c88d7f3fe953e556a3c81efe5f7402a4e88e24b7386b154620bc18d05decf

Download Submit