Resubmissions
12/12/2023, 05:40  231212-gc66cshah9  3
12/12/2023, 03:54  231212-egdy9sedhp  7
12/12/2023, 03:29  231212-d17j9aebcq  7
12/12/2023, 03:21  231212-dwfwqseaep  7
12/12/2023, 02:23  231212-cvagwsddal  7
12/12/2023, 01:55  231212-ccfaesecc8  3

Analysis
Max time kernel: 563s
Max time network: 565s
Platform: windows10-2004_x64
Resource: win10v2004-20231130-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/12/2023, 02:23
Static task: static1
Behavioral task: behavioral1
Sample: how to evict a tenant without rental agreement qld 75227.js
Resource: win10v2004-20231130-en
General
Target: how to evict a tenant without rental agreement qld 75227.js
Size: 843KB
MD5: c1ec1d082324850bebd8e7826098a516
SHA1: cafd1bdff3c8501c9d14c5fcc1fd87cb468c40b3
SHA256: 7abd6a84f2ac6899901d0ebf5795a5626533018f5eaa3cbf97023d2c67380be6
SHA512: 9b6f039c4be149f974a83cf9d4fc5af9cdccbaf17ebf36198e67362d5c91d425e16e558432f972f4587328e491e8087f3466eb3afeea8150e2389e9d26f7e323
SSDEEP: 24576:SUCgo+ogQc5WfNnZmD/nAdzFrJCeT+hH4WkyQTaEFNE3NEr:SUCgo+ogQc5WfNnZmD/n4zFrJ1WkyQTZ
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation (wscript.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
  - PID 2000 NETSTAT.EXE
  - PID 376 NETSTAT.EXE
Modifies registry class (4 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000_Classes\Local Settings (OpenWith.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000_Classes\Local Settings (firefox.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (powershell.exe)
Runs ping.exe (1 TTP, 1 IoC)
  - PID 3048 PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 IoCs come from two processes, each repeated many times:
  - PID 1768 powershell.exe
  - PID 2672 taskmgr.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 2024 OpenWith.exe
Suspicious behavior: LoadsDriver (6 IoCs)
  - PID 4 (Process not Found), 5 IoCs
  - PID 660 (Process not Found), 1 IoC
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 IoCs are from PID 1768 powershell.exe. The token sequence is SeDebugPrivilege followed by three repetitions of the following 21 tokens:
  - SeIncreaseQuotaPrivilege
  - SeSecurityPrivilege
  - SeTakeOwnershipPrivilege
  - SeLoadDriverPrivilege
  - SeSystemProfilePrivilege
  - SeSystemtimePrivilege
  - SeProfSingleProcessPrivilege
  - SeIncBasePriorityPrivilege
  - SeCreatePagefilePrivilege
  - SeBackupPrivilege
  - SeRestorePrivilege
  - SeShutdownPrivilege
  - SeDebugPrivilege
  - SeSystemEnvironmentPrivilege
  - SeRemoteShutdownPrivilege
  - SeUndockPrivilege
  - SeManageVolumePrivilege
  - 33
  - 34
  - 35
  - 36
Suspicious use of FindShellTrayWindow (64 IoCs)
  - PID 1988 firefox.exe, 4 IoCs
  - PID 2672 taskmgr.exe, 60 IoCs
Suspicious use of SendNotifyMessage (64 IoCs)
  - PID 1988 firefox.exe, 3 IoCs
  - PID 2672 taskmgr.exe, 61 IoCs
Suspicious use of SetWindowsHookEx (14 IoCs)
  - PID 2024 OpenWith.exe, 13 IoCs
  - PID 1988 firefox.exe, 1 IoC
Suspicious use of WriteProcessMemory (64 IoCs)
Each row gives the writing process, the target PID and the target's process-tree id (procid_target); repeated identical rows are collapsed:
  - PID 3992 wscript.EXE wrote to memory of PID 3436 (procid_target 102), 2 IoCs
  - PID 3436 cscript.exe wrote to memory of PID 1768 (procid_target 104), 2 IoCs
  - PID 2024 OpenWith.exe wrote to memory of PID 2096 (procid_target 115), 2 IoCs
  - PID 2096 firefox.exe wrote to memory of PID 1988 (procid_target 117), repeated
  - PID 1988 firefox.exe wrote to memory of PID 1716 (procid_target 118), 2 IoCs
  - PID 1988 firefox.exe wrote to memory of PID 532 (procid_target 119), repeated
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the PID and image path, then the command line, then the signatures matched by that process; indentation shows the parent/child relationship.

- PID 4700: C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
- PID 4480: C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 3992: C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE HIGHOR~1.JS
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - PID 3436: C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "HIGHOR~1.JS"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1768: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- PID 4388: C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
- PID 448: C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
- PID 2024: C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - PID 2096: C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1988: C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
      Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - PID 1716: C:\Program Files\Mozilla Firefox\firefox.exe (gpu process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.0.275318638\1212642745" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bda5d5c3-91e8-4425-a01a-9a6c5e459f43} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 1948 191efdd6a58 gpu
      - PID 532: C:\Program Files\Mozilla Firefox\firefox.exe (socket process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.1.536472206\1648363026" -parentBuildID 20221007134813 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6399f31e-4994-44ca-bfe3-bf56a88ca224} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 2408 191ef73f758 socket
        Signatures: Checks processor information in registry
      - PID 3884: C:\Program Files\Mozilla Firefox\firefox.exe (tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.2.1755168864\177615504" -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3104 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ede0249-fae0-455e-ba74-c4906a044ec5} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 3084 191f3cdea58 tab
      - PID 2760: C:\Program Files\Mozilla Firefox\firefox.exe (tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.3.199773775\1763800523" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ee2c633-e229-4275-9884-b4413c821ea4} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 3556 191f4b82e58 tab
      - PID 1552: C:\Program Files\Mozilla Firefox\firefox.exe (tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.6.734757017\774531074" -childID 5 -isForBrowser -prefsHandle 4980 -prefMapHandle 4908 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a1de3dc-f472-463a-8f85-68e7d5769d6a} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 4896 191f60f6858 tab
      - PID 1928: C:\Program Files\Mozilla Firefox\firefox.exe (tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.5.819751008\1470559559" -childID 4 -isForBrowser -prefsHandle 4584 -prefMapHandle 4556 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7afd5f3-0cb4-4110-85aa-6d6023564c7e} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 4776 191f13bf858 tab
      - PID 3848: C:\Program Files\Mozilla Firefox\firefox.exe (tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.4.1448479970\1728577933" -childID 3 -isForBrowser -prefsHandle 4552 -prefMapHandle 4548 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dec71843-ddd0-49de-9a89-6f83599aa9ed} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 4524 191f5eacd58 tab
- PID 2608: C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  - PID 2000: C:\Windows\system32\NETSTAT.EXE
    netstat
    Signatures: Gathers network information
  - PID 3784: C:\Windows\system32\cscript.exe
    cscript.exe "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
  - PID 3404: C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
  - PID 376: C:\Windows\system32\NETSTAT.EXE
    netstat
    Signatures: Gathers network information
  - PID 3048: C:\Windows\system32\PING.EXE
    ping 8.8.8.8
    Signatures: Runs ping.exe
- PID 3220: C:\Windows\System32\CScript.exe
  "C:\Windows\System32\CScript.exe" "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
- PID 2672: C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID 5052: C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
- PID 2800: C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
Network
MITRE ATT&CK Enterprise v15
Downloads