hxxps://show[.]zohopublic[.]com/publish/t61di8e1ddc3fe73a4d36a787198539bbd979

Analysis

max time kernel
150s
max time network
162s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
15-11-2023 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://show.zohopublic.com/publish/t61di8e1ddc3fe73a4d36a787198539bbd979

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31070188"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4E05CFDB-83DF-11EE-910D-7E69049F2BBD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31070188"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "578063479"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "406852129"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "406884120"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406835535"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31070188"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f7dbaddc96ae614db7c6f31f334df0fd00000000020000000000106600000001000020000000fb1148bea0200c1fa97a7d6e63cd7c05879e58b9dbafea9984a066e8f6c0ab93000000000e8000000002000020000000ca1482c96b1069d6b275044c7bb262409436cadbb571adb2edc13ac1ea7402f9200000003f5a33c407c71e1a602a1eab6075ac699d7371e7deee44bb85fd0ee319fbee094000000047f0195faaa867d9b575cb9e7a6f0e57d02abda63d5c55da9abcdf49c03670927cfab76ef76d8a3a7ff9445aa5d57a86a5b612e9a6ae325ffd83ed530fef5ed3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31070188"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90bb731fec17da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31070188"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "800767633"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "577751153"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "577751153"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "578063479"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3976	iexplore.exe
3976	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	firefox.exe
Token: SeDebugPrivilege	3204	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3976	iexplore.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
3976	iexplore.exe
3976	iexplore.exe
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
3988	IEXPLORE.EXE
3988	IEXPLORE.EXE
3988	IEXPLORE.EXE
3988	IEXPLORE.EXE
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 1492	3976	iexplore.exe	71
PID 3976 wrote to memory of 1492	3976	iexplore.exe	71
PID 3976 wrote to memory of 1492	3976	iexplore.exe	71
PID 3976 wrote to memory of 3988	3976	iexplore.exe	72
PID 3976 wrote to memory of 3988	3976	iexplore.exe	72
PID 3976 wrote to memory of 3988	3976	iexplore.exe	72
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 4812 wrote to memory of 3204	4812	firefox.exe	75
PID 3204 wrote to memory of 5108	3204	firefox.exe	76
PID 3204 wrote to memory of 5108	3204	firefox.exe	76
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77
PID 3204 wrote to memory of 4088	3204	firefox.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://show.zohopublic.com/publish/t61di8e1ddc3fe73a4d36a787198539bbd979
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3976 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3976 CREDAT:148482 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.0.988424763\409444331" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1728 -prefsLen 20858 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c34f149-604a-40d7-8327-2e02c658ba37} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 1812 273140d3458 gpu
    3⤵
    PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.1.1396858896\832879454" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20939 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dac36a8-b147-4047-8b4f-bde84ca11dc1} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 2168 27301d6fe58 socket
    3⤵
    PID:4088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.2.1763817605\1790665605" -childID 1 -isForBrowser -prefsHandle 2748 -prefMapHandle 2980 -prefsLen 20977 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {beb89184-2f30-4b13-8152-6aa0bbd2da9e} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 2772 273183ae258 tab
    3⤵
    PID:424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.3.955936795\2115224576" -childID 2 -isForBrowser -prefsHandle 3384 -prefMapHandle 3376 -prefsLen 26402 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cef5fd0-b165-462a-86f0-6f6e18fa0a10} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 3396 27301d62258 tab
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.4.887256963\1123008537" -childID 3 -isForBrowser -prefsHandle 4588 -prefMapHandle 4272 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0607095f-5fa8-448e-8f0a-deee5ae103fd} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 4592 2731a352558 tab
    3⤵
    PID:2676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.5.714179727\1083963358" -childID 4 -isForBrowser -prefsHandle 3792 -prefMapHandle 3548 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c76d29fc-516b-4b95-89ac-7740cb52c31e} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 3384 2731849bd58 tab
    3⤵
    PID:816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.7.1114073864\1388242545" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5412 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa146629-05f1-4f7e-862a-a04fa9bf7906} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 5424 2731b44d558 tab
    3⤵
    PID:1300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.6.868205166\82580778" -childID 5 -isForBrowser -prefsHandle 5144 -prefMapHandle 5148 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c72b3443-5f24-41b9-86e1-d3f7fb8f3653} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 5136 2731af19758 tab
    3⤵
    PID:2836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.8.692179024\1242969467" -childID 7 -isForBrowser -prefsHandle 5640 -prefMapHandle 5632 -prefsLen 26540 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36f96490-bf14-4a10-920c-8bc879cabae7} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 5648 2731b9c7b58 tab
    3⤵
    PID:3852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.9.362037496\2063336440" -parentBuildID 20221007134813 -prefsHandle 4732 -prefMapHandle 4648 -prefsLen 26540 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {659612ee-781f-40ef-bbb4-6171aba1a5e3} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 4720 273169a8858 rdd
    3⤵
    PID:4048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.11.642534702\713110272" -childID 9 -isForBrowser -prefsHandle 6084 -prefMapHandle 6088 -prefsLen 26715 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9665533-bdce-462a-8889-ad88b9cca210} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 6076 27317436858 tab
    3⤵
    PID:5680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.10.1283514612\455381164" -childID 8 -isForBrowser -prefsHandle 4428 -prefMapHandle 4424 -prefsLen 26715 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73d7b343-75f7-41ea-bd49-5c7663f9ab97} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 4420 273170d3458 tab
    3⤵
    PID:5672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.12.1148346762\1980615975" -childID 10 -isForBrowser -prefsHandle 5516 -prefMapHandle 5352 -prefsLen 26980 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bdc6972-322a-48cc-8f40-a8b5d2c7c667} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 5504 273170cf458 tab
    3⤵
    PID:6028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
d5054ae543e730a59dd7529cdf3c6e27

SHA1
2d9dc9501b209f05c71dfb52d9b54812cd5b4279

SHA256
6c81ff970465fc4da99b5b0c189411743964ec57d196d5021d22d9be0fbac34d

SHA512
c05b497eac0c9d5c81f72da6d04e4d45bad8c4ae6a1a7d53d91cba4e19a9e06ac386b390b333aac190954658a3283d6760c1d2c1cd5f824d26628fea98a0e5d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1871FC0AFDC93392BC6E9F37BB853CBA

Filesize
471B

MD5
0cb4ffc85c8d6a0dbe8424ea62d10448

SHA1
04b7093a8f58a990204579b81b6fbbe53779cc6e

SHA256
cc88ecab602e19d26d0d2e314e32b2b8656a040b0dc12a7ea87700e2d08e7551

SHA512
83c9b6410a4e612b435ef3356896cf244085f0d5c3f67d8df5e31d7721dd056f9340e47a729ff847c6b8155c4d94af154aca27f2621988f560de783efc0c2c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2e57fd32f357c037e8248d353f61a241

SHA1
b7e741d41ca04caf06a71d4bf2f11aa693128d96

SHA256
3528b2181d9d044ff8f6f1b76299ac46be573295987a07fb6d839bdb7f822862

SHA512
5fc3945b317447907642aea4bde8d8b06f8e049359c16b837eba5b78b26d7b712d6a68e9ca2dfd32a4f4d57dcdef29f9d8752f584191074423bc6058e4aeab1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D95897EB3E20654975D9B45F9CF364CB

Filesize
503B

MD5
726ee7b24edbf2e70052d6007dd0569b

SHA1
acfc649aec77502a8cb6cefd8297b1762f9e2367

SHA256
a09553bbec72be2053d24b0f0f806cfd3a75b096729d2b92fc25d978e1e9c28a

SHA512
0ad9c0f32bf2c2d1db4399fba07083a23e8845e913bb8d29884bf94b797ca57b01356b8b040fa814ffd1f7ca6a39ef6db3d9e290ffc138d711e5bda484d2852c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
b8af3743bb8adc5f262edfe12af90f9f

SHA1
fb39c68c71c9524fe0cbf8ae5ab21651f09b6449

SHA256
4b05f60634f201f0a71dfc53c8101e8f56a80b3461f382062afd1cc4a0baa83a

SHA512
36b6648825d1a0905e62b50a37fb8ffc84b2f42f2bcdddd2d38fbae8c50578855175206e93fa81d0294dfd719d8533c3df67927c456de1dc56cf6ed3d45c56f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
5ac7c16815d0edb8597d02ada8003c07

SHA1
392cd456dafb84300ca071f3498f9f081d5d0c4a

SHA256
ff5ff07b2fd12118a77a0cfc09897fda42d8b704af2fb9fae7fc4810a1adda82

SHA512
3fac3cdfe4e0c2da1e1274a153d24fac5c3c4f41725abf7000ac4431622bbdb9c09e2e70a7396f9e5a0e588c18458ce3fba65ffb5ef8a8684fff27484dba933d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1871FC0AFDC93392BC6E9F37BB853CBA

Filesize
492B

MD5
5a36ba7068cfc00ab8c007bb4340b733

SHA1
7b6b0654819e7158b333e29362450d21c0bbc9af

SHA256
13fa944cbdce3b2bede93321638965a2319eb44754918303036156b3efdb7b9a

SHA512
2c7ce36d293b94fa238924903e869bdde4ca64dbaa1ce5a1fa237b29bc2c936569caa71268522fd481ede9bc9d8ff90789f2c40864d348bdce8fa1d101d0c05f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
1ac6a3cdd0159eaca62088b1a47caaa7

SHA1
a12edddc0133d1c8560ba27e70712220475cfbd0

SHA256
923721e74128379e28bc56b3b1283c0af903e0b321598b13aa610621858a4bda

SHA512
6841a9cfb4b1e69771579d920d4102dd18b9a8e5ed39f8029d2b8fa0785a59fbbe2430e4c407a471e4de2991dc923343d3a9a58039ccae9cf2cf8bcf6df7fa27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D95897EB3E20654975D9B45F9CF364CB

Filesize
552B

MD5
3db3f95d1c7a217f5587c6c819dc8241

SHA1
4dee2bf415bdb9dd8367e43794c796fbef85bc32

SHA256
cb128c5c01d1a2972cd966a51c1ae1fa094ce7ca04242ad61ed1e7b65bc4cd2a

SHA512
0675ab427231df448b317e573ff7817ee96f3d9cf6edd5492512747e4e387af67b94cda3560a0d66c463fff5d32ed7951d98bba83ac0fdf7dcd98c748c71d257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver17E8.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\587N62TK\jquery-1.7.1.min[1].js

Filesize
91KB

MD5
ddb84c1587287b2df08966081ef063bf

SHA1
9eb9ac595e9b5544e2dc79fff7cd2d0b4b5ef71f

SHA256
88171413fc76dda23ab32baa17b11e4fff89141c633ece737852445f1ba6c1bd

SHA512
0640605a22f437f10521b2d96064e06e4b0a1b96d2e8fb709d6bd593781c72ff8a86d2bfe3090bc4244687e91e94a897c7b132e237d369b2e0dc01083c2ec434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\587N62TK\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0RQ9WP6S.cookie

Filesize
541B

MD5
4d3e3812fcc79e58ba36aafbec192dc8

SHA1
860ca62a530d9767c22e87752752ee7436cba721

SHA256
7a9a55cac41a8881da49429b9595297daa54a9c8e4a802124a9c0917cfe1ddfc

SHA512
75039f498c51d7ace1d73d220431025edc9eae3caf76e803a151c00f2575da72bca439844407b62c7f15c1c28f2b1caf01c03bc7edc2c9227e1cdf3e098c5c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8512G94M.cookie

Filesize
132B

MD5
a0546139da0a882d36718304b0abba9c

SHA1
c02dd4cb0bae623ccc8b4b98d7df1accc1080de1

SHA256
346d2814bf945625a195106f0d36ed9d7d54100b0b62c22b9f4629097880befb

SHA512
e17c356557aa7af910d22ad708c9f735b840c4a3ef39c0c6bff2f331065d92c563b5b35d6eebb271ce204ff155595f99d48ad7476b8e3aba2c6bb58fd67712a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IDPUERF9.cookie

Filesize
541B

MD5
88c067d26c0b4c94cb6f5f724a8c0a2a

SHA1
fd69736c55c5536cf4c2135c7efca3343648e731

SHA256
41a542e4fd847e84278073b5d542d5d72f0e2f1650c1bb358764c3f4b747fc43

SHA512
a245a40eb2517901f961965eef9d9921025d023ed384bc08dfef67408c02490090ee7e76b2503717fb90b19d6364bedaabd0973736b3b7443cb6fecd9b4e6866

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o4qxchb3.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
1e17e134d421063b1ceead7a6ae27c20

SHA1
d23fb766e396a2856f6d4b8228c77bb2b0a7166d

SHA256
d2495f0d09778a581b0c5a890de7e488900324fcfde39d74c7bd2c1691c896cb

SHA512
e70dba28181f80d43f407515905bd3f798f8d205591951d581f0b392acd4fadc188c0643eb4985b00b68e726f77f175b5c9552deb8a5d3cf106a02b748048736

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o4qxchb3.default-release\prefs-1.js

Filesize
6KB

MD5
850071e003d0cd7d7e245eeb3d5e8e4c

SHA1
bd9c3f2dd06a64952ee2da1535449603a519b7b9

SHA256
ff5869609cc59f51fcda77a86c4d1a331b21fe7c75d54cc9080f6588cc273bbd

SHA512
5ead4a61c9c79b9d17de257eabec788f4fdb8d5b1a286b41de116caeeb48f215080c9b7fe716c68dc5ea1c3757e0f7c1483e7dc104045faf8297f0f9ea55c97a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o4qxchb3.default-release\prefs-1.js

Filesize
6KB

MD5
bff26f811d4afdda7724a3ba482eb17a

SHA1
35208b1b7dc6f505acb4448cbe31252e5aaf302d

SHA256
9559d2d03be7bbcaf2d7f28ccf3af675492a54336b115c4335a19c64b7a9c310

SHA512
ce1d61a2054eb47400a37333bbd5a69683dfd5dad1bc829374274db51ab1c5975450674c209ec6ae90801dc3a0fcda8199c7c29896a357ab4e26d3b96b160a54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o4qxchb3.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
cab3333a3d7f7e1e4e44b0db73843dad

SHA1
f7debd2cdfda68555a795d948641942741f19c29

SHA256
a254fc7bf7c620994926fc6e96202ec806d3192118bdc9875fe0b723dd6e9b92

SHA512
85a835ab5fdcf528aacc5b96d697067278399271637c60156ff7c0d67282f42e457aea734525931c4a2eab9d80be4485a0daecb9362ca44b8ec0cbf21078fe88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o4qxchb3.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
db435cecd9ee0a54beaf96c50f5130ec

SHA1
102d7b83d7447a9c3c897b6bfbf25470dd30f74e

SHA256
6c38efd84b18ffaa9b06079a4cbc932ad56bda3491688d975828af25db962cb9

SHA512
0d101a5e703924d0335df32c1ad628f005a95dc393b46ee31b195beb546158483803c47cf477aca08b89a8f264f6dc7f75f9d079483b78720d2ec7f378a70239

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o4qxchb3.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
9cb8171c8df917499d6394f7abb7cfb7

SHA1
5963fa4eb2602178d7b9dddc69d6d4553810b2b9

SHA256
e4f9d71742e5a2fff376409afa44b31d60c3655184193d35a6dce7f03c2c2bf8

SHA512
ebd5e9ddcfcc1a6f028d520beb5ddd3d1d73562d766b47f1940ee048ecd90d5d56caa92147ac5e414d9ac973ab47e6bb8df1849952c87b50d53f31c2f9f8be84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o4qxchb3.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e65b9fdc82dafa7c250698178f03a2c3

SHA1
57f04f80893656044f67fe5686d86ecec3060e55

SHA256
89d9d426320dd0fcf1c532671e3509c02602be3a68dbf5df027b70c76d4191d9

SHA512
6fe4554d827604714b80f63a171d53fdab7d1f89552eb2da1f98c8a89b492e4f9f8c418350c3d57fc766e66957a461a95691901eae70286847edf2732167a987

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o4qxchb3.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
86db044047874ddfc3d167275d2e0301

SHA1
1d9538529d587a09c111d902a2e46d28cd0af6f6

SHA256
12d542deb0db4312cc8a7ba723b15fed61c204474daf32cd324c92d2b172f2bb

SHA512
4285ce5b7e3f53ca156e96f541e5633227c56cffa4119b1c24da3b24cba86b18ab1b47801c199cb803598f0660570ee9c973b29310c3f2110cae3e508b9ccfca

Download Submit