76b46daf7d91e30f37780cbdb19863a1faf4c192fa2e221995432f903479a44d

Resubmissions

12/12/2023, 05:40

231212-gc66cshah9 3

12/12/2023, 03:54

12/12/2023, 03:29

12/12/2023, 03:21

12/12/2023, 02:23

12/12/2023, 01:55

Analysis

max time kernel
203s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2023, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

how to evict a tenant without rental agreement qld 75227.js
Size

843KB
MD5

c1ec1d082324850bebd8e7826098a516
SHA1

cafd1bdff3c8501c9d14c5fcc1fd87cb468c40b3
SHA256

7abd6a84f2ac6899901d0ebf5795a5626533018f5eaa3cbf97023d2c67380be6
SHA512

9b6f039c4be149f974a83cf9d4fc5af9cdccbaf17ebf36198e67362d5c91d425e16e558432f972f4587328e491e8087f3466eb3afeea8150e2389e9d26f7e323
SSDEEP

24576:SUCgo+ogQc5WfNnZmD/nAdzFrJCeT+hH4WkyQTaEFNE3NEr:SUCgo+ogQc5WfNnZmD/n4zFrJ1WkyQTZ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Control Panel\International\Geo\Nation	wscript.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\services.msc	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3936	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
1944	taskmgr.exe
4584	powershell.exe
4584	powershell.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1944	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	taskmgr.exe
Token: SeSystemProfilePrivilege	1944	taskmgr.exe
Token: SeCreateGlobalPrivilege	1944	taskmgr.exe
Token: 33	4300	mmc.exe
Token: SeIncBasePriorityPrivilege	4300	mmc.exe
Token: 33	4300	mmc.exe
Token: SeIncBasePriorityPrivilege	4300	mmc.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeIncreaseQuotaPrivilege	4584	powershell.exe
Token: SeSecurityPrivilege	4584	powershell.exe
Token: SeTakeOwnershipPrivilege	4584	powershell.exe
Token: SeLoadDriverPrivilege	4584	powershell.exe
Token: SeSystemProfilePrivilege	4584	powershell.exe
Token: SeSystemtimePrivilege	4584	powershell.exe
Token: SeProfSingleProcessPrivilege	4584	powershell.exe
Token: SeIncBasePriorityPrivilege	4584	powershell.exe
Token: SeCreatePagefilePrivilege	4584	powershell.exe
Token: SeBackupPrivilege	4584	powershell.exe
Token: SeRestorePrivilege	4584	powershell.exe
Token: SeShutdownPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeSystemEnvironmentPrivilege	4584	powershell.exe
Token: SeRemoteShutdownPrivilege	4584	powershell.exe
Token: SeUndockPrivilege	4584	powershell.exe
Token: SeManageVolumePrivilege	4584	powershell.exe
Token: 33	4584	powershell.exe
Token: 34	4584	powershell.exe
Token: 35	4584	powershell.exe
Token: 36	4584	powershell.exe
Token: SeIncreaseQuotaPrivilege	4584	powershell.exe
Token: SeSecurityPrivilege	4584	powershell.exe
Token: SeTakeOwnershipPrivilege	4584	powershell.exe
Token: SeLoadDriverPrivilege	4584	powershell.exe
Token: SeSystemProfilePrivilege	4584	powershell.exe
Token: SeSystemtimePrivilege	4584	powershell.exe
Token: SeProfSingleProcessPrivilege	4584	powershell.exe
Token: SeIncBasePriorityPrivilege	4584	powershell.exe
Token: SeCreatePagefilePrivilege	4584	powershell.exe
Token: SeBackupPrivilege	4584	powershell.exe
Token: SeRestorePrivilege	4584	powershell.exe
Token: SeShutdownPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeSystemEnvironmentPrivilege	4584	powershell.exe
Token: SeRemoteShutdownPrivilege	4584	powershell.exe
Token: SeUndockPrivilege	4584	powershell.exe
Token: SeManageVolumePrivilege	4584	powershell.exe
Token: 33	4584	powershell.exe
Token: 34	4584	powershell.exe
Token: 35	4584	powershell.exe
Token: 36	4584	powershell.exe
Token: SeIncreaseQuotaPrivilege	4584	powershell.exe
Token: SeSecurityPrivilege	4584	powershell.exe
Token: SeTakeOwnershipPrivilege	4584	powershell.exe
Token: SeLoadDriverPrivilege	4584	powershell.exe
Token: SeSystemProfilePrivilege	4584	powershell.exe
Token: SeSystemtimePrivilege	4584	powershell.exe
Token: SeProfSingleProcessPrivilege	4584	powershell.exe
Token: SeIncBasePriorityPrivilege	4584	powershell.exe
Token: SeCreatePagefilePrivilege	4584	powershell.exe
Token: SeBackupPrivilege	4584	powershell.exe
Token: SeRestorePrivilege	4584	powershell.exe
Token: SeShutdownPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeSystemEnvironmentPrivilege	4584	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4300	mmc.exe
4300	mmc.exe
4300	mmc.exe
4300	mmc.exe
2816	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 544	3324	wscript.EXE	115
PID 3324 wrote to memory of 544	3324	wscript.EXE	115
PID 544 wrote to memory of 4584	544	cscript.exe	118
PID 544 wrote to memory of 4584	544	cscript.exe	118
PID 4660 wrote to memory of 3936	4660	cmd.exe	124
PID 4660 wrote to memory of 3936	4660	cmd.exe	124
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 3476 wrote to memory of 2816	3476	firefox.exe	127
PID 2816 wrote to memory of 4292	2816	firefox.exe	128
PID 2816 wrote to memory of 4292	2816	firefox.exe	128
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129
PID 2816 wrote to memory of 1624	2816	firefox.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
1⤵
PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3440

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
1⤵
PID:4836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
1⤵
PID:2616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
1⤵
PID:3568

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE HIGHOR~1.JS
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" "HIGHOR~1.JS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4584

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1944

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4300

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\system32\PING.EXE
  ping google.com
  2⤵
  - Runs ping.exe
  PID:3936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.0.1551380858\1494867699" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {584cf548-0e33-4053-b8ec-05b04f2db46b} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 1948 1abb70d7c58 gpu
    3⤵
    PID:4292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.1.418986793\1032654861" -parentBuildID 20221007134813 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb353cd4-7130-47ea-98c4-e375e872e5fd} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 2348 1abaa972b58 socket
    3⤵
    - Checks processor information in registry
    PID:1624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.2.1449601691\684551623" -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 2908 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d40cea65-c180-4cac-ac2e-e9e986dcd2de} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 3180 1abb705e958 tab
    3⤵
    PID:4472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.3.194441933\1246720822" -childID 2 -isForBrowser -prefsHandle 3320 -prefMapHandle 3416 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5e72e42-0bca-49d5-ac09-fbf17d47efde} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 3572 1abba4a9258 tab
    3⤵
    PID:3944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.4.1568678741\1215255034" -childID 3 -isForBrowser -prefsHandle 4364 -prefMapHandle 4356 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82f96fee-077f-4023-a9cb-1302bbf63f6a} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 4428 1abbc05e258 tab
    3⤵
    PID:1160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.7.713185752\458313909" -childID 6 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25c86fa0-727d-4d18-9094-508dbb24b3fd} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 5336 1abbd1efe58 tab
    3⤵
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.6.1110999818\1131441613" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa171f71-903d-4c16-924f-5cd3de56cb90} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 5144 1abbd1ef858 tab
    3⤵
    PID:5248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.5.1188160868\1375928782" -childID 4 -isForBrowser -prefsHandle 4712 -prefMapHandle 5080 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52134703-f393-494a-b492-f748081072d8} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 4772 1abbd167158 tab
    3⤵
    PID:5240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.8.748875651\590649089" -childID 7 -isForBrowser -prefsHandle 5812 -prefMapHandle 5808 -prefsLen 26379 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7074f157-96ea-459a-ad59-d6d6347ae42d} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 2772 1abbcfa7458 tab
    3⤵
    PID:5800

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\093b52432cbb48949781bfd96ae47859 /t 4536 /p 4300
1⤵
PID:5216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mn5vpirz.tiu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\HIGHOR~1.JS

Filesize
10.9MB

MD5
bad097422717139b8ddf95fcb3a3526a

SHA1
06669f99326d8f15f4cdd6c28c164423bfc7e744

SHA256
2f708d51d22eb94a364d4fbb302757bc4b53709fdbb8bbd766f7405329f9e682

SHA512
f3e4c880723b193e5488d510f8feacfd228b7042ebc09a6b667ad540ec1431e132c3a3826abc6fdbc828345cb5fd8b40485e56af8220a52e7a4c1abe74ddd4d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nlcuinum.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
e6bf75acce1cd9310a5170b50d095cd7

SHA1
27f642d0980160a1e98923b3105c7dc4f21d8a1b

SHA256
6e64792b5980bf9694a2fc95725e0affa84401be96174d8d59959fe34a3b155c

SHA512
3cfb98c97284e87c1f3e9289afbad795752f63e72abbb1301b9c226381d8139e8aae80f74482a96ee3e32a6a90647f2e2c8d9020d7a1402456147cb1d09f50d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nlcuinum.default-release\datareporting\glean\pending_pings\e5df8157-ea34-4ffe-b738-d9906f3dd80c

Filesize
734B

MD5
f62db049d3271cb7e4aac198a5d9996c

SHA1
3d31e26447ce5385da1a3d97d8bc9941b9f91c8b

SHA256
2371a12115471a8b07e52e5f5915b1969baf5c5bd8cdd6cb05dc9b3784f5bc93

SHA512
96c4ee9bc226a15244507167f40d6060195500043d8d186bffe1154e6c5c07ffa15be4dee60a7b61b9fae49274d803a9dd710e0a704cedeffe6e5efb454a22ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nlcuinum.default-release\prefs-1.js

Filesize
6KB

MD5
378a6bc3aaf850d6822cf1f0bea81958

SHA1
339c9c93cef876e65bcc145d78de0eb953107572

SHA256
1f349cc9e5610acb975c3eba00d58d705beb74fc98d45b4c21f9b36390ffb2a3

SHA512
e6e0577bf1ec37053b7a56f0a3acb0e90fe5e94c1892236663487848d78848a2dc11516d10ce90e96d295fd77f1741b6235d8a1a1c30d8953e302f26248be265

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nlcuinum.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nlcuinum.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
38946217a6b2f64460b5531a60bc32ee

SHA1
c86b606db248bf288549bd35160fcc7af7801ef5

SHA256
216ba3fc9a21193e7c1c1823e1882338b41c7925549df59a14e9581f4dc25f79

SHA512
0e2b3afac90f772b01024125a20219056b6f34c722fccdceb86a33e571b268a430c15b2a3176725bb64e23815abe838c3596ae780995e1b97e1fb7fe9e5369b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nlcuinum.default-release\sessionstore.jsonlz4

Filesize
919B

MD5
5ef2964fe7db57cc7c74fdd6e0416b63

SHA1
d6dcb96d7df069984f8e54757136a7595507c7e0

SHA256
3aa8140212488f34539d9e4b26b2b73120c414e6583399b0f786772c07bfc050

SHA512
bcb3ce40c5cd2890750103797738e34882ebb6d8f702c5bc527703fa81f2394f87774a359a470123211455b381dc41eac9591fd2cce94dda39a404c83ba5075d

Download Submit
memory/1944-10-0x000002340AF60000-0x000002340AF61000-memory.dmp

Filesize
4KB

Download
memory/1944-13-0x000002340AF60000-0x000002340AF61000-memory.dmp

Filesize
4KB

Download
memory/1944-14-0x000002340AF60000-0x000002340AF61000-memory.dmp

Filesize
4KB

Download
memory/1944-12-0x000002340AF60000-0x000002340AF61000-memory.dmp

Filesize
4KB

Download
memory/1944-11-0x000002340AF60000-0x000002340AF61000-memory.dmp

Filesize
4KB

Download
memory/1944-9-0x000002340AF60000-0x000002340AF61000-memory.dmp

Filesize
4KB

Download
memory/1944-8-0x000002340AF60000-0x000002340AF61000-memory.dmp

Filesize
4KB

Download
memory/1944-2-0x000002340AF60000-0x000002340AF61000-memory.dmp

Filesize
4KB

Download
memory/1944-3-0x000002340AF60000-0x000002340AF61000-memory.dmp

Filesize
4KB

Download
memory/1944-4-0x000002340AF60000-0x000002340AF61000-memory.dmp

Filesize
4KB

Download
memory/4584-35-0x0000020B52A30000-0x0000020B52AA6000-memory.dmp

Filesize
472KB

Download
memory/4584-37-0x0000020B523E0000-0x0000020B523F0000-memory.dmp

Filesize
64KB

Download
memory/4584-38-0x0000020B52C40000-0x0000020B52C6A000-memory.dmp

Filesize
168KB

Download
memory/4584-39-0x0000020B52C40000-0x0000020B52C64000-memory.dmp

Filesize
144KB

Download
memory/4584-42-0x00007FFC57FA0000-0x00007FFC58A61000-memory.dmp

Filesize
10.8MB

Download
memory/4584-44-0x0000020B523E0000-0x0000020B523F0000-memory.dmp

Filesize
64KB

Download
memory/4584-43-0x0000020B523E0000-0x0000020B523F0000-memory.dmp

Filesize
64KB

Download
memory/4584-45-0x0000020B523E0000-0x0000020B523F0000-memory.dmp

Filesize
64KB

Download
memory/4584-46-0x0000020B523E0000-0x0000020B523F0000-memory.dmp

Filesize
64KB

Download
memory/4584-47-0x0000020B523E0000-0x0000020B523F0000-memory.dmp

Filesize
64KB

Download
memory/4584-36-0x0000020B523E0000-0x0000020B523F0000-memory.dmp

Filesize
64KB

Download
memory/4584-30-0x0000020B39E70000-0x0000020B39E92000-memory.dmp

Filesize
136KB

Download
memory/4584-31-0x00007FFC57FA0000-0x00007FFC58A61000-memory.dmp

Filesize
10.8MB

Download
memory/4584-34-0x0000020B52380000-0x0000020B523C4000-memory.dmp

Filesize
272KB

Download
memory/4584-32-0x0000020B523E0000-0x0000020B523F0000-memory.dmp

Filesize
64KB

Download
memory/4584-33-0x0000020B523E0000-0x0000020B523F0000-memory.dmp

Filesize
64KB

Download